bcc
bcc copied to clipboard
iovisor
bpf : permission denied error
Hi all,
I'm facing the below error while running my profiler using ebpf. I've cloned the bcc repo with the latest code as of today. Can someone please help me resolve the following issue ?
Output of uname -a :
Linux yskot-VirtualBox 6.8.0-40-generic #40~22.04.3-Ubuntu SMP PREEMPT_DYNAMIC Tue Jul 30 17:30:19 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
0: R1=ctx() R10=fp0
; TRACEPOINT_PROBE(syscalls, sys_enter_clone) {
0: (bf) r6 = r1 ; R1=ctx() R6_w=ctx()
1: (b7) r1 = 0 ; R1_w=0
; int z = 0;
2: (63) *(u32 *)(r10 -20) = r1 ; R1_w=0 R10=fp0 fp-24=0000????
; struct log_lv *ll = bpf_map_lookup_elem((void *)bpf_pseudo_fd(1, -4), &z);
3: (18) r1 = 0xffff9a2c468fea00 ; R1_w=map_ptr(map=log_level,ks=4,vs=4)
5: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
;
6: (07) r2 += -20 ; R2_w=fp-20
; struct log_lv *ll = bpf_map_lookup_elem((void *)bpf_pseudo_fd(1, -4), &z);
7: (85) call bpf_map_lookup_elem#1 ; R0_w=map_value_or_null(id=1,map=log_level,ks=4,vs=4)
; if (ll && ll->log_wt <= WT_FORK) {
8: (15) if r0 == 0x0 goto pc+400 ; R0_w=map_value(map=log_level,ks=4,vs=4)
; if (ll && ll->log_wt <= WT_FORK) {
9: (61) r1 = *(u32 *)(r0 +0) ; R0=map_value(map=log_level,ks=4,vs=4) R1=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff))
; if (ll && ll->log_wt <= WT_FORK) {
10: (25) if r1 > 0x401 goto pc+398 ; R1=scalar(smin=smin32=0,smax=umax=smax32=umax32=1025,var_off=(0x0; 0x7ff))
; arg_record(args->clone_flags, gettid());
11: (79) r7 = *(u64 *)(r6 +16) ; R6=ctx() R7_w=scalar()
; return bpf_get_current_pid_tgid() & 0xffffffff;
12: (85) call bpf_get_current_pid_tgid#14 ; R0_w=scalar()
13: (7b) *(u64 *)(r10 -16) = r7 ; R7_w=scalar() R10=fp0 fp-16_w=mmmmmmmm
14: (63) *(u32 *)(r10 -4) = r0 ; R0_w=scalar() R10=fp0 fp-8=mmmm????
; bpf_map_update_elem((void *)bpf_pseudo_fd(1, -15), &tid, &d, BPF_ANY);
15: (18) r1 = 0xffff9a2c4d3fec00 ; R1_w=map_ptr(map=arg,ks=4,vs=8)
17: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
; arg_record(args->clone_flags, gettid());
18: (07) r2 += -4 ; R2_w=fp-4
19: (bf) r3 = r10 ; R3_w=fp0 R10=fp0
20: (07) r3 += -16 ; R3_w=fp-16
21: (b7) r9 = 0 ; R9_w=0
; bpf_map_update_elem((void *)bpf_pseudo_fd(1, -15), &tid, &d, BPF_ANY);
22: (b7) r4 = 0 ; R4_w=0
23: (85) call bpf_map_update_elem#2 ; R0=scalar()
; log_sc_long1(args->__syscall_nr, CLONE_EN, WT_FORK, args->clone_flags);
24: (79) r1 = *(u64 *)(r6 +16) ; R1_w=scalar() R6=ctx()
; log_sc_long1(args->__syscall_nr, CLONE_EN, WT_FORK, args->clone_flags);
25: (7b) *(u64 *)(r10 -32) = r1 ; R1_w=scalar() R10=fp0 fp-32_w=mmmmmmmm
26: (61) r8 = *(u32 *)(r6 +8) ; R6=ctx() R8_w=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff))
; u64 ts = bpf_ktime_get_ns();
27: (85) call bpf_ktime_get_ns#5 ; R0_w=scalar()
28: (bf) r7 = r0 ; R0_w=scalar(id=2) R7_w=scalar(id=2)
; int z = 0;
29: (63) *(u32 *)(r10 -4) = r9 ; R9=0 R10=fp0 fp-8=0000????
; b = bpf_map_lookup_elem((void *)bpf_pseudo_fd(1, -9), &z);
30: (18) r1 = 0xffff9a2c468ff600 ; R1_w=map_ptr(map=buf,ks=4,vs=16320)
32: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
; arg_record(args->clone_flags, gettid());
33: (07) r2 += -4 ; R2_w=fp-4
; b = bpf_map_lookup_elem((void *)bpf_pseudo_fd(1, -9), &z);
34: (85) call bpf_map_lookup_elem#1 ; R0=map_value_or_null(id=3,map=buf,ks=4,vs=16320)
35: (bf) r6 = r0 ; R0=map_value_or_null(id=3,map=buf,ks=4,vs=16320) R6_w=map_value_or_null(id=3,map=buf,ks=4,vs=16320)
; log_sc_long1(args->__syscall_nr, CLONE_EN, WT_FORK, args->clone_flags);
36: (67) r8 <<= 32 ; R8_w=scalar(smax=0x7fffffff00000000,umax=0xffffffff00000000,smin32=0,smax32=umax32=0,var_off=(0x0; 0xffffffff00000000))
37: (c7) r8 s>>= 32 ; R8_w=scalar(smin=0xffffffff80000000,smax=0x7fffffff)
; if (!b) {
38: (55) if r6 != 0x0 goto pc+10 49: R0=map_value(map=buf,ks=4,vs=16320) R6=map_value(map=buf,ks=4,vs=16320) R7=scalar(id=2) R8=scalar(smin=0xffffffff80000000,smax=0x7fffffff) R9=0 R10=fp0 fp-8=mmmm???? fp-16=mmmmmmmm fp-24=mmmm???? fp-32=mmmmmmmm
; if (sc < 500)
49: (65) if r8 s> 0x1f3 goto pc+9 ; R8=scalar(smin=0xffffffff80000000,smax=smax32=499)
; static inline void incr_sc_entry(int sc) { ({ typeof(count.key) _key = sc; typeof(count.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -5), &_key); if (_leaf) lock_xadd(_leaf, 1);}); }
50: (63) *(u32 *)(r10 -16) = r8 ; R8=scalar(smin=0xffffffff80000000,smax=smax32=499) R10=fp0 fp-16=mmmmscalar(smin=0xffffffff80000000,smax=smax32=499)
; static inline void incr_sc_entry(int sc) { ({ typeof(count.key) _key = sc; typeof(count.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -5), &_key); if (_leaf) lock_xadd(_leaf, 1);}); }
51: (18) r1 = 0xffff9a2b5eae8000 ; R1_w=map_ptr(map=count,ks=4,vs=8)
53: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
;
54: (07) r2 += -16 ; R2_w=fp-16
; return bpf_map_lookup_elem((void *)map, key);
55: (85) call bpf_map_lookup_elem#1 ; R0_w=map_value_or_null(id=7,map=count,ks=4,vs=8)
; static inline void incr_sc_entry(int sc) { ({ typeof(count.key) _key = sc; typeof(count.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -5), &_key); if (_leaf) lock_xadd(_leaf, 1);}); }
56: (15) if r0 == 0x0 goto pc+2 ; R0_w=map_value(map=count,ks=4,vs=8)
57: (b7) r1 = 1 ; R1_w=1
; static inline void incr_sc_entry(int sc) { ({ typeof(count.key) _key = sc; typeof(count.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -5), &_key); if (_leaf) lock_xadd(_leaf, 1);}); }
58: (db) lock *(u64 *)(r0 +0) += r1 ; R0=map_value(map=count,ks=4,vs=8) R1=1
; if (b) {
59: (15) if r6 == 0x0 goto pc+349 ; R6=map_value(map=buf,ks=4,vs=16320)
;
60: (bf) r9 = r7 ; R7=scalar(id=2) R9_w=scalar(id=2)
; b->current_ts = ts;
61: (7b) *(u64 *)(r6 +32) = r9 ; R6=map_value(map=buf,ks=4,vs=16320) R9_w=scalar(id=2)
; *idx = b->idx;
62: (69) r8 = *(u16 *)(r6 +0) ; R6=map_value(map=buf,ks=4,vs=16320) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
63: (b7) r1 = 0 ; R1_w=0
; int z=0;
64: (63) *(u32 *)(r10 -4) = r1 ; R1_w=0 R10=fp0 fp-8=0000????
; u64* snp = bpf_map_lookup_elem((void *)bpf_pseudo_fd(1, -13), &z);
65: (18) r1 = 0xffff9a2c468fee00 ; R1_w=map_ptr(map=seqn,ks=4,vs=8)
67: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
;
68: (07) r2 += -4 ; R2_w=fp-4
; u64* snp = bpf_map_lookup_elem((void *)bpf_pseudo_fd(1, -13), &z);
69: (85) call bpf_map_lookup_elem#1 ; R0=map_value_or_null(id=8,map=seqn,ks=4,vs=8)
; if (snp) {
70: (15) if r0 == 0x0 goto pc+3 ; R0=map_value(map=seqn,ks=4,vs=8)
71: (b7) r4 = 1 ; R4_w=1
; sn = __sync_fetch_and_add(snp, 1);
72: (db) r4 = atomic64_fetch_add((u64 *)(r0 +0), r4) ; R0=map_value(map=seqn,ks=4,vs=8) R4_w=scalar()
73: (05) goto pc+11
; b->current_sn = (u16)sn;
85: (6b) *(u16 *)(r6 +8) = r4 ; R4_w=scalar() R6=map_value(map=buf,ks=4,vs=16320)
; if (*idx == 0)
86: (55) if r8 != 0x0 goto pc+3 90: R0=map_value(map=seqn,ks=4,vs=8) R4_w=scalar() R6=map_value(map=buf,ks=4,vs=16320) R7=scalar(id=2) R8=scalar(smin=umin=smin32=umin32=1,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff)) R9=scalar(id=2) R10=fp0 fp-8=mmmm???? fp-16=mmmmmmmm fp-24=mmmm???? fp-32=mmmmmmmm
; b->start_ts = ts;
90: (b7) r1 = 12161 ; R1_w=12161
; else if ((*idx > BUFSIZE - 4096)
91: (2d) if r1 > r8 goto pc+85 ; R1_w=12161 R8=scalar(smin=umin=smin32=umin32=12161,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
92: (7b) *(u64 *)(r10 -40) = r4 ; R4_w=scalar() R10=fp0 fp-40_w=mmmmmmmm
93: (7b) *(u64 *)(r10 -48) = r9 ; R9=scalar(id=2) R10=fp0 fp-48_w=mmmmmmmm
; u32 rnd = bpf_get_prandom_u32();
94: (85) call bpf_get_prandom_u32#7 ; R0=scalar()
95: (bf) r9 = r0 ; R0=scalar(id=75) R9_w=scalar(id=75)
96: (bf) r2 = r9 ; R2_w=scalar(id=75) R9_w=scalar(id=75)
97: (67) r2 <<= 32 ; R2_w=scalar(smax=0x7fffffff00000000,umax=0xffffffff00000000,smin32=0,smax32=umax32=0,var_off=(0x0; 0xffffffff00000000))
98: (77) r2 >>= 32 ; R2_w=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff))
99: (b7) r1 = 2 ; R1_w=2
100: (b7) r3 = 858993459 ; R3_w=0x33333333
101: (b7) r4 = 2 ; R4_w=2
102: (2d) if r3 > r2 goto pc+1 ; R2_w=scalar(smin=umin=umin32=0x33333333,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff)) R3_w=0x33333333
103: (b7) r4 = 1 ; R4_w=1
104: (7b) *(u64 *)(r10 -56) = r4 ; R4_w=1 R10=fp0 fp-56_w=1
; ({ typeof(mystat.key) _key = RB_MSGS; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, 1);});
105: (63) *(u32 *)(r10 -16) = r1 ; R1_w=2 R10=fp0 fp-16=mmmm2
; ({ typeof(mystat.key) _key = RB_MSGS; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, 1);});
106: (18) r1 = 0xffff9a2c4d3fe000 ; R1_w=map_ptr(map=mystat,ks=4,vs=8)
108: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
;
109: (07) r2 += -16 ; R2_w=fp-16
; return bpf_map_lookup_elem((void *)map, key);
110: (85) call bpf_map_lookup_elem#1 ; R0=map_value_or_null(id=76,map=mystat,ks=4,vs=8)
; ({ typeof(mystat.key) _key = RB_MSGS; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, 1);});
111: (15) if r0 == 0x0 goto pc+2 ; R0=map_value(map=mystat,ks=4,vs=8)
112: (b7) r1 = 1 ; R1_w=1
; ({ typeof(mystat.key) _key = RB_MSGS; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, 1);});
113: (db) lock *(u64 *)(r0 +0) += r1 ; R0=map_value(map=mystat,ks=4,vs=8) R1_w=1
114: (67) r9 <<= 32 ; R9_w=scalar(smax=0x7fffffff00000000,umax=0xffffffff00000000,smin32=0,smax32=umax32=0,var_off=(0x0; 0xffffffff00000000))
115: (77) r9 >>= 32 ; R9_w=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff))
; if (flag == BPF_RB_FORCE_WAKEUP)
116: (25) if r9 > 0x33333332 goto pc+10 ; R9_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=0x33333332,var_off=(0x0; 0x3fffffff))
117: (b7) r1 = 3 ; R1_w=3
; ({ typeof(mystat.key) _key = RB_WAKEUPS; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, 1);});
118: (63) *(u32 *)(r10 -16) = r1 ; R1_w=3 R10=fp0 fp-16=mmmm3
; ({ typeof(mystat.key) _key = RB_WAKEUPS; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, 1);});
119: (18) r1 = 0xffff9a2c4d3fe000 ; R1_w=map_ptr(map=mystat,ks=4,vs=8)
121: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
;
122: (07) r2 += -16 ; R2_w=fp-16
; return bpf_map_lookup_elem((void *)map, key);
123: (85) call bpf_map_lookup_elem#1 ; R0=map_value_or_null(id=77,map=mystat,ks=4,vs=8)
; ({ typeof(mystat.key) _key = RB_WAKEUPS; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, 1);});
124: (15) if r0 == 0x0 goto pc+2 ; R0=map_value(map=mystat,ks=4,vs=8)
125: (b7) r1 = 1 ; R1_w=1
; ({ typeof(mystat.key) _key = RB_WAKEUPS; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, 1);});
126: (db) lock *(u64 *)(r0 +0) += r1 ; R0=map_value(map=mystat,ks=4,vs=8) R1_w=1
127: (b7) r1 = 1 ; R1_w=1
; ({ typeof(mystat.key) _key = RB_BYTES; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, *i+8);}); // # of bytes ATTEMPTED to send
128: (63) *(u32 *)(r10 -16) = r1 ; R1_w=1 R10=fp0 fp-16=mmmm1
; ({ typeof(mystat.key) _key = RB_BYTES; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, *i+8);}); // # of bytes ATTEMPTED to send
129: (18) r1 = 0xffff9a2c4d3fe000 ; R1_w=map_ptr(map=mystat,ks=4,vs=8)
131: (bf) r2 = r10 ; R2_w=fp0 R10=fp0
;
132: (07) r2 += -16 ; R2_w=fp-16
; return bpf_map_lookup_elem((void *)map, key);
133: (85) call bpf_map_lookup_elem#1 ; R0=map_value_or_null(id=78,map=mystat,ks=4,vs=8)
; ({ typeof(mystat.key) _key = RB_BYTES; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, *i+8);}); // # of bytes ATTEMPTED to send
134: (55) if r0 != 0x0 goto pc+3 ; R0=0
; sz = min(sz, BUFSIZE-64);
135: (bf) r3 = r8 ; R3_w=scalar(id=79,smin=umin=smin32=umin32=12161,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff)) R8=scalar(id=79,smin=umin=smin32=umin32=12161,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
136: (07) r3 += 8 ; R3_w=scalar(smin=umin=smin32=umin32=12169,smax=umax=smax32=umax32=0x10007,var_off=(0x0; 0x1ffff))
137: (05) goto pc+4
; ({ typeof(mystat.key) _key = RB_BYTES; typeof(mystat.leaf) *_leaf = bpf_map_lookup_elem_(bpf_pseudo_fd(1, -3), &_key); if (_leaf) lock_xadd(_leaf, *i+8);}); // # of bytes ATTEMPTED to send
142: (79) r9 = *(u64 *)(r10 -48) ; R9_w=scalar() R10=fp0 fp-48=mmmmmmmm
143: (79) r4 = *(u64 *)(r10 -56) ; R4_w=1 R10=fp0 fp-56=1
144: (b7) r1 = 16184 ; R1_w=16184
; sz = min(sz, BUFSIZE-64);
145: (2d) if r1 > r8 goto pc+1 147: R0=0 R1_w=16184 R3_w=scalar(smin=umin=smin32=umin32=12169,smax=umax=smax32=umax32=0x10007,var_off=(0x0; 0x1ffff)) R4_w=1 R6=map_value(map=buf,ks=4,vs=16320) R7=scalar(id=2) R8=scalar(id=79,smin=umin=smin32=umin32=12161,smax=umax=smax32=umax32=16183,var_off=(0x2000; 0x1fff)) R9_w=scalar() R10=fp0 fp-8=mmmm???? fp-16=mmmmmmmm fp-24=mmmm???? fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm fp-56=1
; b->tsrec = TS_RECORD(MS_BITS(b->start_ts));
147: (79) r1 = *(u64 *)(r6 +48) ; R1_w=scalar() R6=map_value(map=buf,ks=4,vs=16320)
148: (57) r1 &= -16777216 ; R1_w=scalar(smax=0x7fffffffff000000,umax=0xffffffffff000000,smax32=0x7f000000,umax32=0xff000000,var_off=(0x0; 0xffffffffff000000))
149: (47) r1 |= 3024249 ; R1_w=scalar(smin=0x80000000002e2579,smax=0x7fffffffff2e2579,umin=umin32=0x2e2579,umax=0xffffffffff2e2579,smin32=0x802e2579,smax32=0x7f2e2579,umax32=0xff2e2579,var_off=(0x2e2579; 0xffffffffff000000))
; b->tsrec = TS_RECORD(MS_BITS(b->start_ts));
150: (7b) *(u64 *)(r6 +56) = r1 ; R1_w=scalar(smin=0x80000000002e2579,smax=0x7fffffffff2e2579,umin=umin32=0x2e2579,umax=0xffffffffff2e2579,smin32=0x802e2579,smax32=0x7f2e2579,umax32=0xff2e2579,var_off=(0x2e2579; 0xffffffffff000000)) R6=map_value(map=buf,ks=4,vs=16320)
; err = bpf_ringbuf_output((void *)bpf_pseudo_fd(1, -10), &b->tsrec, sz, flag);
151: (18) r1 = 0xffff9a2c468ffc00 ; R1_w=map_ptr(map=events,ks=0,vs=0)
; b->tsrec = TS_RECORD(MS_BITS(b->start_ts));
153: (bf) r2 = r6 ; R2_w=map_value(map=buf,ks=4,vs=16320) R6=map_value(map=buf,ks=4,vs=16320)
154: (07) r2 += 56 ; R2_w=map_value(map=buf,ks=4,vs=16320,off=56)
; err = bpf_ringbuf_output((void *)bpf_pseudo_fd(1, -10), &b->tsrec, sz, flag);
155: (85) call bpf_ringbuf_output#130
invalid access to map value, value_size=16320 off=56 size=65543
R2 min value is outside of the allowed memory range
processed 2240 insns (limit 1000000) max_states_per_insn 9 total_states 166 peak_states 106 mark_read 9
Traceback (most recent call last):
File "/home/yskot/eprov-dev/eauditd.py", line 514, in <module>
b = BPF(text=src);
File "/usr/lib/python3/dist-packages/bcc-0.31.0+052022b0-py3.10.egg/bcc/__init__.py", line 488, in __init__
File "/usr/lib/python3/dist-packages/bcc-0.31.0+052022b0-py3.10.egg/bcc/__init__.py", line 1490, in _trace_autoload
File "/usr/lib/python3/dist-packages/bcc-0.31.0+052022b0-py3.10.egg/bcc/__init__.py", line 527, in load_func
Exception: Failed to load BPF program b'tracepoint__syscalls__sys_enter_clone': Permission denied
Command exited with non-zero status 1
8.67user 0.80system 0:10.42elapsed 90%CPU (0avgtext+0avgdata 256916maxresident)k
24592inputs+0outputs (91major+59362minor)pagefaults 0swaps```
