Tags: ubuntu, ubuntu-13.10, systemtap

kprobes not working in Ubuntu


I am trying to run one of the standard example scripts from Systemtap. The procmod_watcher.stp uses kprobes to watch fork, exec, etc. But when I try to run this script I get an error.

    semantic error: while resolving probe point: identifier 'kprobe' at /usr/share/systemtap/tapset/linux/nd_syscalls.stp:967:27
        source: probe nd_syscall.execve = kprobe.function("do_execve")

Sure enough, stap -L 'kprobe.function("do_execve")' returns nothing. How can this be?

I am using Ubuntu and have followed the instructions in: Systemtap on Ubuntu @sourceware

I have also tried compiling my own kernel and making sure Kprobes, debug_info and all the other required items are enabled through config. I get the same error.

I have tried the same script on Fedora and it runs practically out of the box. But I only have a virtual machine with Fedora on it and would like to continue with Ubuntu for a while.

What do I need to do to enable kprobes in systemtap on Ubuntu?


Solution

  • The kprobe.function probes rely on systemtap reading the System.map file for lists of functions. Run

    stap -vv -L 'kprobe.function("do_execve")'
    

    to see where stap is looking for that file; it's probably complaining about "Kernel symbol table ... unavailable". Arrange to put a System.map symlink there, and stap should find it and the do_execve function within it. We can extend stap's search path to find the file in its original location; pointers welcome. Or if the problem is permissions,

    sudo chmod a+r /boot/System.map*
    

    This is to work around a misguided part of https://wiki.ubuntu.com/Security/Features - see also https://sourceware.org/bugzilla/show_bug.cgi?id=15172
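
An added example, not part of the original answer: a shell function that tells apart the two cases described above (no System.map at the path being checked, or a System.map the current user cannot read) and confirms that the symbol is actually listed. The function name, its return codes and the default path /boot/System.map-$(uname -r) are assumptions; pass the path that stap -vv reports instead.

```shell
#!/bin/sh
# Added example: diagnose why a kprobe.function symbol cannot be resolved.
# check_symbol_map FILE SYMBOL
#   returns 0 if SYMBOL is listed in FILE
#           1 if FILE does not exist (the map is somewhere else)
#           2 if FILE exists but is not readable by the current user
#           3 if FILE is readable but has no exact entry for SYMBOL
check_symbol_map() {
    map=$1
    sym=$2
    if [ ! -e "$map" ]; then
        echo "missing: $map"
        return 1
    fi
    if [ ! -r "$map" ]; then
        # Show the mode bits so a root-only map is obvious.
        echo "unreadable: $map ($(ls -l "$map" | cut -d' ' -f1))"
        return 2
    fi
    # System.map lines are "address type name"; compare the name field
    # exactly so do_execve does not match do_execve_common.
    if awk -v s="$sym" '$3 == s { found = 1 } END { exit !found }' "$map"; then
        echo "found: $sym in $map"
        return 0
    fi
    echo "absent: $sym not in $map"
    return 3
}

# Usage: script SYMBOL [MAPFILE]
# The default map path is an assumption about the running system.
if [ "$#" -ge 1 ]; then
    check_symbol_map "${2:-/boot/System.map-$(uname -r)}" "$1"
fi
```

A process running as root can read the file without any mode change, whereas chmod a+r makes the file, and the kernel symbol addresses in it, readable by every local user.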