I am failing to load an eBPF script that traces path renames by using kprobe:
```c
int kprobe__security_path_rename( struct pt_regs *ctx, const struct path *old_dir, struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry )
{
...
}
```
It works fine on my Ubuntu machine (kernel 5.13.0), but fails on an AWS node (kernel 5.4.156) with the following error:
```
sh-4.2$ sudo ./tracker.py
cannot attach kprobe, probe entry may not exist
Traceback (most recent call last):
  File "./tracker.py", line 698, in <module>
    bpf = BPF(text=program)
  File "/usr/lib/python3.7/site-packages/bcc/__init__.py", line 372, in __init__
    self._trace_autoload()
  File "/usr/lib/python3.7/site-packages/bcc/__init__.py", line 1232, in _trace_autoload
    fn_name=fn.name)
  File "/usr/lib/python3.7/site-packages/bcc/__init__.py", line 684, in attach_kprobe
    (fn_name, event))
Exception: Failed to attach BPF program b'kprobe__security_path_rename' to kprobe b'security_path_rename'
```
I checked `/proc/kallsyms` and `/boot/System.map-$(uname -r)`, and indeed the symbols `security_path_{mknod,mkdir,unlink,rename}` all exist on my machine and are missing on the AWS node.

I also observed that after updating the AWS kernel version to 5.4.176 the symbols appear and my program works. However, these symbols all appear in the source of all (relevant) kernel versions, are not marked `static` or `notrace`, and are explicitly exported via `EXPORT_SYMBOL`.
Can't these symbols be kprobed on kernel 5.4.156?
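
The symbol check described in the question can run as a pre-flight step before BCC tries to attach. This is an added example, not part of the original post; `HOOKS`, `text_symbols`, `config_enabled`, `preflight` and both sample inputs are constructed for illustration.

```python
# Added example: pre-flight check for kprobe targets before BPF(text=...) autoloads them.
HOOKS = ("security_path_mknod", "security_path_mkdir",
         "security_path_unlink", "security_path_rename")

# Constructed sample in /proc/kallsyms format: address, type, name, optional [module].
SAMPLE_KALLSYMS = """\
ffffffff813a1000 T security_inode_rename
ffffffff813a1200 T security_path_rename
ffffffff813a1400 t security_path_mkdir.cold
ffffffff813a1600 T security_path_unlink\t[constructed_mod]
0000000000000000 T security_path_mknod
"""
# Constructed sample in /boot/config-<release> format.
SAMPLE_CONFIG = "CONFIG_SECURITY=y\n# CONFIG_SECURITY_PATH is not set\n"


def text_symbols(symtab_text):
    """Names of code symbols in kallsyms or System.map content (same column layout)."""
    names = set()
    for line in symtab_text.splitlines():
        parts = line.split()
        # Keep zero addresses: unprivileged reads of kallsyms hide the address
        # but still list the name.
        if len(parts) >= 3 and parts[1] in {"t", "T", "w", "W"}:
            names.add(parts[2])
    return names


def config_enabled(config_text, option):
    """True if the kernel config sets option=y."""
    return any(l.strip() == option + "=y" for l in config_text.splitlines())


def preflight(symtab_text, config_text, hooks=HOOKS):
    """Split hooks into those with an exact symbol match and those without."""
    present = text_symbols(symtab_text)
    return {
        # Exact match only: a substring grep would count 'security_path_mkdir.cold'.
        "attachable": [h for h in hooks if h in present],
        "missing": [h for h in hooks if h not in present],
        # In the kernel source the security_path_* hooks are compiled only
        # under CONFIG_SECURITY_PATH.
        "security_path_built": config_enabled(config_text, "CONFIG_SECURITY_PATH"),
    }


if __name__ == "__main__":
    # On a real host: preflight(open("/proc/kallsyms").read(), open(config_path).read())
    print(preflight(SAMPLE_KALLSYMS, SAMPLE_CONFIG))
```

A name listed in kallsyms can still be refused by the kprobes blacklist, so `attachable` is a necessary condition, not a guarantee.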