Hello all, I compiled an Android Kernel to enable ebpf and LSM features. Enabled features: -d CONFIG_LTO \ -d CONFIG_LTO_CLANG \ -d CONFIG_CFI_CLANG \ -d CFI_PERMISSIVE \ -d CFI_CLANG \ -d CONFIG_RANDOMIZE_BASE \ -e CONFIG_FTRACE_SYSCALLS \ -e CONFIG_DEBUG_FS \ -e CONFIG_ROP_PROTECTION_NONE \ -e CONFIG_DEBUG_INFO \ -e CONFIG_DEBUG_INFO_BTF \ -e CONFIG_BPF \ -e CONFIG_BPF_SYSCALL \ -e CONFIG_BPF_JIT \ -e CONFIG_HAVE_BPF_JIT \ -e CONFIG_HAVE_EBPF_JIT \ -e CONFIG_BPF_EVENTS \ -e CONFIG_IKHEADERS \ -e CONFIG_CGROUP_BPF \ -e CONFIG_FTRACE_SYSCALLS \ -e CONFIG_BPF_LSM \ -e CONFIG_TRACEPOINTS \ -e CONFIG_HAVE_SYSCALL_TRACEPOINTS \ -d CONFIG_TRACEFS_DISABLE_AUTOMOUNT \ -e CONFIG_DEBUG_PREEMPT \ -e CONFIG_PREEMPTIRQ_EVENTS \ -d CONFIG_PROVE_LOCKING \ -d CONFIG_LOCKDEP \ -e CONFIG_NET_CLS_BPF \ -e CONFIG_NET_ACT_BPF \ -e CONFIG_NET_SCH_SFQ \ -e CONFIG_NET_ACT_POLICE \ -e CONFIG_NET_ACT_GACT \ -e CONFIG_DUMMY It may be more that what's necessary but I was experimenting by adding more features I was finding on Internet about the topic. System: Cuttlefish Android Device (crossvm) with kernel 5.15.78 (from https://android.googlesource.com/kernel/manifest -b common-android13-5.15). Program to test: SEC("lsm/file_open") int BPF_PROG(file_open_lsm, struct file *file, int ret) { return ret; } cat /sys/kernel/security/lsm capability,selinux,bpf Output when running the lsm program: libbpf: prog 'lsm_file_open_function': failed to attach: Device or resource busylibbpf: prog 'lsm_file_open_function': failed to auto-attach: -16 Failed to attach BPF skeleton strace: ... bpf(BPF_OBJ_GET_INFO_BY_FD, {info={bpf_fd=16, info_len=88 => 80, info=0x7fffe2761f70}}, 16) = 0mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 16, 0) = 0x7bc0d9511000 mmap(NULL, 1052672, PROT_READ, MAP_SHARED, 16, 0x1000) = 0x7bbe4628d000 epoll_ctl(30, EPOLL_CTL_ADD, 16, {EPOLLIN, {u32=10, u64=10}}) = 0 bpf(BPF_OBJ_GET_INFO_BY_FD, {info={bpf_fd=17, info_len=88 => 80, info=0x7fffe2761f70}}, 16) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 17, 0) = 0x7bc0d9510000 mmap(NULL, 1052672, PROT_READ, MAP_SHARED, 17, 0x1000) = 0x7bbe45f5d000 epoll_ctl(30, EPOLL_CTL_ADD, 17, {EPOLLIN, {u32=11, u64=11}}) = 0 bpf(0x1c /* BPF_??? */, 0x7fffe2761df0, 48) = -1 EINVAL (Invalid argument) bpf(BPF_RAW_TRACEPOINT_OPEN, {raw_tracepoint={name=NULL, prog_fd=21}}, 16) = -1 EBUSY (Device or resource busy) write(2, "libbpf: prog 'file_open_lsm"..., 81libbpf: prog 'file_open_lsm': failed to attach: Device or resource busy ) = 81 write(2, "libbpf: prog 'file_open_lsm"..., 66libbpf: prog 'file_open_lsm': failed to auto-attach: -16 ) = 66 write(2, "Failed to attach BPF skeleton\n", 30Failed to attach BPF skeleton ) = 30 When I remove lsm hooks but keep kprobes and other ones, it works. Seems like only lsm programs have the issue. I'm using xmake to compile it for Android, according to samples from here: https://github.com/libbpf/libbpf-bootstrap libbpf version: 1.0 bpftool version: v7.0.0 Any help is appreciated Best regards,
Attachment:
signature.asc
Description: OpenPGP digital signature
