
I am following the bcc Tutorial and trying to execute the trace-bpfcc command:

$ sudo trace-bpfcc 'sys_execve "%s", arg1'

The command fails with an error:

cannot attach kprobe, probe entry may not exist
Failed to attach BPF program b'probe_sys_execve_1' to kprobe b'sys_execve'

While searching the web, I found that such an error can occur if the symbol __x64_sys_execve is missing in /proc/kallsyms, but I have one there.

I don't have any kernel development experience at all. What do I need to do to fix this issue?

My distro is Ubuntu 20

ibse

1 Answer


You found the correct symbol yourself: __x64_sys_execve. You want to use the same when running the command:

$ sudo trace-bpfcc '__x64_sys_execve "%s", arg1'

There is no function called simply __sys_execve in your kernel and you have to match the exact symbol for BCC to find the relevant function.

Qeole
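The symbol lookup discussed in this thread can be scripted, which helps when the same execve tracing has to run on hosts with different kernels or architectures. This is an added example, not code from the question, the answer or the bcc project; the function names, the prefix list and the sample kallsyms lines are assumptions made for illustration.

```shell
#!/bin/sh
# Resolve the kernel symbol that implements a syscall, so the exact name
# can be passed to trace-bpfcc instead of a bare sys_<name>.

# Constructed sample of /proc/kallsyms lines (address, type, symbol).
sample_kallsyms() {
cat <<'EOF'
0000000000000000 T __x64_sys_execve
0000000000000000 T __ia32_sys_execve
0000000000000000 T __x64_sys_execveat
0000000000000000 t do_execve
0000000000000000 T ksys_open
0000000000000000 D sys_call_table
EOF
}

# resolve_syscall_symbol NAME [KALLSYMS_FILE]
# Prints the first text symbol (type T or t) that equals a known wrapper
# prefix followed by NAME. Returns 1 when no such symbol exists.
resolve_syscall_symbol() {
    name=$1
    file=${2:-/proc/kallsyms}
    # Assumed prefix list: common 64-bit architectures, then the unprefixed
    # name used by older kernels.
    for prefix in __x64_sys_ __arm64_sys_ __s390x_sys_ sys_; do
        if awk -v sym="${prefix}${name}" \
            '($2 == "T" || $2 == "t") && $3 == sym { found = 1; exit }
             END { exit !found }' "$file"; then
            printf '%s\n' "${prefix}${name}"
            return 0
        fi
    done
    return 1
}

# Demo on the constructed sample; omit the file argument on a real host
# to read /proc/kallsyms.
demo_file=$(mktemp)
sample_kallsyms > "$demo_file"
resolve_syscall_symbol execve "$demo_file"
rm -f "$demo_file"
```

The match is exact on the symbol field, so `execve` does not pick up `__x64_sys_execveat`, and data symbols such as `sys_call_table` are ignored because only text symbols can take a kprobe.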