Why are the security_path_* symbols missing from kallsyms and System.map on kernel version 5.4.156?
I am failing to load an eBPF script that traces path renames by using kprobe:
int kprobe__security_path_rename( struct pt_regs *ctx, const struct path *old_dir, struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry )
{
...
}
It works fine on my Ubuntu machine (kernel 5.13.0), but fails on an AWS node (kernel 5.4.156) with the following error:
sh-4.2$ sudo ./tracker.py
cannot attach kprobe, probe entry may not exist
Traceback (most recent call last):
  File "./tracker.py", line 698, in <module>
    bpf = BPF(text=program)
  File "/usr/lib/python3.7/site-packages/bcc/__init__.py", line 372, in __init__
    self._trace_autoload()
  File "/usr/lib/python3.7/site-packages/bcc/__init__.py", line 1232, in _trace_autoload
    fn_name=fn.name)
  File "/usr/lib/python3.7/site-packages/bcc/__init__.py", line 684, in attach_kprobe
    (fn_name, event))
Exception: Failed to attach BPF program b'kprobe__security_path_rename' to kprobe b'security_path_rename'
I checked /proc/kallsyms and /boot/System.map-$(uname -r) and indeed the symbols security_path_{mknod,mkdir,unlink,rename} all exist on my machine and are missing on the AWS node.
I also observed that after updating the AWS kernel version to 5.4.176 the symbols appear and my program works. However, these symbols all appear in the source of all (relevant) kernel versions, are not marked static or notrace and are explicitly exported via EXPORT_SYMBOL.
Can't these symbols be kprobed on kernel 5.4.156?
Comments (1)
I found the cause. The problem was not directly related to kernel versions, but rather to kernel config.
Apparently, the kernel version 5.4.156 for AWS nodes was configured without CONFIG_SECURITY_PATH, while newer kernel 5.4.176 for the same node was configured with this flag. In the former configuration, the security_path_* symbols mentioned in the question do not exist since their whole code path is guarded with #ifdefs. One can test which kernel configuration flags are enabled by inspecting the config file, e.g. use one of the following commands:
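An added example, not part of the original answer and not the answer author's commands: a shell pre-flight check that compares the kernel build config with the symbol table to tell "probe target compiled out by config" apart from "symbol missing for another reason" before a kprobe is attached. The function names and verdict strings are hypothetical, and the default locations /boot/config-$(uname -r) and /proc/config.gz are assumptions about the target system.

```shell
#!/bin/sh
# Added example (not from the original post): explain why a kprobe target is
# missing by comparing the kernel build config with the symbol table.

# read_config FILE: print a kernel config, transparently handling .gz files.
read_config() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# config_enabled OPTION FILE: succeed if OPTION is built in (=y).
# A disabled option appears as "# OPTION is not set" and does not match.
config_enabled() {
    read_config "$2" | grep -qx "$1=y"
}

# symbol_present SYMBOL FILE: succeed if SYMBOL is a text symbol (type T or t)
# in a kallsyms- or System.map-style file ("address type name").
symbol_present() {
    awk -v s="$1" '$3 == s && ($2 == "T" || $2 == "t") { f = 1 } END { exit !f }' "$2"
}

# diagnose SYMBOL OPTION [CONFIG] [SYMFILE]: print one verdict word.
diagnose() {
    sym=$1
    opt=$2
    cfg=${3:-/boot/config-$(uname -r)}          # assumed default location
    [ -r "$cfg" ] || cfg=/proc/config.gz        # only present with CONFIG_IKCONFIG_PROC
    syms=${4:-/proc/kallsyms}
    if symbol_present "$sym" "$syms"; then
        echo attachable
    elif [ ! -r "$cfg" ]; then
        echo unknown-no-config
    elif config_enabled "$opt" "$cfg"; then
        echo missing-despite-config             # look for another cause in the source
    else
        echo disabled-by-config                 # kernel was built without OPTION
    fi
}

# Usage: ./kprobe_check.sh security_path_rename CONFIG_SECURITY_PATH
if [ "$#" -ge 2 ]; then
    diagnose "$@"
fi
```

Running the check at the start of a tracer's deployment turns the opaque "cannot attach kprobe" failure into a statement about the kernel build, which matters when a missing probe would otherwise leave rename events silently unmonitored.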