From: Ma Xinjian <max.xinjian@intel.com>
To: KP Singh <kpsingh@google.com>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: "bpf@vger.kernel.org" <bpf@vger.kernel.org>
Subject: Re: bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3
Date: Sat, 9 May 2020 15:41:22 +0800 [thread overview]
Message-ID: <65526c26-c94b-d5dd-7143-b1af7071dbf9@intel.com> (raw)
In-Reply-To: <CAFLU3KuUm_1HBjyQdypuWCa4soKwXF7zEic-4=e4pvTBbuwd+A@mail.gmail.com>
On 5/8/20 12:24 AM, KP Singh wrote:
> Adding the list back after an HTML/text mess up.
>
> On Thu, May 7, 2020 at 6:23 PM KP Singh <kpsingh@google.com> wrote:
>> Can you check if you have the following fix:
>>
>> https://lore.kernel.org/bpf/20200430155240.68748-1-kpsingh@chromium.org/
>>
>> The test fails because the "bpf" is not in the LSM string which means the file_mprotect hook does not return a -EPERM error.
>>
>> - KP
I have rebuilt kernel with this fix.
root@lkp-skl-d01 ~# grep "ENOPARAM"
/usr/src/perf_selftests-x86_64-rhel-7.6-kselftests-bpf-lsm-2-79dede78c0573618e3137d3d8cbf78c84e25fabd/include/linux/lsm_hook_defs.h
LSM_HOOK(int, -ENOPARAM, fs_context_parse_param, struct fs_context *fc,
But still the same issue, and error message are exactly the same.
Anything else I can check in my env?
Ma
>>
>> On Thu, May 7, 2020 at 6:16 PM Andrii Nakryiko <andrii.nakryiko@gmail.com> wrote:
>>> On Wed, May 6, 2020 at 10:21 PM Ma Xinjian <max.xinjian@intel.com> wrote:
>>>> Hi,
>>>>
>>>> When I test bpf lsm with (/test_progs -vv -t test_lsm ), failed with
>>>> below issue:
>>>>
>>>> root@lkp-skl-d01
>>>> /usr/src/perf_selftests-x86_64-rhel-7.6-kselftests-bpf-lsm-2-6a8b55ed4056ea5559ebe4f6a4b247f627870d4c/tools/testing/selftests/bpf#
>>>> ./test_progs -vv -t test_lsm
>>>>
>>>> libbpf: loading object 'lsm' from buffer
>>>> libbpf: section(1) .strtab, size 306, link 0, flags 0, type=3
>>>> libbpf: skip section(1) .strtab
>>>> libbpf: section(2) .text, size 0, link 0, flags 6, type=1
>>>> libbpf: skip section(2) .text
>>>> libbpf: section(3) lsm/file_mprotect, size 192, link 0, flags 6, type=1
>>>> libbpf: found program lsm/file_mprotect
>>>> libbpf: section(4) .rellsm/file_mprotect, size 32, link 25, flags 0, type=9
>>>> libbpf: section(5) lsm/bprm_committed_creds, size 104, link 0, flags 6,
>>>> type=1
>>>> libbpf: found program lsm/bprm_committed_creds
>>>> libbpf: section(6) .rellsm/bprm_committed_creds, size 32, link 25, flags
>>>> 0, type=9
>>>> libbpf: section(7) license, size 4, link 0, flags 3, type=1
>>>> libbpf: license of lsm is GPL
>>>> libbpf: section(8) .bss, size 12, link 0, flags 3, type=8
>>>> libbpf: section(9) .debug_loc, size 383, link 0, flags 0, type=1
>>>> libbpf: skip section(9) .debug_loc
>>>> libbpf: section(10) .rel.debug_loc, size 112, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_loc(10) for section(9)
>>>> libbpf: section(11) .debug_abbrev, size 901, link 0, flags 0, type=1
>>>> libbpf: skip section(11) .debug_abbrev
>>>> libbpf: section(12) .debug_info, size 237441, link 0, flags 0, type=1
>>>> libbpf: skip section(12) .debug_info
>>>> libbpf: section(13) .rel.debug_info, size 112, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_info(13) for section(12)
>>>> libbpf: section(14) .debug_ranges, size 96, link 0, flags 0, type=1
>>>> libbpf: skip section(14) .debug_ranges
>>>> libbpf: section(15) .rel.debug_ranges, size 128, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_ranges(15) for section(14)
>>>> libbpf: section(16) .debug_str, size 142395, link 0, flags 30, type=1
>>>> libbpf: skip section(16) .debug_str
>>>> libbpf: section(17) .BTF, size 5634, link 0, flags 0, type=1
>>>> libbpf: section(18) .rel.BTF, size 64, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.BTF(18) for section(17)
>>>> libbpf: section(19) .BTF.ext, size 484, link 0, flags 0, type=1
>>>> libbpf: section(20) .rel.BTF.ext, size 416, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.BTF.ext(20) for section(19)
>>>> libbpf: section(21) .debug_frame, size 64, link 0, flags 0, type=1
>>>> libbpf: skip section(21) .debug_frame
>>>> libbpf: section(22) .rel.debug_frame, size 32, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_frame(22) for section(21)
>>>> libbpf: section(23) .debug_line, size 227, link 0, flags 0, type=1
>>>> libbpf: skip section(23) .debug_line
>>>> libbpf: section(24) .rel.debug_line, size 32, link 25, flags 0, type=9
>>>> libbpf: skip relo .rel.debug_line(24) for section(23)
>>>> libbpf: section(25) .symtab, size 288, link 1, flags 0, type=2
>>>> libbpf: looking for externs among 12 symbols...
>>>> libbpf: collected 0 externs total
>>>> libbpf: map 'lsm.bss' (global data): at sec_idx 8, offset 0, flags 400.
>>>> libbpf: map 0 is "lsm.bss"
>>>> libbpf: collecting relocating info for: 'lsm/file_mprotect'
>>>> libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
>>>> ('monitored_pid'), insn 12
>>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 12
>>>> libbpf: relo for shdr 8, symb 9, value 4, type 1, bind 1, name 34
>>>> ('mprotect_count'), insn 17
>>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 17
>>>> libbpf: collecting relocating info for: 'lsm/bprm_committed_creds'
>>>> libbpf: relo for shdr 8, symb 8, value 0, type 1, bind 1, name 232
>>>> ('monitored_pid'), insn 1
>>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 1
>>>> libbpf: relo for shdr 8, symb 7, value 8, type 1, bind 1, name 49
>>>> ('bprm_count'), insn 6
>>>> libbpf: found data map 0 (lsm.bss, sec 8, off 0) for insn 6
>>>> libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
>>>> libbpf: created map lsm.bss: fd=4
>>>> libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
>>>> libbpf: prog 'lsm/file_mprotect': performing 4 CO-RE offset relocs
>>>> libbpf: prog 'lsm/file_mprotect': relo #0: kind 0, spec is [6]
>>>> vm_area_struct + 0:6 => 64.0 @ &x[0].vm_mm
>>>> libbpf: [6] vm_area_struct: found candidate [329] vm_area_struct
>>>> libbpf: prog 'lsm/file_mprotect': relo #0: matching candidate #0
>>>> vm_area_struct against spec [329] vm_area_struct + 0:6 => 64.0 @
>>>> &x[0].vm_mm: 1
>>>> libbpf: prog 'lsm/file_mprotect': relo #0: patched insn #5 (LDX/ST/STX)
>>>> off 64 -> 64
>>>> libbpf: prog 'lsm/file_mprotect': relo #1: kind 0, spec is [32]
>>>> mm_struct + 0:0:35 => 304.0 @ &x[0].start_stack
>>>> libbpf: [32] mm_struct: found candidate [308] mm_struct
>>>> libbpf: prog 'lsm/file_mprotect': relo #1: matching candidate #0
>>>> mm_struct against spec [308] mm_struct + 0:0:35 => 304.0 @
>>>> &x[0].start_stack: 1
>>>> libbpf: prog 'lsm/file_mprotect': relo #1: patched insn #7 (LDX/ST/STX)
>>>> off 304 -> 304
>>>> libbpf: prog 'lsm/file_mprotect': relo #2: kind 0, spec is [6]
>>>> vm_area_struct + 0:0 => 0.0 @ &x[0].vm_start
>>>> libbpf: prog 'lsm/file_mprotect': relo #2: matching candidate #0
>>>> vm_area_struct against spec [329] vm_area_struct + 0:0 => 0.0 @
>>>> &x[0].vm_start: 1
>>>> libbpf: prog 'lsm/file_mprotect': relo #2: patched insn #8 (LDX/ST/STX)
>>>> off 0 -> 0
>>>> libbpf: prog 'lsm/file_mprotect': relo #3: kind 0, spec is [6]
>>>> vm_area_struct + 0:1 => 8.0 @ &x[0].vm_end
>>>> libbpf: prog 'lsm/file_mprotect': relo #3: matching candidate #0
>>>> vm_area_struct against spec [329] vm_area_struct + 0:1 => 8.0 @
>>>> &x[0].vm_end: 1
>>>> libbpf: prog 'lsm/file_mprotect': relo #3: patched insn #10 (LDX/ST/STX)
>>>> off 8 -> 8
>>>> test_test_lsm:PASS:skel_load 0 nsec
>>>> test_test_lsm:PASS:attach 0 nsec
>>>> test_test_lsm:PASS:exec_cmd 0 nsec
>>>> test_test_lsm:FAIL:bprm_count bprm_count = 0
>>>> test_test_lsm:FAIL:stack_mprotect want err=EPERM, got 0
>>>> #70 test_lsm:FAIL
>>>> Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED
>>>>
>>>>
>>>> kconfig:
>>>>
>>>> CONFIG_BPF_LSM=y
>>>>
>>>> CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>>>>
>>>> besides:
>>>>
>>>> when I add bpf to CONFIG_LSM, then boot failed.
>>>>
>>>> boot error:
>>>>
>>>> ```
>>>>
>>>> Cannot determine cgroup we are running in: No data available
>>>> Failed to allocate manager object: No data available
>>>> [!!!!!!] Failed to allocate manager object, freezing.
>>>> Freezing execution.
>>>>
>>>> ```
>>>>
>>>> seems bpf in CONFIG_LSM and CONFIG_BPF_LSM conflict.
>>>>
>>>>
>>>> clang version: v11.0.0
>>>>
>>>> commit: 54b35c066417d4856e9d53313f7e98b354274584
>>>>
>>>> # pahole --version
>>>> v1.17
>>>>
>>> It might be due to bug in default return value of one of the
>>> functions, which KP recently fixed. But just to be sure, KP, could you
>>> please take a look?
>>>
>>>> --
>>>> Best Regards.
>>>> Ma Xinjian
>>>>
--
Best Regards.
Ma Xinjian
next prev parent reply other threads:[~2020-05-09 7:41 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-07 5:19 bprm_count and stack_mprotect error when testing BPF LSM on v5.7-rc3 Ma Xinjian
2020-05-07 16:16 ` Andrii Nakryiko
[not found] ` <CAFLU3KuU6zFs7+xQ-=vy9WEx-4U=cTSW9VXNMyxRdwY3LHc9HA@mail.gmail.com>
2020-05-07 16:24 ` KP Singh
2020-05-09 7:41 ` Ma Xinjian [this message]
2020-05-09 9:26 ` KP Singh
2020-05-09 9:42 ` KP Singh
[not found] ` <b3991caf-9e04-b6f4-aee5-86191a0fc3df@intel.com>
2020-05-09 13:28 ` KP Singh
2020-05-13 5:55 ` Ma Xinjian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=65526c26-c94b-d5dd-7143-b1af7071dbf9@intel.com \
--to=max.xinjian@intel.com \
--cc=andrii.nakryiko@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=kpsingh@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.