共计 1523 个字符,预计需要花费 4 分钟才能阅读完成。
| ⚡ Thu 15 Jun - 15:48 /usr/share/bcc/tools | |
| root@ebpf uname -a | |
| Linux ebpf 5.15.0-73-generic #80-Ubuntu SMP Mon May 15 15:18:26 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux |
报错信息
| ✘ ⚡ Thu 15 Jun - 15:39 ~/go/src/tp-test | |
| root@ebpf docker run -it -v$PWD/ebpf/execve:/src/ ghcr.io/eunomia-bpf/ecc-`uname -m`:latest && ecli ./ebpf/execve/package.json | |
| ls: cannot access '/src/*.h': No such file or directory | |
| INFO [ecc_rs::bpf_compiler] Compiling bpf object... | |
| INFO [ecc_rs::bpf_compiler] Generating package json.. | |
| INFO [ecc_rs::bpf_compiler] Packing ebpf object and config into /src/package.json... | |
| INFO [faerie::elf] strtab: 0x597e symtab 0x59b8 relocs 0x5a00 sh_offset 0x5a00 | |
| libbpf: prog 'tracepoint__syscalls__sys_enter_execve': BPF program load failed: Permission denied | |
| libbpf: prog 'tracepoint__syscalls__sys_enter_execve': -- BEGIN PROG LOAD LOG -- | |
| arg#0 reference type('UNKNOWN ') size cannot be determined: -22 | |
| ; struct task_struct *task = (struct task_struct *)bpf_get_current_task(); | |
| 0: (85) call bpf_get_current_task#35 | |
| ; u64 ppid = task->real_parent->tgid; | |
| 1: (79) r1 = *(u64 *)(r0 +2400) | |
| R0 invalid mem access 'inv' | |
| processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 | |
| -- END PROG LOAD LOG -- | |
| libbpf: prog 'tracepoint__syscalls__sys_enter_execve': failed to load: -13 | |
| libbpf: failed to load object 'execv_bpf<ʉ�' | |
| Error: Bpf("Failed to start polling: Bpf(\"Failed to load and attach: Failed to load bpf object\"), receiving on a closed channel") |
错误代码
| struct task_struct *task = (typeof(task))bpf_get_current_task(); | |
| u64 ppid = task->real_parent->tgid; |
正确代码
| struct task_struct *task = (struct task_struct *)bpf_get_current_task(); | |
| u64 ppid = (u64)BPF_CORE_READ(task, real_parent, tgid); |
正文完