[RFC PATCH v1 0/5, linux-azure, 5.4.1089, arm64] eBPF opensnoop does not display PATH
Francis Laniel
flaniel at linux.microsoft.com
Wed Sep 7 09:33:35 UTC 2022
Hi.
First, I hope you are fine and the same for your relatives.
The actual kernel used on AKS arm64 (i.e. 5.4.1089) suffers from a known problem
[1].
As a consequence, opensnoop does not display PATH:
# Run the following from Canonical:UbuntuServer:18_04-daily-lts-arm64:18.04.202208290
$ uname -a
Linux francis-vm-arm64-ubuntu18vm 5.4.0-1089-azure #94~18.04.1-Ubuntu SMP Fri Aug 5 12:36:48 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
$ lsb_release -rd
Description: Ubuntu 18.04.6 LTS
Release: 18.04
$ git clone --recurse-submodules https://github.com/iovisor/bcc
Linux francis-vm-arm64-ubuntu18vm 5.4.0-1089-azure #94~18.04.1-Ubuntu SMP Fri Aug 5 12:36:48 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
$ sudo sh -c 'apt update && apt install -qy clang-10 llvm-10 make gcc pkg-config libelf-dev libz-dev'
...
$ cd bcc/libbpf-tools
$ CLANG=clang-10 LLVM_STRIP=llvm-strip-10 make -j opensnoop
...
BINARY opensnoop
$ sudo ./opensnoop
PID COMM FD ERR PATH
1672 python3 3 0
9746 opensnoop 20 0
1672 python3 3 0
1672 python3 3 0
1672 python3 -1 2
1672 python3 3 0
1 systemd 18 0
1672 python3 6 0
1672 python3 3 0
1672 python3 3 0
1672 python3 3 0
1672 python3 3 0
1672 python3 3 0
^C
As you can see, nothing is printed for the PATH while normal behavior prints the
path of the opened file:
$ uname -a
Linux pwmachine 5.15.0-46-generic #49~20.04.1-Ubuntu SMP Thu Aug 4 19:15:44 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ sudo ./opensnoop
PID COMM FD ERR PATH
2704 systemd 23 0 virtual
2704 systemd 22 0 misc
2704 systemd 23 0 fuse
2704 systemd 22 0 /sys/devices/virtual/misc/fuse/uevent
2704 systemd 22 0 /run/udev/data/c10:229
2704 systemd 22 0 /proc/2704/status
2704 systemd 22 0 /proc/2704/status
2704 systemd 22 0 /proc/2704/status
^C
This bug was fixed in upstream patch [2].
Sadly, this patch was not backported, so it is not present in stable kernels.
I backported the patches myself and was able to build the kernel package with
the following command:
$ sudo LANG=C $(dpkg-architecture -aarm64) CROSS_COMPILE=aarch64-linux-gnu- fakeroot debian/rules binary skipdbg=false
Sadly, I was not able to successfully boot it on Azure, either by installing the
package or using kexec.
I suspect this is because my image was not signed.
Daniel Borkmann (4):
uaccess: Add strict non-pagefault kernel-space read function
bpf, samples: Use bpf_probe_read_user where appropriate
bpf, testing: Convert prog tests to probe_read_{user, kernel}{, _str}
helper
bpf, testing: Add selftest to read/write sockaddr from user space
Francis Laniel (1):
bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str
helpers
arch/x86/mm/Makefile | 2 +-
arch/x86/mm/maccess.c | 43 +++++
include/linux/uaccess.h | 4 +
include/uapi/linux/bpf.h | 129 ++++++++-----
kernel/trace/bpf_trace.c | 181 +++++++++++++-----
mm/maccess.c | 25 ++-
samples/bpf/map_perf_test_kern.c | 4 +-
samples/bpf/test_map_in_map_kern.c | 4 +-
samples/bpf/test_probe_write_user_kern.c | 2 +-
tools/include/uapi/linux/bpf.h | 128 ++++++++-----
.../selftests/bpf/prog_tests/probe_user.c | 78 ++++++++
tools/testing/selftests/bpf/progs/pyperf.h | 67 ++++---
.../testing/selftests/bpf/progs/strobemeta.h | 36 ++--
.../selftests/bpf/progs/test_probe_user.c | 26 +++
.../selftests/bpf/progs/test_tcp_estats.c | 2 +-
15 files changed, 542 insertions(+), 189 deletions(-)
create mode 100644 arch/x86/mm/maccess.c
create mode 100644 tools/testing/selftests/bpf/prog_tests/probe_user.c
create mode 100644 tools/testing/selftests/bpf/progs/test_probe_user.c
Best regards and thank you in advance.
---
[1] https://github.com/iovisor/bcc/issues/2253
[2] https://github.com/torvalds/linux/commit/6ae08ae3dea2cfa03dd3665a3c8475c2d429ef47
--
2.25.1
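
A check for the symptom reported above, as an added example that is not part of the original message or of bcc: it parses captured opensnoop output and reports whether every event row lacks a PATH, which is useful as a pass/fail test when booting a kernel with the backport. The function names are hypothetical, the sample rows are copied from the two outputs in the message, and the parser assumes whitespace-separated columns as they appear on this page.

```python
import re

# One opensnoop row: PID COMM FD ERR [PATH]. COMM is matched lazily so the
# first two numeric fields after it are taken as FD and ERR (assumption: COMM
# itself does not end in two numeric words).
ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(-?\d+)\s+(\d+)(?:\s+(\S.*))?$")

# Sample rows copied from the arm64 5.4.0-1089-azure output in the message.
BROKEN = """PID COMM FD ERR PATH
1672 python3 3 0
9746 opensnoop 20 0
1672 python3 3 0
1672 python3 3 0
1672 python3 -1 2
1 systemd 18 0
^C"""

# Sample rows copied from the x86_64 5.15 output in the message.
WORKING = """PID COMM FD ERR PATH
2704 systemd 23 0 virtual
2704 systemd 22 0 misc
2704 systemd 23 0 fuse
2704 systemd 22 0 /sys/devices/virtual/misc/fuse/uevent
2704 systemd 22 0 /run/udev/data/c10:229
2704 systemd 22 0 /proc/2704/status
^C"""

def parse_rows(output):
    """Return one dict per event row; the header, ^C and other noise are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line.rstrip())
        if not m:
            continue
        pid, comm, fd, err, path = m.groups()
        rows.append({"pid": int(pid), "comm": comm, "fd": int(fd),
                     "err": int(err), "path": path or ""})
    return rows

def path_missing(output, min_rows=5):
    """True when enough rows were captured and none of them carries a PATH."""
    rows = parse_rows(output)
    if len(rows) < min_rows:
        raise ValueError("not enough opensnoop rows to decide")
    return all(r["path"] == "" for r in rows)

if __name__ == "__main__":
    print("arm64 5.4 sample, PATH missing:", path_missing(BROKEN))
    print("x86_64 5.15 sample, PATH missing:", path_missing(WORKING))
```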