* bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3
@ 2020-05-07 5:19 Ma Xinjian
2020-05-07 16:16 ` Andrii Nakryiko
0 siblings, 1 reply; 8+ messages in thread
From: Ma Xinjian @ 2020-05-07 5:19 UTC (permalink / raw)
To: bpf
Hi,
When I test bpf lsm with (/test_progs -vv -t test_lsm ), failed with
below issue:
root@lkp-skl-d01
/usr/src/perf_selftests-x86_64-rhel-7.6-kselftests-bpf-lsm-2-6a8b55ed4056ea5559ebe4f6a4b247f627870d4c/tools/testing/selftests/bpf#
./test_progs -vv -t test_lsm
libbpf: loading object 'lsm' from buffer
libbpf: section(1) .strtab, size 306, link 0, flags 0, type=3
libbpf: skip section(1) .strtab
libbpf: section(2) .text, size 0, link 0, flags 6, type=1
libbpf: skip section(2) .text
libbpf: section(3) lsm/file_mprotect, size 192, link 0, flags 6, type=1
libbpf: found program lsm/file_mprotect
libbpf: section(4) .rellsm/file_mprotect, size 32, link 25, flags 0, type=9
libbpf: section(5) lsm/bprm_committed_creds, size 104, link 0, flags 6,
type=1
libbpf: found program lsm/bprm_committed_creds
libbpf: section(6) .rellsm/bprm_committed_creds, size 32, link 25, flags
0, type=9
libbpf: section(7) license, size 4, link 0, flags 3, type=1
libbpf: license of lsm is GPL
libbpf: section(8) .bss, size 12, link 0, flags 3, type=8
libbpf: section(9) .debug_loc, size 383, link 0, flags 0, type=1
libbpf: skip section(9) .debug_loc
libbpf: section(10) .rel.debug_loc, size 112, link 25, flags 0, type=9
libbpf: skip relo .rel.debug_loc(10) for section(9)
libbpf: section(11) .debug_abbrev, size 901, link 0, flags 0, type=1
libbpf: skip section(11) .debug_abbrev
libbpf: section(12) .debug_info, size 237441, link 0, flags 0, type=1
libbpf: skip section(12) .debug_info
libbpf: section(13) .rel.debug_info, size 112, link 25, flags 0, type=9
libbpf: skip relo .rel.debug_info(13) for section(12)
libbpf: section(14) .debug_ranges, size 96, link 0, flags 0, type=1
libbpf: skip section(14) .debug_ranges
libbpf: section(15) .rel.debug_ranges, size 128, link 25, flags 0, type=9
libbpf: skip relo .rel.debug_ranges(15) for section(14)
libbpf: section(16) .debug_str, size 142395, link 0, flags 30, type=1
libbpf: skip section(16) .debug_str
libbpf: section(17) .BTF, size 5634, link 0, flags 0, type=1
libbpf: section(18) .rel.BTF, size 64, link 25, flags 0, type=9
libbpf: skip relo .rel.BTF(18) for section(17)
libbpf: section(19) .BTF.ext, size 484, link 0, flags 0, type=1
libbpf: section(20) .rel.BTF.ext, size 416, link 25, flags 0, type=9
libbpf: skip relo .rel.BTF.ext(20) for section(19)
libbpf: section(21) .debug_frame, size 64, link 0, flags 0, type=1
libbpf: skip section(21) .debug_frame
libbpf: section(22) .rel.debug_frame, size 32, link 25, flags 0, type=9
libbpf: skip relo .rel.debug_frame(22) for section(21)
libbpf: section(23) .debug_line, size 227, link 0, flags 0, type=1
libbpf: skip section(23) .debug_line
libbpf: section(24) .rel.debug_line, size 32, link 25, flags 0, type=9
libbpf: skip relo .rel.debug_line(24) for section(23)
libbpf: section(25) .symtab, size 288, link 1, flags 0, type=2
libbpf: looking for externs among 12 symbols...
libbpf: collected 0 externs total
libbpf: map 'lsm.bss' (global data): at sec_idx 8, offset 0, flags 400.
libbpf: map 0 is "lsm.bss"
libbpf: collecting relocating info for: 'lsm/file_mprotect'
libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
('monitored_pid'), insn 12
libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 12
libbpf: relo for shdr 8, symb 9, value 4, type 1, bind 1, name 34
('mprotect_count'), insn 17
libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 17
libbpf: collecting relocating info for: 'lsm/bprm_committed_creds'
libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
('monitored_pid'), insn 1
libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 1
libbpf: relo for shdr 8, symb 7, value 8, type 1, bind 1, name 49
('bprm_count'), insn 6
libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 6
libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
libbpf: created map lsm.bss: fd=4
libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
libbpf: prog 'lsm/file_mprotect': performing 4 CO-RE offset relocs
libbpf: prog 'lsm/file_mprotect': relo #0: kind 0, spec is [6]
vm_area_struct + 0:6 => 64.0 @ &x[0].vm_mm
libbpf: [6] vm_area_struct: found candidate [329] vm_area_struct
libbpf: prog 'lsm/file_mprotect': relo #0: matching candidate #0
vm_area_struct against spec [329] vm_area_struct + 0:6 => 64.0 @
&x[0].vm_mm: 1
libbpf: prog 'lsm/file_mprotect': relo #0: patched insn #5 (LDX/ST/STX)
off 64 -> 64
libbpf: prog 'lsm/file_mprotect': relo #1: kind 0, spec is [32]
mm_struct + 0:0:35 => 304.0 @ &x[0].start_stack
libbpf: [32] mm_struct: found candidate [308] mm_struct
libbpf: prog 'lsm/file_mprotect': relo #1: matching candidate #0
mm_struct against spec [308] mm_struct + 0:0:35 => 304.0 @
&x[0].start_stack: 1
libbpf: prog 'lsm/file_mprotect': relo #1: patched insn #7 (LDX/ST/STX)
off 304 -> 304
libbpf: prog 'lsm/file_mprotect': relo #2: kind 0, spec is [6]
vm_area_struct + 0:0 => 0.0 @ &x[0].vm_start
libbpf: prog 'lsm/file_mprotect': relo #2: matching candidate #0
vm_area_struct against spec [329] vm_area_struct + 0:0 => 0.0 @
&x[0].vm_start: 1
libbpf: prog 'lsm/file_mprotect': relo #2: patched insn #8 (LDX/ST/STX)
off 0 -> 0
libbpf: prog 'lsm/file_mprotect': relo #3: kind 0, spec is [6]
vm_area_struct + 0:1 => 8.0 @ &x[0].vm_end
libbpf: prog 'lsm/file_mprotect': relo #3: matching candidate #0
vm_area_struct against spec [329] vm_area_struct + 0:1 => 8.0 @
&x[0].vm_end: 1
libbpf: prog 'lsm/file_mprotect': relo #3: patched insn #10 (LDX/ST/STX)
off 8 -> 8
test_test_lsm:PASS:skel_load 0 nsec
test_test_lsm:PASS:attach 0 nsec
test_test_lsm:PASS:exec_cmd 0 nsec
test_test_lsm:FAIL:bprm_count bprm_count = 0
test_test_lsm:FAIL:stack_mprotect want err=EPERM, got 0
#70 test_lsm:FAIL
Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
kconfig:
CONFIG_BPF_LSM=y
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
besides:
when I add bpf to CONFIG_LSM, then boot failed.
boot error:
```
Cannot determine cgroup we are running in: No data available
Failed to allocate manager object: No data available
[!!!!!!] Failed to allocate manager object, freezing.
Freezing execution.
```
seems bpf in CONFIG_LSM and CONFIG_BPF_LSM conflict.
clang version: v11.0.0
commit: 54b35c066417d4856e9d53313f7e98b354274584
# pahole --version
v1.17
--
Best Regards.
Ma Xinjian
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3
2020-05-07 5:19 bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3 Ma Xinjian
@ 2020-05-07 16:16 ` Andrii Nakryiko
[not found] ` <CAFLU3KuU6zFs7+xQ-=vy9WEx-4U=cTSW9VXNMyxRdwY3LHc9HA@mail.gmail.com>
0 siblings, 1 reply; 8+ messages in thread
From: Andrii Nakryiko @ 2020-05-07 16:16 UTC (permalink / raw)
To: Ma Xinjian, KP Singh; +Cc: bpf
On Wed, May 6, 2020 at 10:21 PM Ma Xinjian <max.xinjian@intel.com> wrote:
>
> Hi,
>
> When I test bpf lsm with (/test_progs -vv -t test_lsm ), failed with
> below issue:
>
> root@lkp-skl-d01
> /usr/src/perf_selftests-x86_64-rhel-7.6-kselftests-bpf-lsm-2-6a8b55ed4056ea5559ebe4f6a4b247f627870d4c/tools/testing/selftests/bpf#
> ./test_progs -vv -t test_lsm
>
> libbpf: loading object 'lsm' from buffer
> libbpf: section(1) .strtab, size 306, link 0, flags 0, type=3
> libbpf: skip section(1) .strtab
> libbpf: section(2) .text, size 0, link 0, flags 6, type=1
> libbpf: skip section(2) .text
> libbpf: section(3) lsm/file_mprotect, size 192, link 0, flags 6, type=1
> libbpf: found program lsm/file_mprotect
> libbpf: section(4) .rellsm/file_mprotect, size 32, link 25, flags 0, type=9
> libbpf: section(5) lsm/bprm_committed_creds, size 104, link 0, flags 6,
> type=1
> libbpf: found program lsm/bprm_committed_creds
> libbpf: section(6) .rellsm/bprm_committed_creds, size 32, link 25, flags
> 0, type=9
> libbpf: section(7) license, size 4, link 0, flags 3, type=1
> libbpf: license of lsm is GPL
> libbpf: section(8) .bss, size 12, link 0, flags 3, type=8
> libbpf: section(9) .debug_loc, size 383, link 0, flags 0, type=1
> libbpf: skip section(9) .debug_loc
> libbpf: section(10) .rel.debug_loc, size 112, link 25, flags 0, type=9
> libbpf: skip relo .rel.debug_loc(10) for section(9)
> libbpf: section(11) .debug_abbrev, size 901, link 0, flags 0, type=1
> libbpf: skip section(11) .debug_abbrev
> libbpf: section(12) .debug_info, size 237441, link 0, flags 0, type=1
> libbpf: skip section(12) .debug_info
> libbpf: section(13) .rel.debug_info, size 112, link 25, flags 0, type=9
> libbpf: skip relo .rel.debug_info(13) for section(12)
> libbpf: section(14) .debug_ranges, size 96, link 0, flags 0, type=1
> libbpf: skip section(14) .debug_ranges
> libbpf: section(15) .rel.debug_ranges, size 128, link 25, flags 0, type=9
> libbpf: skip relo .rel.debug_ranges(15) for section(14)
> libbpf: section(16) .debug_str, size 142395, link 0, flags 30, type=1
> libbpf: skip section(16) .debug_str
> libbpf: section(17) .BTF, size 5634, link 0, flags 0, type=1
> libbpf: section(18) .rel.BTF, size 64, link 25, flags 0, type=9
> libbpf: skip relo .rel.BTF(18) for section(17)
> libbpf: section(19) .BTF.ext, size 484, link 0, flags 0, type=1
> libbpf: section(20) .rel.BTF.ext, size 416, link 25, flags 0, type=9
> libbpf: skip relo .rel.BTF.ext(20) for section(19)
> libbpf: section(21) .debug_frame, size 64, link 0, flags 0, type=1
> libbpf: skip section(21) .debug_frame
> libbpf: section(22) .rel.debug_frame, size 32, link 25, flags 0, type=9
> libbpf: skip relo .rel.debug_frame(22) for section(21)
> libbpf: section(23) .debug_line, size 227, link 0, flags 0, type=1
> libbpf: skip section(23) .debug_line
> libbpf: section(24) .rel.debug_line, size 32, link 25, flags 0, type=9
> libbpf: skip relo .rel.debug_line(24) for section(23)
> libbpf: section(25) .symtab, size 288, link 1, flags 0, type=2
> libbpf: looking for externs among 12 symbols...
> libbpf: collected 0 externs total
> libbpf: map 'lsm.bss' (global data): at sec_idx 8, offset 0, flags 400.
> libbpf: map 0 is "lsm.bss"
> libbpf: collecting relocating info for: 'lsm/file_mprotect'
> libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
> ('monitored_pid'), insn 12
> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 12
> libbpf: relo for shdr 8, symb 9, value 4, type 1, bind 1, name 34
> ('mprotect_count'), insn 17
> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 17
> libbpf: collecting relocating info for: 'lsm/bprm_committed_creds'
> libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
> ('monitored_pid'), insn 1
> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 1
> libbpf: relo for shdr 8, symb 7, value 8, type 1, bind 1, name 49
> ('bprm_count'), insn 6
> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 6
> libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
> libbpf: created map lsm.bss: fd=4
> libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
> libbpf: prog 'lsm/file_mprotect': performing 4 CO-RE offset relocs
> libbpf: prog 'lsm/file_mprotect': relo #0: kind 0, spec is [6]
> vm_area_struct + 0:6 => 64.0 @ &x[0].vm_mm
> libbpf: [6] vm_area_struct: found candidate [329] vm_area_struct
> libbpf: prog 'lsm/file_mprotect': relo #0: matching candidate #0
> vm_area_struct against spec [329] vm_area_struct + 0:6 => 64.0 @
> &x[0].vm_mm: 1
> libbpf: prog 'lsm/file_mprotect': relo #0: patched insn #5 (LDX/ST/STX)
> off 64 -> 64
> libbpf: prog 'lsm/file_mprotect': relo #1: kind 0, spec is [32]
> mm_struct + 0:0:35 => 304.0 @ &x[0].start_stack
> libbpf: [32] mm_struct: found candidate [308] mm_struct
> libbpf: prog 'lsm/file_mprotect': relo #1: matching candidate #0
> mm_struct against spec [308] mm_struct + 0:0:35 => 304.0 @
> &x[0].start_stack: 1
> libbpf: prog 'lsm/file_mprotect': relo #1: patched insn #7 (LDX/ST/STX)
> off 304 -> 304
> libbpf: prog 'lsm/file_mprotect': relo #2: kind 0, spec is [6]
> vm_area_struct + 0:0 => 0.0 @ &x[0].vm_start
> libbpf: prog 'lsm/file_mprotect': relo #2: matching candidate #0
> vm_area_struct against spec [329] vm_area_struct + 0:0 => 0.0 @
> &x[0].vm_start: 1
> libbpf: prog 'lsm/file_mprotect': relo #2: patched insn #8 (LDX/ST/STX)
> off 0 -> 0
> libbpf: prog 'lsm/file_mprotect': relo #3: kind 0, spec is [6]
> vm_area_struct + 0:1 => 8.0 @ &x[0].vm_end
> libbpf: prog 'lsm/file_mprotect': relo #3: matching candidate #0
> vm_area_struct against spec [329] vm_area_struct + 0:1 => 8.0 @
> &x[0].vm_end: 1
> libbpf: prog 'lsm/file_mprotect': relo #3: patched insn #10 (LDX/ST/STX)
> off 8 -> 8
> test_test_lsm:PASS:skel_load 0 nsec
> test_test_lsm:PASS:attach 0 nsec
> test_test_lsm:PASS:exec_cmd 0 nsec
> test_test_lsm:FAIL:bprm_count bprm_count = 0
> test_test_lsm:FAIL:stack_mprotect want err=EPERM, got 0
> #70 test_lsm:FAIL
> Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
>
>
> kconfig:
>
> CONFIG_BPF_LSM=y
>
> CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>
> besides:
>
> when I add bpf to CONFIG_LSM, then boot failed.
>
> boot error:
>
> ```
>
> Cannot determine cgroup we are running in: No data available
> Failed to allocate manager object: No data available
> [!!!!!!] Failed to allocate manager object, freezing.
> Freezing execution.
>
> ```
>
> seems bpf in CONFIG_LSM and CONFIG_BPF_LSM conflict.
>
>
> clang version: v11.0.0
>
> commit: 54b35c066417d4856e9d53313f7e98b354274584
>
> # pahole --version
> v1.17
>
It might be due to bug in default return value of one of the
functions, which KP recently fixed. But just to be sure, KP, could you
please take a look?
>
> --
> Best Regards.
> Ma Xinjian
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3
[not found] ` <CAFLU3KuU6zFs7+xQ-=vy9WEx-4U=cTSW9VXNMyxRdwY3LHc9HA@mail.gmail.com>
@ 2020-05-07 16:24 ` KP Singh
2020-05-09 7:41 ` Ma Xinjian
0 siblings, 1 reply; 8+ messages in thread
From: KP Singh @ 2020-05-07 16:24 UTC (permalink / raw)
To: Andrii Nakryiko; +Cc: Ma Xinjian, bpf
Adding the list back after an HTML/text mess up.
On Thu, May 7, 2020 at 6:23 PM KP Singh <kpsingh@google.com> wrote:
>
> Can you check if you have the following fix:
>
> https://lore.kernel.org/bpf/20200430155240.68748-1-kpsingh@chromium.org/
>
> The test fails because the "bpf" is not in the LSM string which means the file_mprotect hook does not return a -EPERM error.
>
> - KP
>
> On Thu, May 7, 2020 at 6:16 PM Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
>>
>> On Wed, May 6, 2020 at 10:21 PM Ma Xinjian <max.xinjian@intel.com> wrote:
>> >
>> > Hi,
>> >
>> > When I test bpf lsm with (/test_progs -vv -t test_lsm ), failed with
>> > below issue:
>> >
>> > root@lkp-skl-d01
>> > /usr/src/perf_selftests-x86_64-rhel-7.6-kselftests-bpf-lsm-2-6a8b55ed4056ea5559ebe4f6a4b247f627870d4c/tools/testing/selftests/bpf#
>> > ./test_progs -vv -t test_lsm
>> >
>> > libbpf: loading object 'lsm' from buffer
>> > libbpf: section(1) .strtab, size 306, link 0, flags 0, type=3
>> > libbpf: skip section(1) .strtab
>> > libbpf: section(2) .text, size 0, link 0, flags 6, type=1
>> > libbpf: skip section(2) .text
>> > libbpf: section(3) lsm/file_mprotect, size 192, link 0, flags 6, type=1
>> > libbpf: found program lsm/file_mprotect
>> > libbpf: section(4) .rellsm/file_mprotect, size 32, link 25, flags 0, type=9
>> > libbpf: section(5) lsm/bprm_committed_creds, size 104, link 0, flags 6,
>> > type=1
>> > libbpf: found program lsm/bprm_committed_creds
>> > libbpf: section(6) .rellsm/bprm_committed_creds, size 32, link 25, flags
>> > 0, type=9
>> > libbpf: section(7) license, size 4, link 0, flags 3, type=1
>> > libbpf: license of lsm is GPL
>> > libbpf: section(8) .bss, size 12, link 0, flags 3, type=8
>> > libbpf: section(9) .debug_loc, size 383, link 0, flags 0, type=1
>> > libbpf: skip section(9) .debug_loc
>> > libbpf: section(10) .rel.debug_loc, size 112, link 25, flags 0, type=9
>> > libbpf: skip relo .rel.debug_loc(10) for section(9)
>> > libbpf: section(11) .debug_abbrev, size 901, link 0, flags 0, type=1
>> > libbpf: skip section(11) .debug_abbrev
>> > libbpf: section(12) .debug_info, size 237441, link 0, flags 0, type=1
>> > libbpf: skip section(12) .debug_info
>> > libbpf: section(13) .rel.debug_info, size 112, link 25, flags 0, type=9
>> > libbpf: skip relo .rel.debug_info(13) for section(12)
>> > libbpf: section(14) .debug_ranges, size 96, link 0, flags 0, type=1
>> > libbpf: skip section(14) .debug_ranges
>> > libbpf: section(15) .rel.debug_ranges, size 128, link 25, flags 0, type=9
>> > libbpf: skip relo .rel.debug_ranges(15) for section(14)
>> > libbpf: section(16) .debug_str, size 142395, link 0, flags 30, type=1
>> > libbpf: skip section(16) .debug_str
>> > libbpf: section(17) .BTF, size 5634, link 0, flags 0, type=1
>> > libbpf: section(18) .rel.BTF, size 64, link 25, flags 0, type=9
>> > libbpf: skip relo .rel.BTF(18) for section(17)
>> > libbpf: section(19) .BTF.ext, size 484, link 0, flags 0, type=1
>> > libbpf: section(20) .rel.BTF.ext, size 416, link 25, flags 0, type=9
>> > libbpf: skip relo .rel.BTF.ext(20) for section(19)
>> > libbpf: section(21) .debug_frame, size 64, link 0, flags 0, type=1
>> > libbpf: skip section(21) .debug_frame
>> > libbpf: section(22) .rel.debug_frame, size 32, link 25, flags 0, type=9
>> > libbpf: skip relo .rel.debug_frame(22) for section(21)
>> > libbpf: section(23) .debug_line, size 227, link 0, flags 0, type=1
>> > libbpf: skip section(23) .debug_line
>> > libbpf: section(24) .rel.debug_line, size 32, link 25, flags 0, type=9
>> > libbpf: skip relo .rel.debug_line(24) for section(23)
>> > libbpf: section(25) .symtab, size 288, link 1, flags 0, type=2
>> > libbpf: looking for externs among 12 symbols...
>> > libbpf: collected 0 externs total
>> > libbpf: map 'lsm.bss' (global data): at sec_idx 8, offset 0, flags 400.
>> > libbpf: map 0 is "lsm.bss"
>> > libbpf: collecting relocating info for: 'lsm/file_mprotect'
>> > libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
>> > ('monitored_pid'), insn 12
>> > libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 12
>> > libbpf: relo for shdr 8, symb 9, value 4, type 1, bind 1, name 34
>> > ('mprotect_count'), insn 17
>> > libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 17
>> > libbpf: collecting relocating info for: 'lsm/bprm_committed_creds'
>> > libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
>> > ('monitored_pid'), insn 1
>> > libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 1
>> > libbpf: relo for shdr 8, symb 7, value 8, type 1, bind 1, name 49
>> > ('bprm_count'), insn 6
>> > libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 6
>> > libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
>> > libbpf: created map lsm.bss: fd=4
>> > libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
>> > libbpf: prog 'lsm/file_mprotect': performing 4 CO-RE offset relocs
>> > libbpf: prog 'lsm/file_mprotect': relo #0: kind 0, spec is [6]
>> > vm_area_struct + 0:6 => 64.0 @ &x[0].vm_mm
>> > libbpf: [6] vm_area_struct: found candidate [329] vm_area_struct
>> > libbpf: prog 'lsm/file_mprotect': relo #0: matching candidate #0
>> > vm_area_struct against spec [329] vm_area_struct + 0:6 => 64.0 @
>> > &x[0].vm_mm: 1
>> > libbpf: prog 'lsm/file_mprotect': relo #0: patched insn #5 (LDX/ST/STX)
>> > off 64 -> 64
>> > libbpf: prog 'lsm/file_mprotect': relo #1: kind 0, spec is [32]
>> > mm_struct + 0:0:35 => 304.0 @ &x[0].start_stack
>> > libbpf: [32] mm_struct: found candidate [308] mm_struct
>> > libbpf: prog 'lsm/file_mprotect': relo #1: matching candidate #0
>> > mm_struct against spec [308] mm_struct + 0:0:35 => 304.0 @
>> > &x[0].start_stack: 1
>> > libbpf: prog 'lsm/file_mprotect': relo #1: patched insn #7 (LDX/ST/STX)
>> > off 304 -> 304
>> > libbpf: prog 'lsm/file_mprotect': relo #2: kind 0, spec is [6]
>> > vm_area_struct + 0:0 => 0.0 @ &x[0].vm_start
>> > libbpf: prog 'lsm/file_mprotect': relo #2: matching candidate #0
>> > vm_area_struct against spec [329] vm_area_struct + 0:0 => 0.0 @
>> > &x[0].vm_start: 1
>> > libbpf: prog 'lsm/file_mprotect': relo #2: patched insn #8 (LDX/ST/STX)
>> > off 0 -> 0
>> > libbpf: prog 'lsm/file_mprotect': relo #3: kind 0, spec is [6]
>> > vm_area_struct + 0:1 => 8.0 @ &x[0].vm_end
>> > libbpf: prog 'lsm/file_mprotect': relo #3: matching candidate #0
>> > vm_area_struct against spec [329] vm_area_struct + 0:1 => 8.0 @
>> > &x[0].vm_end: 1
>> > libbpf: prog 'lsm/file_mprotect': relo #3: patched insn #10 (LDX/ST/STX)
>> > off 8 -> 8
>> > test_test_lsm:PASS:skel_load 0 nsec
>> > test_test_lsm:PASS:attach 0 nsec
>> > test_test_lsm:PASS:exec_cmd 0 nsec
>> > test_test_lsm:FAIL:bprm_count bprm_count = 0
>> > test_test_lsm:FAIL:stack_mprotect want err=EPERM, got 0
>> > #70 test_lsm:FAIL
>> > Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
>> >
>> >
>> > kconfig:
>> >
>> > CONFIG_BPF_LSM=y
>> >
>> > CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>> >
>> > besides:
>> >
>> > when I add bpf to CONFIG_LSM, then boot failed.
>> >
>> > boot error:
>> >
>> > ```
>> >
>> > Cannot determine cgroup we are running in: No data available
>> > Failed to allocate manager object: No data available
>> > [!!!!!!] Failed to allocate manager object, freezing.
>> > Freezing execution.
>> >
>> > ```
>> >
>> > seems bpf in CONFIG_LSM and CONFIG_BPF_LSM conflict.
>> >
>> >
>> > clang version: v11.0.0
>> >
>> > commit: 54b35c066417d4856e9d53313f7e98b354274584
>> >
>> > # pahole --version
>> > v1.17
>> >
>>
>> It might be due to bug in default return value of one of the
>> functions, which KP recently fixed. But just to be sure, KP, could you
>> please take a look?
>>
>> >
>> > --
>> > Best Regards.
>> > Ma Xinjian
>> >
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3
2020-05-07 16:24 ` KP Singh
@ 2020-05-09 7:41 ` Ma Xinjian
2020-05-09 9:26 ` KP Singh
0 siblings, 1 reply; 8+ messages in thread
From: Ma Xinjian @ 2020-05-09 7:41 UTC (permalink / raw)
To: KP Singh, Andrii Nakryiko; +Cc: bpf
On 5/8/20 12:24 AM, KP Singh wrote:
> Adding the list back after an HTML/text mess up.
>
> On Thu, May 7, 2020 at 6:23 PM KP Singh <kpsingh@google.com> wrote:
>> Can you check if you have the following fix:
>>
>> https://lore.kernel.org/bpf/20200430155240.68748-1-kpsingh@chromium.org/
>>
>> The test fails because the "bpf" is not in the LSM string which means the file_mprotect hook does not return a -EPERM error.
>>
>> - KP
I have rebuilt kernel with this fix.
root@lkp-skl-d01 ~# grep "ENOPARAM"
/usr/src/perf_selftests-x86_64-rhel-7.6-kselftests-bpf-lsm-2-79dede78c0573618e3137d3d8cbf78c84e25fabd/include/linux/lsm_hook_defs.h
LSM_HOOK(int, -ENOPARAM, fs_context_parse_param, struct fs_context *fc,
But still the same issue, and error message are exactly the same.
Anything else I can check in my env?
Ma
>>
>> On Thu, May 7, 2020 at 6:16 PM Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
>>> On Wed, May 6, 2020 at 10:21 PM Ma Xinjian <max.xinjian@intel.com> wrote:
>>>> Hi,
>>>>
>>>> When I test bpf lsm with (/test_progs -vv -t test_lsm ), failed with
>>>> below issue:
>>>>
>>>> root@lkp-skl-d01
>>>> /usr/src/perf_selftests-x86_64-rhel-7.6-kselftests-bpf-lsm-2-6a8b55ed4056ea5559ebe4f6a4b247f627870d4c/tools/testing/selftests/bpf#
>>>> ./test_progs -vv -t test_lsm
>>>>
>>>> libbpf: loading object 'lsm' from buffer
>>>> libbpf: section(1) .strtab, size 306, link 0, flags 0, type=3
>>>> libbpf: skip section(1) .strtab
>>>> libbpf: section(2) .text, size 0, link 0, flags 6, type=1
>>>> libbpf: skip section(2) .text
>>>> libbpf: section(3) lsm/file_mprotect, size 192, link 0, flags 6, type=1
>>>> libbpf: found program lsm/file_mprotect
>>>> libbpf: section(4) .rellsm/file_mprotect, size 32, link 25, flags 0, type=9
>>>> libbpf: section(5) lsm/bprm_committed_creds, size 104, link 0, flags 6,
>>>> type=1
>>>> libbpf: found program lsm/bprm_committed_creds
>>>> libbpf: section(6) .rellsm/bprm_committed_creds, size 32, link 25, flags
>>>> 0, type=9
>>>> libbpf: section(7) license, size 4, link 0, flags 3, type=1
>>>> libbpf: license of lsm is GPL
>>>> libbpf: section(8) .bss, size 12, link 0, flags 3, type=8
>>>> libbpf: section(9) .debug_loc, size 383, link 0, flags 0, type=1
>>>> libbpf: skip section(9) .debug_loc
>>>> libbpf: section(10) .rel.debug_loc, size 112, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_loc(10) for section(9)
>>>> libbpf: section(11) .debug_abbrev, size 901, link 0, flags 0, type=1
>>>> libbpf: skip section(11) .debug_abbrev
>>>> libbpf: section(12) .debug_info, size 237441, link 0, flags 0, type=1
>>>> libbpf: skip section(12) .debug_info
>>>> libbpf: section(13) .rel.debug_info, size 112, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_info(13) for section(12)
>>>> libbpf: section(14) .debug_ranges, size 96, link 0, flags 0, type=1
>>>> libbpf: skip section(14) .debug_ranges
>>>> libbpf: section(15) .rel.debug_ranges, size 128, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_ranges(15) for section(14)
>>>> libbpf: section(16) .debug_str, size 142395, link 0, flags 30, type=1
>>>> libbpf: skip section(16) .debug_str
>>>> libbpf: section(17) .BTF, size 5634, link 0, flags 0, type=1
>>>> libbpf: section(18) .rel.BTF, size 64, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.BTF(18) for section(17)
>>>> libbpf: section(19) .BTF.ext, size 484, link 0, flags 0, type=1
>>>> libbpf: section(20) .rel.BTF.ext, size 416, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.BTF.ext(20) for section(19)
>>>> libbpf: section(21) .debug_frame, size 64, link 0, flags 0, type=1
>>>> libbpf: skip section(21) .debug_frame
>>>> libbpf: section(22) .rel.debug_frame, size 32, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_frame(22) for section(21)
>>>> libbpf: section(23) .debug_line, size 227, link 0, flags 0, type=1
>>>> libbpf: skip section(23) .debug_line
>>>> libbpf: section(24) .rel.debug_line, size 32, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_line(24) for section(23)
>>>> libbpf: section(25) .symtab, size 288, link 1, flags 0, type=2
>>>> libbpf: looking for externs among 12 symbols...
>>>> libbpf: collected 0 externs total
>>>> libbpf: map 'lsm.bss' (global data): at sec_idx 8, offset 0, flags 400.
>>>> libbpf: map 0 is "lsm.bss"
>>>> libbpf: collecting relocating info for: 'lsm/file_mprotect'
>>>> libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
>>>> ('monitored_pid'), insn 12
>>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 12
>>>> libbpf: relo for shdr 8, symb 9, value 4, type 1, bind 1, name 34
>>>> ('mprotect_count'), insn 17
>>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 17
>>>> libbpf: collecting relocating info for: 'lsm/bprm_committed_creds'
>>>> libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
>>>> ('monitored_pid'), insn 1
>>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 1
>>>> libbpf: relo for shdr 8, symb 7, value 8, type 1, bind 1, name 49
>>>> ('bprm_count'), insn 6
>>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 6
>>>> libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
>>>> libbpf: created map lsm.bss: fd=4
>>>> libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
>>>> libbpf: prog 'lsm/file_mprotect': performing 4 CO-RE offset relocs
>>>> libbpf: prog 'lsm/file_mprotect': relo #0: kind 0, spec is [6]
>>>> vm_area_struct + 0:6 => 64.0 @ &x[0].vm_mm
>>>> libbpf: [6] vm_area_struct: found candidate [329] vm_area_struct
>>>> libbpf: prog 'lsm/file_mprotect': relo #0: matching candidate #0
>>>> vm_area_struct against spec [329] vm_area_struct + 0:6 => 64.0 @
>>>> &x[0].vm_mm: 1
>>>> libbpf: prog 'lsm/file_mprotect': relo #0: patched insn #5 (LDX/ST/STX)
>>>> off 64 -> 64
>>>> libbpf: prog 'lsm/file_mprotect': relo #1: kind 0, spec is [32]
>>>> mm_struct + 0:0:35 => 304.0 @ &x[0].start_stack
>>>> libbpf: [32] mm_struct: found candidate [308] mm_struct
>>>> libbpf: prog 'lsm/file_mprotect': relo #1: matching candidate #0
>>>> mm_struct against spec [308] mm_struct + 0:0:35 => 304.0 @
>>>> &x[0].start_stack: 1
>>>> libbpf: prog 'lsm/file_mprotect': relo #1: patched insn #7 (LDX/ST/STX)
>>>> off 304 -> 304
>>>> libbpf: prog 'lsm/file_mprotect': relo #2: kind 0, spec is [6]
>>>> vm_area_struct + 0:0 => 0.0 @ &x[0].vm_start
>>>> libbpf: prog 'lsm/file_mprotect': relo #2: matching candidate #0
>>>> vm_area_struct against spec [329] vm_area_struct + 0:0 => 0.0 @
>>>> &x[0].vm_start: 1
>>>> libbpf: prog 'lsm/file_mprotect': relo #2: patched insn #8 (LDX/ST/STX)
>>>> off 0 -> 0
>>>> libbpf: prog 'lsm/file_mprotect': relo #3: kind 0, spec is [6]
>>>> vm_area_struct + 0:1 => 8.0 @ &x[0].vm_end
>>>> libbpf: prog 'lsm/file_mprotect': relo #3: matching candidate #0
>>>> vm_area_struct against spec [329] vm_area_struct + 0:1 => 8.0 @
>>>> &x[0].vm_end: 1
>>>> libbpf: prog 'lsm/file_mprotect': relo #3: patched insn #10 (LDX/ST/STX)
>>>> off 8 -> 8
>>>> test_test_lsm:PASS:skel_load 0 nsec
>>>> test_test_lsm:PASS:attach 0 nsec
>>>> test_test_lsm:PASS:exec_cmd 0 nsec
>>>> test_test_lsm:FAIL:bprm_count bprm_count = 0
>>>> test_test_lsm:FAIL:stack_mprotect want err=EPERM, got 0
>>>> #70 test_lsm:FAIL
>>>> Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
>>>>
>>>>
>>>> kconfig:
>>>>
>>>> CONFIG_BPF_LSM=y
>>>>
>>>> CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>>>>
>>>> besides:
>>>>
>>>> when I add bpf to CONFIG_LSM, then boot failed.
>>>>
>>>> boot error:
>>>>
>>>> ```
>>>>
>>>> Cannot determine cgroup we are running in: No data available
>>>> Failed to allocate manager object: No data available
>>>> [!!!!!!] Failed to allocate manager object, freezing.
>>>> Freezing execution.
>>>>
>>>> ```
>>>>
>>>> seems bpf in CONFIG_LSM and CONFIG_BPF_LSM conflict.
>>>>
>>>>
>>>> clang version: v11.0.0
>>>>
>>>> commit: 54b35c066417d4856e9d53313f7e98b354274584
>>>>
>>>> # pahole --version
>>>> v1.17
>>>>
>>> It might be due to bug in default return value of one of the
>>> functions, which KP recently fixed. But just to be sure, KP, could you
>>> please take a look?
>>>
>>>> --
>>>> Best Regards.
>>>> Ma Xinjian
>>>>
--
Best Regards.
Ma Xinjian
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3
2020-05-09 7:41 ` Ma Xinjian
@ 2020-05-09 9:26 ` KP Singh
2020-05-09 9:42 ` KP Singh
[not found] ` <b3991caf-9e04-b6f4-aee5-86191a0fc3df@intel.com>
0 siblings, 2 replies; 8+ messages in thread
From: KP Singh @ 2020-05-09 9:26 UTC (permalink / raw)
To: Ma Xinjian; +Cc: Andrii Nakryiko, bpf
Do you have bpf in your CONFIG_LSM string?
Also, can you share your Kconfig please?
On Sat, May 9, 2020 at 9:42 AM Ma Xinjian <max.xinjian@intel.com> wrote:
>
>
> On 5/8/20 12:24 AM, KP Singh wrote:
> > Adding the list back after an HTML/text mess up.
> >
> > On Thu, May 7, 2020 at 6:23 PM KP Singh <kpsingh@google.com> wrote:
> >> Can you check if you have the following fix:
> >>
> >> https://lore.kernel.org/bpf/20200430155240.68748-1-kpsingh@chromium.org/
> >>
> >> The test fails because the "bpf" is not in the LSM string which means the file_mprotect hook does not return a -EPERM error.
> >>
> >> - KP
>
> I have rebuilt kernel with this fix.
>
> root@lkp-skl-d01 ~# grep "ENOPARAM"
> /usr/src/perf_selftests-x86_64-rhel-7.6-kselftests-bpf-lsm-2-79dede78c0573618e3137d3d8cbf78c84e25fabd/include/linux/lsm_hook_defs.h
> LSM_HOOK(int, -ENOPARAM, fs_context_parse_param, struct fs_context *fc,
>
> But still the same issue, and error message are exactly the same.
>
> Anything else I can check in my env?
>
>
> Ma
>
> >>
> >> On Thu, May 7, 2020 at 6:16 PM Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
> >>> On Wed, May 6, 2020 at 10:21 PM Ma Xinjian <max.xinjian@intel.com> wrote:
> >>>> Hi,
> >>>>
> >>>> When I test bpf lsm with (/test_progs -vv -t test_lsm ), failed with
> >>>> below issue:
> >>>>
> >>>> root@lkp-skl-d01
> >>>> /usr/src/perf_selftests-x86_64-rhel-7.6-kselftests-bpf-lsm-2-6a8b55ed4056ea5559ebe4f6a4b247f627870d4c/tools/testing/selftests/bpf#
> >>>> ./test_progs -vv -t test_lsm
> >>>>
> >>>> libbpf: loading object 'lsm' from buffer
> >>>> libbpf: section(1) .strtab, size 306, link 0, flags 0, type=3
> >>>> libbpf: skip section(1) .strtab
> >>>> libbpf: section(2) .text, size 0, link 0, flags 6, type=1
> >>>> libbpf: skip section(2) .text
> >>>> libbpf: section(3) lsm/file_mprotect, size 192, link 0, flags 6, type=1
> >>>> libbpf: found program lsm/file_mprotect
> >>>> libbpf: section(4) .rellsm/file_mprotect, size 32, link 25, flags 0, type=9
> >>>> libbpf: section(5) lsm/bprm_committed_creds, size 104, link 0, flags 6,
> >>>> type=1
> >>>> libbpf: found program lsm/bprm_committed_creds
> >>>> libbpf: section(6) .rellsm/bprm_committed_creds, size 32, link 25, flags
> >>>> 0, type=9
> >>>> libbpf: section(7) license, size 4, link 0, flags 3, type=1
> >>>> libbpf: license of lsm is GPL
> >>>> libbpf: section(8) .bss, size 12, link 0, flags 3, type=8
> >>>> libbpf: section(9) .debug_loc, size 383, link 0, flags 0, type=1
> >>>> libbpf: skip section(9) .debug_loc
> >>>> libbpf: section(10) .rel.debug_loc, size 112, link 25, flags 0, type=9
> >>>> libbpf: skip relo .rel.debug_loc(10) for section(9)
> >>>> libbpf: section(11) .debug_abbrev, size 901, link 0, flags 0, type=1
> >>>> libbpf: skip section(11) .debug_abbrev
> >>>> libbpf: section(12) .debug_info, size 237441, link 0, flags 0, type=1
> >>>> libbpf: skip section(12) .debug_info
> >>>> libbpf: section(13) .rel.debug_info, size 112, link 25, flags 0, type=9
> >>>> libbpf: skip relo .rel.debug_info(13) for section(12)
> >>>> libbpf: section(14) .debug_ranges, size 96, link 0, flags 0, type=1
> >>>> libbpf: skip section(14) .debug_ranges
> >>>> libbpf: section(15) .rel.debug_ranges, size 128, link 25, flags 0, type=9
> >>>> libbpf: skip relo .rel.debug_ranges(15) for section(14)
> >>>> libbpf: section(16) .debug_str, size 142395, link 0, flags 30, type=1
> >>>> libbpf: skip section(16) .debug_str
> >>>> libbpf: section(17) .BTF, size 5634, link 0, flags 0, type=1
> >>>> libbpf: section(18) .rel.BTF, size 64, link 25, flags 0, type=9
> >>>> libbpf: skip relo .rel.BTF(18) for section(17)
> >>>> libbpf: section(19) .BTF.ext, size 484, link 0, flags 0, type=1
> >>>> libbpf: section(20) .rel.BTF.ext, size 416, link 25, flags 0, type=9
> >>>> libbpf: skip relo .rel.BTF.ext(20) for section(19)
> >>>> libbpf: section(21) .debug_frame, size 64, link 0, flags 0, type=1
> >>>> libbpf: skip section(21) .debug_frame
> >>>> libbpf: section(22) .rel.debug_frame, size 32, link 25, flags 0, type=9
> >>>> libbpf: skip relo .rel.debug_frame(22) for section(21)
> >>>> libbpf: section(23) .debug_line, size 227, link 0, flags 0, type=1
> >>>> libbpf: skip section(23) .debug_line
> >>>> libbpf: section(24) .rel.debug_line, size 32, link 25, flags 0, type=9
> >>>> libbpf: skip relo .rel.debug_line(24) for section(23)
> >>>> libbpf: section(25) .symtab, size 288, link 1, flags 0, type=2
> >>>> libbpf: looking for externs among 12 symbols...
> >>>> libbpf: collected 0 externs total
> >>>> libbpf: map 'lsm.bss' (global data): at sec_idx 8, offset 0, flags 400.
> >>>> libbpf: map 0 is "lsm.bss"
> >>>> libbpf: collecting relocating info for: 'lsm/file_mprotect'
> >>>> libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
> >>>> ('monitored_pid'), insn 12
> >>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 12
> >>>> libbpf: relo for shdr 8, symb 9, value 4, type 1, bind 1, name 34
> >>>> ('mprotect_count'), insn 17
> >>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 17
> >>>> libbpf: collecting relocating info for: 'lsm/bprm_committed_creds'
> >>>> libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
> >>>> ('monitored_pid'), insn 1
> >>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 1
> >>>> libbpf: relo for shdr 8, symb 7, value 8, type 1, bind 1, name 49
> >>>> ('bprm_count'), insn 6
> >>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 6
> >>>> libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
> >>>> libbpf: created map lsm.bss: fd=4
> >>>> libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
> >>>> libbpf: prog 'lsm/file_mprotect': performing 4 CO-RE offset relocs
> >>>> libbpf: prog 'lsm/file_mprotect': relo #0: kind 0, spec is [6]
> >>>> vm_area_struct + 0:6 => 64.0 @ &x[0].vm_mm
> >>>> libbpf: [6] vm_area_struct: found candidate [329] vm_area_struct
> >>>> libbpf: prog 'lsm/file_mprotect': relo #0: matching candidate #0
> >>>> vm_area_struct against spec [329] vm_area_struct + 0:6 => 64.0 @
> >>>> &x[0].vm_mm: 1
> >>>> libbpf: prog 'lsm/file_mprotect': relo #0: patched insn #5 (LDX/ST/STX)
> >>>> off 64 -> 64
> >>>> libbpf: prog 'lsm/file_mprotect': relo #1: kind 0, spec is [32]
> >>>> mm_struct + 0:0:35 => 304.0 @ &x[0].start_stack
> >>>> libbpf: [32] mm_struct: found candidate [308] mm_struct
> >>>> libbpf: prog 'lsm/file_mprotect': relo #1: matching candidate #0
> >>>> mm_struct against spec [308] mm_struct + 0:0:35 => 304.0 @
> >>>> &x[0].start_stack: 1
> >>>> libbpf: prog 'lsm/file_mprotect': relo #1: patched insn #7 (LDX/ST/STX)
> >>>> off 304 -> 304
> >>>> libbpf: prog 'lsm/file_mprotect': relo #2: kind 0, spec is [6]
> >>>> vm_area_struct + 0:0 => 0.0 @ &x[0].vm_start
> >>>> libbpf: prog 'lsm/file_mprotect': relo #2: matching candidate #0
> >>>> vm_area_struct against spec [329] vm_area_struct + 0:0 => 0.0 @
> >>>> &x[0].vm_start: 1
> >>>> libbpf: prog 'lsm/file_mprotect': relo #2: patched insn #8 (LDX/ST/STX)
> >>>> off 0 -> 0
> >>>> libbpf: prog 'lsm/file_mprotect': relo #3: kind 0, spec is [6]
> >>>> vm_area_struct + 0:1 => 8.0 @ &x[0].vm_end
> >>>> libbpf: prog 'lsm/file_mprotect': relo #3: matching candidate #0
> >>>> vm_area_struct against spec [329] vm_area_struct + 0:1 => 8.0 @
> >>>> &x[0].vm_end: 1
> >>>> libbpf: prog 'lsm/file_mprotect': relo #3: patched insn #10 (LDX/ST/STX)
> >>>> off 8 -> 8
> >>>> test_test_lsm:PASS:skel_load 0 nsec
> >>>> test_test_lsm:PASS:attach 0 nsec
> >>>> test_test_lsm:PASS:exec_cmd 0 nsec
> >>>> test_test_lsm:FAIL:bprm_count bprm_count = 0
> >>>> test_test_lsm:FAIL:stack_mprotect want err=EPERM, got 0
> >>>> #70 test_lsm:FAIL
> >>>> Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
> >>>>
> >>>>
> >>>> kconfig:
> >>>>
> >>>> CONFIG_BPF_LSM=y
> >>>>
> >>>> CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
> >>>>
> >>>> besides:
> >>>>
> >>>> when I add bpf to CONFIG_LSM, then boot failed.
> >>>>
> >>>> boot error:
> >>>>
> >>>> ```
> >>>>
> >>>> Cannot determine cgroup we are running in: No data available
> >>>> Failed to allocate manager object: No data available
> >>>> [!!!!!!] Failed to allocate manager object, freezing.
> >>>> Freezing execution.
> >>>>
> >>>> ```
> >>>>
> >>>> seems bpf in CONFIG_LSM and CONFIG_BPF_LSM conflict.
> >>>>
> >>>>
> >>>> clang version: v11.0.0
> >>>>
> >>>> commit: 54b35c066417d4856e9d53313f7e98b354274584
> >>>>
> >>>> # pahole --version
> >>>> v1.17
> >>>>
> >>> It might be due to bug in default return value of one of the
> >>> functions, which KP recently fixed. But just to be sure, KP, could you
> >>> please take a look?
> >>>
> >>>> --
> >>>> Best Regards.
> >>>> Ma Xinjian
> >>>>
> --
> Best Regards.
> Ma Xinjian
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3
2020-05-09 9:26 ` KP Singh
@ 2020-05-09 9:42 ` KP Singh
[not found] ` <b3991caf-9e04-b6f4-aee5-86191a0fc3df@intel.com>
1 sibling, 0 replies; 8+ messages in thread
From: KP Singh @ 2020-05-09 9:42 UTC (permalink / raw)
To: Ma Xinjian; +Cc: Andrii Nakryiko, bpf
Also, I would appreciate it if you can share some details / steps for
reproducing this error and your environment (is it a physical machine?
VM etc?)
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3
[not found] ` <b3991caf-9e04-b6f4-aee5-86191a0fc3df@intel.com>
@ 2020-05-09 13:28 ` KP Singh
2020-05-13 5:55 ` Ma Xinjian
0 siblings, 1 reply; 8+ messages in thread
From: KP Singh @ 2020-05-09 13:28 UTC (permalink / raw)
To: Ma Xinjian; +Cc: Andrii Nakryiko, bpf
On Sat, May 9, 2020 at 11:59 AM Ma Xinjian <max.xinjian@intel.com> wrote:
>
>
> On 5/9/20 5:26 PM, KP Singh wrote:
> > Do you have bpf in your CONFIG_LSM string?
>
> That's the point!
>
> I remove bpf from since I can't boot if bpf in it.
That does indicate a problem which needs to be fixed.
> seems bpf in CONFIG_LSM conflict with CONFIG_BPF_LSM
>
> Here is boot error:
>
> "Cannot determine cgroup we are running in: No data available
> Failed to allocate manager object: No data available
> [!!!!!!] Failed to allocate manager object, freezing.
I found some references to these error messages and they seem
to be coming from systemd but I am not sure.
https://github.com/lxc/lxc/issues/1669
https://github.com/containers/libpod/issues/1226
> Freezing execution.
> [ 35.773797] random: fast init done
> [ 130.560629] random: crng init done"
>
> > Also, can you share your Kconfig please?
>
> refer to attackment.
>
> I doubt sth was wrong with my kconfig, maybe me some suggestion
I am not saying something is wrong with your Kconfig :)
I just want to make sure we eliminate as many
variables as possible.
I was able to boot this successfully using QEMU
(after I enabled SCSI and VIRTIO). So it's likely
dependent on some user-space configuration
(again, I am not saying your config is wrong). But
I will need more information to reproduce and debug this.
Can you try providing a reliable reproduction with a list
of steps? e.g.
1. Download the vanilla image here.
2. Compile the kernel with defonconfig and kvmconfig
(or your own config)
3. Boot the kernel in QEMU with the cmdline (...) and the
QEMU args (...)
Thanks!
- KP
>
> Besides, I tested on both physical machine and vm
[...]
> >
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3
2020-05-09 13:28 ` KP Singh
@ 2020-05-13 5:55 ` Ma Xinjian
0 siblings, 0 replies; 8+ messages in thread
From: Ma Xinjian @ 2020-05-13 5:55 UTC (permalink / raw)
To: KP Singh; +Cc: Andrii Nakryiko, bpf
On 5/9/20 9:28 PM, KP Singh wrote:
> On Sat, May 9, 2020 at 11:59 AM Ma Xinjian <max.xinjian@intel.com> wrote:
>>
>> On 5/9/20 5:26 PM, KP Singh wrote:
>>> Do you have bpf in your CONFIG_LSM string?
>> That's the point!
>>
>> I remove bpf from since I can't boot if bpf in it.
> That does indicate a problem which needs to be fixed.
>
>> seems bpf in CONFIG_LSM conflict with CONFIG_BPF_LSM
>>
>> Here is boot error:
>>
>> "Cannot determine cgroup we are running in: No data available
>> Failed to allocate manager object: No data available
>> [!!!!!!] Failed to allocate manager object, freezing.
> I found some references to these error messages and they seem
> to be coming from systemd but I am not sure.
>
> https://github.com/lxc/lxc/issues/1669
> https://github.com/containers/libpod/issues/1226
>
>> Freezing execution.
>> [ 35.773797] random: fast init done
>> [ 130.560629] random: crng init done"
>>
>>> Also, can you share your Kconfig please?
>> refer to attackment.
>>
>> I doubt sth was wrong with my kconfig, maybe me some suggestion
> I am not saying something is wrong with your Kconfig :)
> I just want to make sure we eliminate as many
> variables as possible.
>
> I was able to boot this successfully using QEMU
> (after I enabled SCSI and VIRTIO). So it's likely
> dependent on some user-space configuration
> (again, I am not saying your config is wrong). But
> I will need more information to reproduce and debug this.
>
> Can you try providing a reliable reproduction with a list
> of steps? e.g.
>
> 1. Download the vanilla image here.
> 2. Compile the kernel with defonconfig and kvmconfig
> (or your own config)
> 3. Boot the kernel in QEMU with the cmdline (...) and the
> QEMU args (...)
>
> Thanks!
> - KP
Thank you very much for your kind and quick reply.
I tested on LKP cluster of Intel. Everything works automatically.
https://github.com/intel/lkp-tests
---------------------
And I have found the cause.
It can't boot due to comfliction between cgroup configuration for
CONFIG_BPF_LSM
and systemd.
similar to https://github.com/elogind/elogind/issues/18
we have decided to skip this test.
Thanks again.
- Ma
>
>> Besides, I tested on both physical machine and vm
> [...]
>
--
Best Regards.
Ma Xinjian
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-05-13 6:06 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-07 5:19 bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3 Ma Xinjian
2020-05-07 16:16 ` Andrii Nakryiko
[not found] ` <CAFLU3KuU6zFs7+xQ-=vy9WEx-4U=cTSW9VXNMyxRdwY3LHc9HA@mail.gmail.com>
2020-05-07 16:24 ` KP Singh
2020-05-09 7:41 ` Ma Xinjian
2020-05-09 9:26 ` KP Singh
2020-05-09 9:42 ` KP Singh
[not found] ` <b3991caf-9e04-b6f4-aee5-86191a0fc3df@intel.com>
2020-05-09 13:28 ` KP Singh
2020-05-13 5:55 ` Ma Xinjian
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.