@oshaked1 is this somehow related to #3891? If so, please test it again using this patch #3848.

#3891 is not related though I did encounter these together. I tried your patch anyways, it doesn't seem to fix it.

Hey @oshaked1,

I’m currently working on recreating the issue but couldn’t reproduce it fully. Here's what I did step-by-step:

1. I ran Tracee from the /tracee directory using:

   sudo ./dist/tracee -e bpf

2. In another console, I moved to /tracee/dist and ran:

   sudo bpftool gen skeleton -L tracee.bpf.o > hello.skell.h

3. The following error was printed:

   libbpf: elf: skipping unrecognized data section(301) .rodata.str1.1
   libbpf: prog 'suspicious_syscall_source': bad map relo against '.rodata.str1.1' in section '.rodata.str1.1'
   Error: failed to open BPF object file: Relocation failed

However, nothing was captured by Tracee during this process.

Additional Details:

• Tracee version:

  Tracee version: v0.22.0-123-g84aca9d8b4
  

• Kernel version (uname -a):

  Linux ****** 5.15.0-125-generic #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  

Let me know if there's anything specific I should test further, or if you have any suggestions for debugging this.

@ShohamBit Use this code:

import ctypes
import errno
import os

# BPF syscall number (x86_64 Linux)
SYS_BPF = 321  # Verify on your system, e.g., using `man syscall`

# Invalid BPF command
BPF_INVALID_CMD = 9999

# Load the libc shared library
libc = ctypes.CDLL("libc.so.6", use_errno=True)

# Prepare dummy arguments
arg1 = ctypes.c_void_p(0)
arg2 = ctypes.c_void_p(0)
arg3 = ctypes.c_void_p(0)

# Call the syscall
ret = libc.syscall(SYS_BPF, BPF_INVALID_CMD, arg1, arg2, arg3)

if ret == -1:
    err = ctypes.get_errno()
    print(f"Error: {os.strerror(err)} (errno={err})")
    if err == errno.EINVAL:
        print("As expected, got EINVAL for an invalid BPF command.")
    else:
        print("Unexpected error occurred.")