I am trying to run one of the standard example scripts from Systemtap. The procmod_watcher.stp uses kprobes to watch fork, exec, etc. But when I try to run this script I get an error:
semantic error: while resolving probe point: identifier 'kprobe' at /usr/share/systemtap/tapset/linux/nd_syscalls.stp:967:27
source: probe nd_syscall.execve = kprobe.function("do_execve")
Sure enough, stap -L 'kprobe.function("do_execve")' returns nothing.
How can this be?
I am using Ubuntu and have followed the instructions in: Systemtap on Ubuntu @sourceware
I have also tried compiling my own kernel and making sure Kprobes, debug_info and all the other required items are enabled through config. I get the same error.
I have tried the same script on Fedora and it runs practically out of the box. But I only have a virtual machine with Fedora on it and would like to continue with Ubuntu for a while.
What do I need to do to enable kprobes in systemtap on Ubuntu?
The kprobe.function probes rely on systemtap reading the System.map file for lists of functions. Run
stap -vv -L 'kprobe.function("do_execve")'
to see where stap is looking for that file; it's probably complaining about "Kernel symbol table ... unavailable". Arrange to put a System.map symlink there, and stap should find it and the do_execve function within it. We can extend stap's search path to find the file in its original location; pointers welcome. Or if the problem is permissions,
sudo chmod a+r /boot/System.map*
This is to work around a misguided part of https://wiki.ubuntu.com/Security/Features - see also https://sourceware.org/bugzilla/show_bug.cgi?id=15172
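
A small check that separates the failure cases this answer describes (symbol file absent, present but not readable, or readable without the function), as an added example that is not part of the original answer. The function name check_kprobe_symbol and its status words are made up here; pass it whichever path stap -vv reports.

```shell
#!/bin/sh
# check_kprobe_symbol MAPFILE FUNCTION   (hypothetical helper, not part of systemtap)
# Prints one status word and returns:
#   0 found       FUNCTION is listed as a code symbol in MAPFILE
#   1 missing     MAPFILE does not exist (e.g. the symlink was never created)
#   2 unreadable  MAPFILE exists but the current user cannot read it
#   3 absent      MAPFILE is readable but lists no such code symbol
check_kprobe_symbol() {
    map=$1
    func=$2
    if [ ! -e "$map" ]; then
        echo missing
        return 1
    fi
    if [ ! -r "$map" ]; then
        echo unreadable
        return 2
    fi
    # System.map lines have the form "<address> <type> <name>".
    # Types T and t mark symbols in the text (code) section; this sketch
    # only accepts those, so data symbols with a similar name do not match.
    if awk -v f="$func" \
        '($2 == "T" || $2 == "t") && $3 == f { found = 1 }
         END { exit !found }' "$map"; then
        echo found
        return 0
    fi
    echo absent
    return 3
}

# Stand-alone use: sh check.sh /path/reported/by/stap do_execve
if [ $# -eq 2 ]; then
    check_kprobe_symbol "$1" "$2"
fi
```

Run it as the same user that runs stap, since "unreadable" depends on that user's permissions.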