The kprobe.function probes rely on systemtap reading the System.map file for lists of functions. Run
stap -vv -L 'kprobe.function("do_execve")'
to see where stap is looking for that file; it's probably complaining about "Kernel symbol table ... unavailable". Arrange to put a System.map symlink there, and stap should find it and the do_execve function within it. We can extend stap's search path to find the file in its original location; pointers welcome. Or if the problem is permissions,
sudo chmod a+r /boot/System.map*
This is to work around a misguided part of https://wiki.ubuntu.com/Security/Features - see also https://sourceware.org/bugzilla/show_bug.cgi?id=15172
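
A quick way to tell the two cases above apart (file missing versus not readable), as an added example that is not part of the original answer. The function name and return codes are assumptions made for this example, and the directory is an argument because the answer does not say which path stap searches.

```shell
#!/bin/sh
# Added example, not from the original answer.
# check_system_map DIR SYMBOL
# Return codes (chosen for this example):
#   0  a readable System.map* in DIR defines SYMBOL as a text symbol
#   1  System.map* files exist but none is readable by the current user
#   2  no System.map* file in DIR
#   3  readable file(s) found, but SYMBOL is not listed as text
check_system_map() {
    dir=$1
    sym=$2
    seen=0
    readable=0
    for f in "$dir"/System.map*; do
        [ -e "$f" ] || continue      # glob matched nothing
        seen=1
        if [ ! -r "$f" ]; then
            # Show the mode bits so a permissions problem is obvious
            echo "$f: not readable by $(id -un) ($(ls -ld "$f" | cut -c1-10))"
            continue
        fi
        readable=1
        # System.map lines are "<address> <type> <name>"; T/t marks text (code)
        if awk -v s="$sym" \
            '$3 == s && ($2 == "T" || $2 == "t") { ok = 1 } END { exit !ok }' "$f"
        then
            echo "$f: defines $sym"
            return 0
        fi
        echo "$f: readable, but $sym is not listed as a text symbol"
    done
    [ "$seen" -eq 1 ] || { echo "$dir: no System.map* file"; return 2; }
    [ "$readable" -eq 1 ] || return 1
    return 3
}

# Usage: check_system_map /boot do_execve
```

Run it as the same user that runs stap, since readability is checked for the current user.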