Saturday 27 May 2023

ebpf kprobe argument not matching the syscall

I'm learning eBPF and I'm playing with it in order to understand it better while following the docs, but there's something that isn't working and I don't understand why...

I have this very simple code that stops the program and returns 5.

#include <stdlib.h>

int main() {
   exit(5);
   return 0;
}

The exit function from the code above calls the exit_group syscall, as we can see by using strace (image below), yet within my Python code that's using eBPF through bcc, the output I get from my bpf_trace_printk is the value 208682672 and not the value 5 that the exit_group syscall is called with, as I was expecting...

[image: strace return]

from bcc import BPF

def main():
    # kprobe handler, written as if the status were passed as the first argument
    bpftext = """
    #include <uapi/linux/ptrace.h>

    void my_exit(struct pt_regs *ctx, int status){
        bpf_trace_printk("%d", status);
    }
    """

    bpf = BPF(text=bpftext)
    # resolve the kernel symbol for the exit_group syscall on this kernel
    fname = bpf.get_syscall_fnname('exit_group')
    bpf.attach_kprobe(event=fname, fn_name='my_exit')

    while True:
        print(bpf.trace_fields())


if __name__ == '__main__':
    main()

I've looked into whatever I found online, but I couldn't find a solution, and I've been investigating this problem for a few days now...

I truly appreciate any help available and thank you!
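The behaviour described in the post is what a practitioner sees on an x86_64 kernel built with syscall wrappers: bcc's get_syscall_fnname resolves exit_group to __x64_sys_exit_group, and that wrapper takes a single argument, a pointer to the saved user-space struct pt_regs, rather than the syscall arguments themselves. A kprobe handler declared with an int second parameter therefore prints the low bits of that pointer instead of the status. The following is an added example, not code from the post; it reads the first syscall argument out of the user register snapshot when a wrapper symbol is in use, and falls back to the direct-argument form on kernels that still export a plain sys_exit_group. The syscall_fnname helper mirrors bcc's symbol lookup over /proc/kallsyms so the selection logic can be exercised offline; the kallsyms excerpt is constructed, and the bcc import is deferred to main() because attaching a kprobe needs root, kernel headers and BPF support.

```python
"""Reading the exit_group status from a bcc kprobe on x86_64.

Added example (not the original post's code). Assumes an x86_64 kernel
whose kprobe target is __x64_sys_exit_group(struct pt_regs *regs): the
probe's first argument is then a pointer to the saved user-space
registers, not the status value itself.
"""
import re

# Constructed excerpt in /proc/kallsyms format (address, type, symbol),
# used to exercise the symbol selection without a live kernel.
SAMPLE_KALLSYMS = """\
ffffffff81080000 T __x64_sys_exit_group
ffffffff81080010 T __ia32_sys_exit_group
ffffffff81080020 t do_group_exit
"""

# Wrapper kernels: the kprobe's first argument is the user pt_regs pointer.
WRAPPER_PROG = r"""
#include <uapi/linux/ptrace.h>

int my_exit(struct pt_regs *ctx) {
    /* ctx = kernel registers at the probe; PARM1 is the user pt_regs pointer */
    struct pt_regs *uregs = (struct pt_regs *)PT_REGS_PARM1(ctx);
    long arg1 = 0;
    /* the first syscall argument (rdi on x86_64) lives in that snapshot */
    bpf_probe_read_kernel(&arg1, sizeof(arg1), &PT_REGS_PARM1(uregs));
    bpf_trace_printk("exit_group status=%d\n", (int)arg1);
    return 0;
}
"""

# Kernels without wrappers (sys_exit_group(int error_code)): the status is
# passed directly, so the post's two-parameter signature is correct there.
DIRECT_PROG = r"""
#include <uapi/linux/ptrace.h>

int my_exit(struct pt_regs *ctx, int status) {
    bpf_trace_printk("exit_group status=%d\n", status);
    return 0;
}
"""

# Tried in order, the way bcc resolves a syscall name to a kernel symbol.
SYSCALL_PREFIXES = ("__x64_sys_", "__arm64_sys_", "__s390x_sys_", "sys_")


def syscall_fnname(name, kallsyms_text):
    """Pick the kernel symbol a kprobe for syscall `name` should attach to.

    `kallsyms_text` is the content of /proc/kallsyms (addresses may read as
    zero for non-root users; only the symbol names matter here).
    """
    symbols = set()
    for line in kallsyms_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            symbols.add(parts[2])
    for prefix in SYSCALL_PREFIXES:
        candidate = prefix + name
        if candidate in symbols:
            return candidate
    raise LookupError("no symbol for syscall %r" % name)


def choose_program(fnname):
    """Wrapper symbols take struct pt_regs *; plain sys_ symbols take the args."""
    return DIRECT_PROG if fnname.startswith("sys_") else WRAPPER_PROG


STATUS_RE = re.compile(rb"exit_group status=(-?\d+)")


def status_from_msg(msg):
    """Extract the status from the bytes of a bpf_trace_printk message."""
    m = STATUS_RE.search(msg)
    return int(m.group(1)) if m else None


def main():
    from bcc import BPF  # deferred: needs root, kernel headers and BPF support
    with open("/proc/kallsyms") as f:
        fname = syscall_fnname("exit_group", f.read())
    bpf = BPF(text=choose_program(fname))
    bpf.attach_kprobe(event=fname, fn_name="my_exit")
    print("tracing %s, Ctrl-C to stop" % fname)
    while True:
        task, pid, cpu, flags, ts, msg = bpf.trace_fields()
        print(pid, task.decode(errors="replace"), status_from_msg(msg))


if __name__ == "__main__":
    main()
```

Run it as root and exit a process with a known status; the printed value is the status rather than a register snapshot address. A kprobe on the wrapper is tied to the calling convention of one architecture and kernel generation, so for production tracing the syscalls:sys_enter_exit_group tracepoint is the more stable choice: its argument field is named in the tracepoint's format file under /sys/kernel/tracing/events/syscalls/, and bcc exposes it through TRACEPOINT_PROBE without any register decoding.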



from ebpf kprobe argument not matching the syscall
