Uncertain permissions needed to enable use of BPF (async_event_filter.o).
While preparing to report another issue, I found that Debian now ships a BPF-enabled rr version. Unfortunately, with my payload I receive the BPF failures below on replay, while the replay itself succeeds.
When I manipulate /proc/sys/kernel/unprivileged_bpf_disabled the error changes slightly, but still shows up.
The failure does not show up when replaying as root (which I guess is the least desired method security-wise).
Is it known which permissions my user or the rr executable is missing and how they can be granted?
Would it be an improvement to make rr's use of BPF runtime selectable via command line or environment?
Details
benutzer@debian:~$ ulimit -a | grep locked
max locked memory (kbytes, -l) 8192
benutzer@debian:~$ rr --version
rr version 5.9.0
benutzer@debian:~$ dpkg -l | grep " rr "
ii rr 5.9.0-2 amd64 application execution recorder, player and debugger
benutzer@debian:~$ which rr
/usr/bin/rr
benutzer@debian:~$
benutzer@debian:~$ export PATH=/opt/wine-devel/bin:$PATH_ORIG
benutzer@debian:~$ xterm &
[1] 97364
benutzer@debian:~$ debian_chroot=rr rr record bash
rr: Saving execution to trace directory `/home/benutzer/.local/share/rr/bash-16'.
(rr)benutzer@debian:~$ wineserver -p60
# start in the xterm above `wine winemine` to have most wine processes started up outside of the recording
(rr)benutzer@debian:~$ wine timeout /T 3
waiting since 2 sec. press a key to continue...
(rr)benutzer@debian:~$ wineserver -k
(rr)benutzer@debian:~$ (rr)benutzer@debian:~$ (rr)benutzer@debian:~$ stty sane
(rr)benutzer@debian:~$ exit
exit
benutzer@debian:~$
benutzer@debian:~$ rr replay -a bash-16
(rr)benutzer@debian:~$ wineserver -p60
(rr)benutzer@debian:~$ wine timeout /T 3
libbpf: Failed to bump RLIMIT_MEMLOCK (err = -1), you might need to do it explicitly!
libbpf: Error in bpf_object__probe_loading():Operation not permitted(1). Couldn't load trivial BPF program. Make sure your kernel supports BPF (CONFIG_BPF_SYSCALL=y) and/or that RLIMIT_MEMLOCK is set to big enough value.
libbpf: failed to load object '/usr/bin/../share/rr/async_event_filter.o'
[ERROR ./src/PerfCounters.cc:1207:get_or_create() errno: EPERM] Failed to load bpf at /usr/bin/../share/rr/async_event_filter.o into the kernel. Do we have permissions?
waiting since 2 sec. press a key to continue...
(rr)benutzer@debian:~$ (rr)benutzer@debian:~$ (rr)benutzer@debian:~$ (rr)benutzer@debian:~$ stty sane
(rr)benutzer@debian:~$ exit
exit
benutzer@debian:~$
root@debian:~# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
benutzer@debian:~$ rr replay -a bash-16
(rr)benutzer@debian:~$ wineserver -p60
(rr)benutzer@debian:~$ wine timeout /T 3
libbpf: prog 'match_registers': BPF program load failed: Operation not permitted
libbpf: prog 'match_registers': failed to load: -1
libbpf: failed to load object '/usr/bin/../share/rr/async_event_filter.o'
[ERROR ./src/PerfCounters.cc:1207:get_or_create() errno: EPERM] Failed to load bpf at /usr/bin/../share/rr/async_event_filter.o into the kernel. Do we have permissions?
waiting since 2 sec. press a key to continue...
(rr)benutzer@debian:~$ (rr)benutzer@debian:~$ (rr)benutzer@debian:~$ (rr)benutzer@debian:~$ stty sane
(rr)benutzer@debian:~$ exit
exit
benutzer@debian:~$
root@debian:~# which rr
/usr/bin/rr
root@debian:~# rr replay -a /home/benutzer/.local/share/rr/bash-16
(rr)benutzer@debian:~$ wineserver -p60
(rr)benutzer@debian:~$ wine timeout /T 3
waiting since 2 sec. press a key to continue...
(rr)benutzer@debian:~$ (rr)benutzer@debian:~$ (rr)benutzer@debian:~$ (rr)benutzer@debian:~$ stty sane
(rr)benutzer@debian:~$ exit
exit
root@debian:~#
CC: @skitt
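A small diagnostic for the prerequisites the libbpf messages above name (RLIMIT_MEMLOCK, CONFIG_BPF_SYSCALL, and permission to load), as an added example that is not part of rr or this issue. It assumes async_event_filter.o is a perf-event BPF program (so it needs CAP_BPF plus CAP_PERFMON, or CAP_SYS_ADMIN, even when unprivileged bpf() is allowed) and uses the capability bit numbers from the kernel's uapi capability.h.

```shell
#!/bin/sh
# Added example, not rr's code: explain why loading async_event_filter.o
# can fail for an unprivileged user. Program-type rules are Linux 5.8+.
# Assumption: the filter is a BPF_PROG_TYPE_PERF_EVENT program.

# has_cap HEXMASK BIT: is bit BIT set in a CapEff-style mask (/proc/PID/status)?
has_cap() {
    [ "$(( 0x$1 >> $2 & 1 ))" -eq 1 ]
}

# caps_missing HEXMASK: capabilities a perf-event BPF loader still lacks;
# prints nothing when the mask is sufficient.
caps_missing() {
    if has_cap "$1" 21; then return 0; fi   # CAP_SYS_ADMIN (bit 21) covers both
    missing=""
    has_cap "$1" 39 || missing="CAP_BPF"    # bit 39
    has_cap "$1" 38 || missing="${missing:+$missing }CAP_PERFMON"   # bit 38
    printf '%s' "$missing"
}

# sysctl_meaning VALUE: what kernel.unprivileged_bpf_disabled implies.
# With 0 the trivial probe program loads (socket-filter type) but a perf-event
# program still fails, which matches the second failure in the session above.
sysctl_meaning() {
    case "$1" in
        0) echo "bpf() open to unprivileged users, but only SOCKET_FILTER/CGROUP_SKB program types; others still need capabilities" ;;
        1) echo "bpf() needs CAP_BPF; cannot be re-enabled until reboot" ;;
        2) echo "bpf() needs CAP_BPF; can be set back to 0" ;;
        *) echo "unknown value '$1'" ;;
    esac
}

# report: run the checks on this host (guards cover non-Linux systems).
report() {
    f=/proc/sys/kernel/unprivileged_bpf_disabled
    [ -r "$f" ] && echo "unprivileged_bpf_disabled=$(cat "$f"): $(sysctl_meaning "$(cat "$f")")"
    echo "RLIMIT_MEMLOCK soft limit (kB): $(ulimit -l 2>/dev/null)"
    eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
    [ -n "$eff" ] && echo "missing for perf-event BPF: '$(caps_missing "$eff")' (CapEff=$eff)"
    grep -qs '^CONFIG_BPF_SYSCALL=y' "/boot/config-$(uname -r)" && echo "CONFIG_BPF_SYSCALL=y"
    true
}

report
```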
Are you saying Debian is shipping a bpf-enabled rr by default? They really should not be doing that ...
In addition to the permissions issues the feature may not be fully baked. That's why it's off by default in our cmake config.
Thanks for the prompt response. Yes, as far as I can see it is enabled in Debian testing for amd64, rr version 5.9. It got enabled some weeks ago. It is not enabled in the rr package version 5.6 in the current release version in Debian 12/bookworm. Then I guess this is important information for @skitt.
Thanks for the information, I should really have done this in experimental… I’ll upload a new package without BPF forthwith.
Since we have a distro maintainer here, are there any sort of standards or conventions to follow when it comes to packaging BPF programs?