Question

I am trying to run one of the standard example scripts from SystemTap. procmod_watcher.stp uses kprobes to watch fork, exec, etc. But when I try to run this script I get an error.

semantic error: while resolving probe point: identifier 'kprobe' at /usr/share/systemtap/tapset/linux/nd_syscalls.stp:967:27
    source: probe nd_syscall.execve = kprobe.function("do_execve")

Sure enough, stap -L 'kprobe.function("do_execve")' returns nothing. How can this be?

I am using Ubuntu and have followed the instructions in: Systemtap on Ubuntu @sourceware

I have also tried compiling my own kernel and making sure Kprobes, debug_info and all the other required items are enabled through config. I get the same error.

I have tried the same script on Fedora and it runs practically out of the box. But I only have a virtual machine with Fedora on it and would like to continue with Ubuntu for a while.

What do I need to do to enable kprobes in SystemTap on Ubuntu?


Solution

The kprobe.function probes rely on systemtap reading the System.map file for lists of functions. Run

stap -vv -L 'kprobe.function("do_execve")'

to see where stap is looking for that file; it's probably complaining about "Kernel symbol table ... unavailable". Arrange to put a System.map symlink there, and stap should find it and the do_execve function within it. We can extend stap's search path to find the file in its original location; pointers welcome. Or if the problem is permissions,

sudo chmod a+r /boot/System.map*

This is to work around a misguided part of https://wiki.ubuntu.com/Security/Features - see also https://sourceware.org/bugzilla/show_bug.cgi?id=15172

OTHER TIPS

Adding to @fche's answer, SystemTap is looking for System.map in /lib/modules/$(uname -r)/build/System.map.

In Ubuntu, System.map is placed in /boot/System.map-$(uname -r), so:

  1. You need to run stap with sudo (since only root has access to /boot), or do some group magic.
  2. Create a soft link to System.map: sudo ln -s /boot/System.map-$(uname -r) /lib/modules/$(uname -r)/build/System.map

I would not recommend changing the read flag on the files in either location, security and all...
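A small POSIX shell helper, added here as an example and not part of either answer, that checks the two things both answers turn on: whether a System.map is readable at the path stap expects and whether it actually lists do_execve. The functions take explicit paths so they can be run against a constructed sample file; expected_map_path, map_readable, map_has_symbol and diagnose are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the question or the answers: verify the System.map
# lookup that kprobe.function probes depend on.

# Path where stap looks for the symbol table (per the answer above).
# Argument: kernel release (defaults to the running kernel).
expected_map_path() {
    printf '%s/build/System.map\n' "/lib/modules/${1:-$(uname -r)}"
}

# Return 0 if the file exists and is readable by the current user.
map_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Return 0 if a text symbol (e.g. do_execve) is listed in the map.
# System.map lines look like: "ffffffff812a1b40 T do_execve"
map_has_symbol() {
    grep -qE "^[0-9a-f]+ [Tt] $2\$" "$1"
}

# Print a diagnosis for one kernel release, mirroring the manual steps above.
diagnose() {
    rel="${1:-$(uname -r)}"
    map="$(expected_map_path "$rel")"
    boot_map="/boot/System.map-$rel"
    if map_readable "$map"; then
        if map_has_symbol "$map" do_execve; then
            echo "ok: $map is readable and lists do_execve"
        else
            echo "warning: $map is readable but does not list do_execve"
        fi
    elif [ -e "$map" ]; then
        echo "exists but not readable: $map (run stap with sudo)"
    elif [ -e "$boot_map" ]; then
        echo "missing: $map; link it with: sudo ln -s $boot_map $map"
    else
        echo "no System.map found for kernel $rel"
    fi
}

if [ "${1:-}" = "--diagnose" ]; then
    diagnose "${2:-}"
fi
```

Run it as `sh check_map.sh --diagnose` (optionally followed by a kernel release) to get the same answer the manual stap -vv run gives, without building a probe.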

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow