ebpf kprobe argument not matching the syscall
I'm learning eBPF and I'm playing with it in order to understand it better while following the docs but there's something I don't understand why it's not working...
I have this very simple code that stops the code and returns 5.
int main() {
exit(5);
return 0;
}
The exit function from the code above calls the exit_group syscall as can we can see by using strace (image below) yet within my Python code that's using eBPF through bcc the output I get for my bpf_trace_printk is the value 208682672 and not the value 5 that the exit_group syscall is called with as I was expecting...
from bcc import BPF
def main():
bpftext = """
#include <uapi/linux/ptrace.h>
void my_exit(struct pt_regs *ctx, int status){
bpf_trace_printk("%d", status);
}
"""
bpf = BPF(text=bpftext)
fname = bpf.get_syscall_fnname('exit_group')
bpf.attach_kprobe(event=fname, fn_name='my_exit')
while True:
print(bpf.trace_fields())
if __name__ == '__main__':
main()
I've looked into whatever I found online but I couldn't find a solution as I've been investigating this problem for a few days now...
I truly appreciate any help available and thank you!
Fix
You need to rename your function from my_exit to syscall__exit_group.
Why does this matter? BPF programs named in this way get special handling from BCC. Here's what the documentation says:
8. system call tracepoints
Syntax:
syscall__SYSCALLNAME
syscall__is a special prefix that creates a kprobe for the system call name provided as the remainder. You can use it by declaring a normal C function, then using the PythonBPF.get_syscall_fnname(SYSCALLNAME)andBPF.attach_kprobe()to associate it.Arguments are specified on the function declaration:
syscall__SYSCALLNAME(struct pt_regs *ctx, [, argument1 ...]).For example:
int syscall__execve(struct pt_regs *ctx, const char __user *filename, const char __user *const __user *__argv, const char __user *const __user *__envp) { [...] }This instruments the execve system call.
Corrected Code
from bcc import BPF
def main():
bpftext = """
#include <uapi/linux/ptrace.h>
void syscall__exit_group(struct pt_regs *ctx, int status){
bpf_trace_printk("%d", status);
}
"""
bpf = BPF(text=bpftext)
fname = bpf.get_syscall_fnname('exit_group')
bpf.attach_kprobe(event=fname, fn_name='syscall__exit_group')
while True:
print(bpf.trace_fields())
if __name__ == '__main__':
main()
Output from the sample program exiting:
(b'<...>', 14896, 0, b'd...1', 3996.079261, b'5')
How it Works
After BCC transforms your BPF program, this results in a slightly different interpretation of the arguments passed. You can use bpf = BPF(text=bpftext, debug=bcc.DEBUG_PREPROCESSOR) to see how your code is transformed.
Here's what happens without the syscall__ prefix:
void my_exit(struct pt_regs *ctx){
int status = ctx->di;
({ char _fmt[] = "%d"; bpf_trace_printk_(_fmt, sizeof(_fmt), status); });
}
This reads in the RDI register and interprets it as the syscall argument.
On the other hand, here's what happens if it's named syscall__exit_group:
void syscall__exit_group(struct pt_regs *ctx){
#if defined(CONFIG_ARCH_HAS_SYSCALL_WRAPPER) && !defined(__s390x__)
struct pt_regs * __ctx = ctx->di;
int status; bpf_probe_read(&status, sizeof(status), &__ctx->di);
#else
int status = ctx->di;
#endif
({ char _fmt[] = "%d"; bpf_trace_printk_(_fmt, sizeof(_fmt), status); });
}
If the CONFIG_ARCH_HAS_SYSCALL_WRAPPER is defined (it is on x86_64) then the RDI register is interpreted as a pointer to a struct pt_regs, which looks up the RDI register in that, which is the first argument to exit_group().
On systems without syscall wrappers, this does the same thing as the previous example.
- Accessing Python 3 type annotations for variables at runtime
- Identify and mark duplicates where any of them has a specific quality
- numpy.dtype size changed, may indicate binary incompatibility. Expected 96 from C header, got 88 from PyObject
- Can't install new packages for Python (Python 3.9.0, Windows 10)
- How can I set all form fields readonly in Odoo 16 depending on a field?
- Django - CreateView - Send a custom Error Message if model form is not valid
- How to rotate only Table, using borb (PDF library) python?
- Python unittest: how to run only part of a test file?
- add nested attributes to python
- How to Enumerate Threads using CreateToolhelp32Snapshot and Python ctypes?
- NotImplementedError YOLO ultralitycs
- Tuple matching using SQLAlchemy
- is there parallelism inside Ollama?
- Problem when adding dependencies to pyinstaller using poetry to manage dependencies
- The difference between <str:slug> and <slug:slug> in urls.py of Django application
- Visual Studio Code does not detect Virtual Environments
- Error print special character on results with Flask-SQLAlchemy
- Printing a list from a random sample using join()
- How to load a huggingface dataset from local path?
- Modify output from Python Pandas describe
- python Shift + enter not working in VScode with jupyter
- Logging Error: Failed to initialize logging system. Log messages may be missing.?
- Encountering connection problems with PostgreSQL when using psycopg2 on a port that has been forwarded
- Poetry stuck in infinite install/update
- How can one combine iterables keeping only the first element with each index?
- How to resolve a many-to-one-relation on insert in sqlalchemy 2.0?
- Widget with WA_TransparentForMouseEvents attribute in QSplitter. How to make it?
- WindowsError: [Error 126] The specified module could not be found
- How do I define a function with optional arguments?
- Add "b" prefix to python variable?