Replies: 1 comment 1 reply
-
|
The error occurs because the section name in your BPF C code doesn't match what cilium/ebpf expects for kretprobes. Change your section name from // Wrong
SEC("kprobe/sys_execve")
int kretprobe_execve(struct pt_regs *ctx) {
// ...
}
// Correct
SEC("kretprobe/sys_execve")
int kretprobe_execve(struct pt_regs *ctx) {
// ...
}cilium/ebpf uses the
When the section name is wrong, the library can't infer the program type, resulting in "program type is unspecified". //go:build ignore
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
SEC("kretprobe/sys_execve")
int kretprobe_execve(struct pt_regs *ctx) {
int ret = PT_REGS_RC(ctx); // get return value
bpf_printk("execve returned: %d\n", ret);
return 0;
}
char LICENSE[] SEC("license") = "GPL";Then in Go, attach it with: kp, err := link.Kretprobe("sys_execve", objs.KretprobeExecve, nil)
if err != nil {
log.Fatalf("opening kretprobe: %s", err)
}
defer kp.Close()For kernels with syscall wrappers (most modern kernels), you may need to use |
Beta Was this translation helpful? Give feedback.
-
|
Small correction: semantically, there's no difference between the You've likely omitted the For posterity, there's documentation about this now: https://ebpf-go.dev/concepts/section-naming/#program-sections. The kernel (libbpf) also has a more up-to-date counterpart to this: https://docs.kernel.org/bpf/libbpf/program_types.html. In the upcoming 0.21 release, our supported section names will support 1:1 what libbpf supports. We had some legacy compatibility extras, but those were removed in #1934. There's also the venerable |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I can run ringbuff example,but when i want to replace kprobe to Kretprobe, i get the erro:
2023/06/15 06:38:27 loading objects: field KretprobeExecve: cannot load program kretprobe_execve: program type is unspecifiedBeta Was this translation helpful? Give feedback.
All reactions