bcc icon indicating copy to clipboard operation
bcc copied to clipboard
verified publisher icon iovisor

libbpf: prog 'tracepoint__syscalls__sys_enter_accept': failed to create BPF link for perf_event FD 49: -13 (Permission denied

Open X3eRo0 opened this issue 3 years ago • 6 comments

My tracepoint for sys_accept is not working for some reason. Here is the bpf code related to accept

#include <vmlinux.h>
#include "dojosnoop.h"
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_helpers.h>
#include "syscalls.h"

static pid_t filter_pid = 0;
static const struct event empty_event = {};

struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 10240);
    __type(key, pid_t);
    __type(value, struct event);
} accepts SEC(".maps");

SEC("tracepoint/syscalls/sys_enter_accept")
int tracepoint__syscalls__sys_enter_accept(struct trace_event_raw_sys_enter* ctx)
{
    struct event* event;
    pid_t pid = (pid_t)bpf_get_current_pid_tgid();
    // trace only selected pid
    if (filter_pid == 0 || pid != filter_pid) {
        return 0;
    }

    if (bpf_map_update_elem(&accepts, &pid, &empty_event, BPF_NOEXIST))
        return 0;

    event = bpf_map_lookup_elem(&accepts, &pid);
    if (!event)
        return 0;

    event->sysnr = sys_accept;
    event->pid = pid;
    event->uid = bpf_get_current_uid_gid();
    bpf_get_current_comm(&event->comm, sizeof(event->comm));
    event->arg0 = ctx->args[0];
    bpf_probe_read_user(&event->data, sizeof(struct sockaddr), (const char*)ctx->args[1]);
    bpf_probe_read_user(&event->arg2, sizeof(int), (const char*)ctx->args[2]);
    event->arg3 = ctx->args[3];
    bpf_map_update_elem(&accepts, &pid, event, 0);
    return 0;
}

SEC("tracepoint/syscalls/sys_exit_accept")
int tracepoint__syscalls__sys_exit_accept(struct trace_event_raw_sys_exit* ctx)
{
    u64 id;
    pid_t pid;
    u64 ret;
    struct event* event;

    id = bpf_get_current_pid_tgid();
    pid = (pid_t)id;
    // trace only selected pid
    if (filter_pid == 0 || pid != filter_pid) {
        return 0;
    }

    event = bpf_map_lookup_elem(&accepts, &pid);
    if (!event)
        return 0;
    ret = ctx->ret;
    if (ret < 0)
        goto cleanup;
    event->ret = ret;
    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event, sizeof(*event));
cleanup:
    bpf_map_delete_elem(&accepts, &pid);
    return 0;
}

Output:

libbpf: prog 'tracepoint__syscalls__sys_enter_accept': failed to create BPF link for perf_event FD 33: -13 (Permission denied)
libbpf: prog 'tracepoint__syscalls__sys_enter_accept': failed to attach to tracepoint 'syscalls/sys_enter_accept': Permission denied
libbpf: prog 'tracepoint__syscalls__sys_enter_accept': failed to auto-attach: -13
failed to attach BPF programs

/sys/kernel/debug/tracing/events/syscalls/sys_enter_accept certainly exists

All other syscalls work just fine

X3eRo0 avatar Sep 18 '22 20:09 X3eRo0

What's your distro and kernel version ? Please enable libbpf verbose log and see if there are any clues.

chenhengqi avatar Sep 19 '22 02:09 chenhengqi

uname -a Linux x3ero0-gen10 5.15.0-47-generic #51-Ubuntu SMP Thu Aug 11 07:51:15 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Distro : Ubuntu 22.04

Also how do I enable verbose logs?

X3eRo0 avatar Sep 20 '22 00:09 X3eRo0

https://github.com/iovisor/bcc/blob/ca5fd8ee6fe03e8617e83de1d6d6a1e2994d668c/libbpf-tools/biosnoop.c#L205-L206

chenhengqi avatar Sep 20 '22 02:09 chenhengqi

These 2 lines are already present in my code

X3eRo0 avatar Sep 20 '22 02:09 X3eRo0

image This is the output when we run this

X3eRo0 avatar Sep 20 '22 02:09 X3eRo0

No idea.

chenhengqi avatar Sep 20 '22 14:09 chenhengqi