Hello everyone,
I have a question about execsnoop.bpf.c in bcc (https://github.com/iovisor/bcc/blob/master/libbpf-tools/execsnoop.bpf.c). I found that if I start tmux in a bash shell, the tracepoint__syscalls__sys_enter_execve hook program cannot read ctx->args[0] properly; in fact, it returns error -14. Based on my understanding, ctx->args[0] is the filename, if you check it in /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/format.
In order to make it more obvious, I made the following change to print out the error:
After the above change, I run make, then run sudo ./execsnoop.
Then, from another bash shell, I type tmux and hit the Enter key.
In /sys/kernel/debug/tracing/trace_pipe, I can see the following printout:
root@l130r1-srv3:/sys/kernel/debug/tracing# cat trace_pipe | grep -A10 -B10 xxxx
utempter-4031732 [027] d...1 3878624.643948: bpf_trace_printk: sys_enter_execve: tgid=4031732, pid=4031732, comm=tmux: server xxxxxxxxxxxx cannot read file name
<...>-4035723 [077] d...1 3878668.047954: bpf_trace_printk: sys_enter_execve: tgid=4035723, pid=4035723, comm=tmux: server xxxxxxxxxxxx cannot read file name
Could you please let me know whether this is a bug in execsnoop.bpf.c in bcc, or whether this is a special type of process that simply does not have a filename?
I am seeing erlexec having this issue as well.
Platform: Ubuntu 22.04 LTS
Another note that might be helpful:
From https://unix.stackexchange.com/questions/615518/if-i-run-tmux-and-then-kill-the-tmux-process-i-see-two-bash-processes-how-do, I do see that tmux starts 2 processes and then terminates the one started first. Maybe it is related?
Thanks,
Jon Liu
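As an added example (not part of bcc or of the post above), here is a small parser for the trace_pipe diagnostic lines quoted in the post, written from a collector's point of view: an execve event whose filename read failed with -14 (EFAULT) is recorded as a distinct "filename unreadable" condition rather than silently dropped. The message layout is assumed from the quoted lines, since the bpf_printk change itself is not shown, and the comm field is matched lazily because "tmux: server" contains ": ".

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# ftrace line layout: TASK-PID [CPU] FLAGS TIMESTAMP: FUNCTION: MESSAGE
# TASK is "<...>" when ftrace could not resolve the task name (second line in the post).
FTRACE_RE = re.compile(
    r"^\s*(?P<task>.+?)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+"
    r"(?P<ts>\d+\.\d+):\s+bpf_trace_printk:\s+(?P<msg>.*)$"
)
# Message layout assumed from the lines quoted in the post. The comm field can itself
# contain ": " ("tmux: server"), so it is matched lazily up to the grep marker and reason.
MSG_RE = re.compile(
    r"^(?P<hook>sys_enter_execve): tgid=(?P<tgid>\d+), pid=(?P<pid>\d+), "
    r"comm=(?P<comm>.+?)(?:\s+x+)?\s+(?P<reason>cannot read file name)$"
)

# Sample input: the two trace_pipe lines from the post plus one constructed line with
# an unrelated bpf_trace_printk message, to show that it is classified as "other".
SAMPLE_LINES = [
    "utempter-4031732 [027] d...1 3878624.643948: bpf_trace_printk: sys_enter_execve: "
    "tgid=4031732, pid=4031732, comm=tmux: server xxxxxxxxxxxx cannot read file name",
    "<...>-4035723 [077] d...1 3878668.047954: bpf_trace_printk: sys_enter_execve: "
    "tgid=4035723, pid=4035723, comm=tmux: server xxxxxxxxxxxx cannot read file name",
    "bash-4031700 [003] d...1 3878600.000000: bpf_trace_printk: hello from bpf",  # constructed
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict for one trace_pipe line, or None if it is not a bpf_trace_printk line."""
    m = FTRACE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("task", "pid", "cpu", "flags", "ts")}
    mm = MSG_RE.match(m.group("msg"))
    if not mm:
        rec["status"] = "other"
        return rec
    rec.update({k: mm.group(k) for k in ("hook", "tgid", "comm")})
    # Keep the event: the exec happened even though args[0] was unreadable (EFAULT, -14).
    rec["status"] = "filename_unreadable"
    return rec


def unreadable_by_comm(lines: List[str]) -> Counter:
    """Count execve events whose filename could not be read, keyed by comm."""
    recs = (parse_line(l) for l in lines)
    return Counter(r["comm"] for r in recs if r and r["status"] == "filename_unreadable")
```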