共计 1523 个字符,预计需要花费 4 分钟才能阅读完成。
⚡ Thu 15 Jun - 15:48 /usr/share/bcc/tools
root@ebpf uname -a
Linux ebpf 5.15.0-73-generic #80-Ubuntu SMP Mon May 15 15:18:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
报错信息
✘ ⚡ Thu 15 Jun - 15:39 ~/go/src/tp-test
root@ebpf docker run -it -v$PWD/ebpf/execve:/src/ ghcr.io/eunomia-bpf/ecc-`uname -m`:latest && ecli ./ebpf/execve/package.json
ls: cannot access '/src/*.h': No such file or directory
INFO [ecc_rs::bpf_compiler] Compiling bpf object...
INFO [ecc_rs::bpf_compiler] Generating package json..
INFO [ecc_rs::bpf_compiler] Packing ebpf object and config into /src/package.json...
INFO [faerie::elf] strtab: 0x597e symtab 0x59b8 relocs 0x5a00 sh_offset 0x5a00
libbpf: prog 'tracepoint__syscalls__sys_enter_execve': BPF program load failed: Permission denied
libbpf: prog 'tracepoint__syscalls__sys_enter_execve': -- BEGIN PROG LOAD LOG --
arg#0 reference type('UNKNOWN ') size cannot be determined: -22
; struct task_struct *task = (struct task_struct *)bpf_get_current_task();
0: (85) call bpf_get_current_task#35
; u64 ppid = task->real_parent->tgid;
1: (79) r1 = *(u64 *)(r0 +2400)
R0 invalid mem access 'inv'
processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
-- END PROG LOAD LOG --
libbpf: prog 'tracepoint__syscalls__sys_enter_execve': failed to load: -13
libbpf: failed to load object 'execv_bpf<ʉ�'
Error: Bpf("Failed to start polling: Bpf(\"Failed to load and attach: Failed to load bpf object\"), receiving on a closed channel")错误代码
struct task_struct *task = (typeof(task))bpf_get_current_task();
u64 ppid = task->real_parent->tgid;
正确代码
struct task_struct *task = (struct task_struct *)bpf_get_current_task();
u64 ppid = (u64)BPF_CORE_READ(task, real_parent, tgid);正文完