openat | OpenAT : Open Source Algorithmic Trading Library | Cryptocurrency library

__x64_sys_openat is the name of some function in the Linux kernel, to which BCC attaches a kprobe.

sys_enter_openat is the name of a tracepoint in Linux, meaning that this is a (more or less) stable interface to which you can hook for tracing, including with an eBPF program. You can see the available tracepoints on your system by listing the entries under /sys/kernel/debug/tracing/events/. I think BCC also has a utility called tplist to help with it.

When given the choice, I would recommend hooking at tracepoints if possible, because they tend to be more stable than kernel internals: The parameters for __x64_sys_openat, or the name of that function, could change between different kernel versions for example; or the name would change on an other architecture, et cætera. However, the tracepoint is unlikely to change. Note that the instability of kernel's internals is somewhat mitigated for eBPF with CO-RE.

Then it is not always possible to hook to a tracepoint: You can only use one of the existing tracepoints from the kernel. If you want to hook to another random function where no tracepoint is present (and assuming this function was not inlined at compilation time - check this by looking for it in /proc/kallsyms), then you want to use a kprobe.

Sometimes you also need to pay extra attention to where you hook. For example, for security use cases (i.e. blocking a syscall), syscall tracepoints (or the corresponding kernel functions, obviously) are not always the best hooking points because they might leave you open to TOCTOU attacks. LSM hooks could be a good solution for that use case.

Looking at the strace output for both root and greg, the problem seems clear.

For the root user, python 3.6 finds the libraries in /usr/lib64/python3.6.

However, for greg, it only looks under /usr/bin/python3 for subdirectories. That doesn't work because /usr/bin/python3 is a file.

I suspect that the user greg has PYTOHNHOME set erroneously to the location of the Python binary , and that is causing the issue.

Remove PYTOHNHOME from your environment, log out and log in again.

Note: the stuff below is probably barking up the wrong tree. I'll leave it for information.

The encodings module is an (undocumented) part of the python standard library. It is used by the locale module.

Based on the output I suspect that your Python installation has been damaged or corrupted. Try re-installing python.

EDIT:

If a forced re-install doesn't fix the problem, check that the directory encodings exist in your Python stdlib directory, and is accessible for all users.

To find out which directory that is:

TL;DR: Your map update works fine. The message is a bug in bpftool.

Bpftool updates the maps just as you would expect; and then, after processing all the batch file, it checks errno. If errno is 0, it supposes that everything went fine, and it's good. If not, it prints strerror(errno) so you can see what went wrong when processing the file.

errno being set is not due to your map updates. I'm not entirely sure of what's happening to it. The bug was seemingly introduced with commit cf9bf714523d ("tools: bpftool: Allow unprivileged users to probe features"), where we manipulate process capabilities with libcap. Having a call to cap_get_proc() in feature.c is apparently enough for the executable to pick it up and to run some checks on capabilities that are supported, or not, on the system even if we're not doing any probing. I'm observing the following calls with strace:

Finally I found the solution:

Since both system has the arch and OS. I cross copied the R compiled installations between them. The R which was compiled on the problematic system, but was run on the correct one gave the warnings below after the calling of the install.packages("renv", repos="https://cran.wu.ac.at/")

After digging a bit in other threads here, I found that every syscall is supposed to appear twice, once before it was called, and another time after it was called.
So the solution will be to simply to add the syscall to the list only once every two iterations.

If I follow the code correctly, you're redoing a ton of work for every IP address that doesn't need to be redone. Every time through the main loop you're:

• creating a new packet socket
• binding it
• setting up a tx packet ring buffer
• mmap'ing it
• sending a single packet
• unmapping
• closing the socket

That's a huge amount of work you're causing the system to do for one packet.

You should only create one packet socket at the beginning, set up the tx buffer and mmap once, and leave it open until the program is done. You can send any number of packets through the interface without closing/re-opening.

This is why your top time users are setsockopt, mmap, unmap, etc. All of those operations are heavy in the kernel.

Also, the point of PACKET_TX_RING is that you can set up a large buffer and create one packet after another within the buffer without making a send system call for each packet. By using the packet header's tp_status field you're telling the kernel that this frame is ready to be sent. You then advance your pointer within the ring buffer to the next available slot and build another packet. When you have no more packets to build (or you've filled the available space in the buffer [i.e. wrapped around to your oldest still-in-flight frame]), you can then make one send/sendto call to tell the kernel to go look at your buffer and (start) sending all those packets.

You can then start building more packets (being careful to ensure they are not still in use by the kernel -- through the tp_status field).

That said, if this were a project I were doing, I would simplify a lot - at least for the first pass: create a packet socket, bind it to the interface, build packets one at a time, and use send once per frame (i.e. not bothering with PACKET_TX_RING). If (and only if) performance requirements are so tight that it needs to send faster would I bother setting up and using the ring buffer. I doubt you'll need that. This should go a ton faster without the excess setsockopt and mmap calls.

Finally, a non-blocking socket is only useful if you have something else to do while you're waiting. In this case, if you have the socket set to be non-blocking and the packet can't be sent because the call would block, the send call will fail and if you don't do something about that (enqueue the packet somewhere, and retry later, say), the packet will be lost. In this program, I can't see any benefit whatsoever to using a non-blocking socket. If the socket blocks, it's because the device transmit queue is full. After that, there's no point in you continuing to produce packets to be sent, you won't be able send those packets either. Much simpler to just block at that point until the queue drains.

As you can see in strace, the execve command executes as: execve("/bin//nc", ["/bin//nc", "/bin//nc-e //bin/bash -nvlp 4455"], NULL) = 0 It seems to be taking the whole /bin//nc-e //bin/bash -nvlp 4455 as a single argument and thus thinks it's a hostname. In order to get around that, the three argv[] needed for execve() is pushed seperately. argv[]=["/bin/nc", "-e/bin/bash", "-nvlp4455"] These arguments are each pushed into edx, ecx, and ebx. since ebx needs to be /bin/nc, which was already done in the original code. we just needed to push 2nd and 3rd argv[] into ecx and edx and push it into stack. After that we just copy the whole stack into ecx, and then xor edx,edx to set edx as NULL.

Here is the correct solution:

Following up on my VISUAL comment, these worked for me:

You have to assign whole user when authorize. This is how I solved this problem. Auth.js (middleware)