Bug 1591440 - bpftool returns EPERM on all actions
Summary: bpftool returns EPERM on all actions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-06-14 17:56 UTC by jakub.kicinski
Modified: 2018-09-12 02:57 UTC (History)
CC List: 22 users

Fixed In Version: selinux-policy-3.14.2-34.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-12 02:57:54 UTC
Type: Bug
Embargoed:



Description jakub.kicinski 2018-06-14 17:56:45 UTC
Description of problem:
bpftool does not work. I get EPERM from the kernel on all actions.

Version-Release number of selected component (if applicable):
bpftool v4.16.0 (F28) bpftool-4.16.0-302.fc28.x86_64
bpftool v4.17.0 (Rawhide) bpftool-4.17.0-1.fc29.x86_64

How reproducible:
Each time (although I heard reports that it "used to work" from co-workers)

Steps to Reproduce:
Run as root:
bpftool prog
or as user:
sudo bpftool prog

Actual results:
Error: can't get next program: Operation not permitted

Expected results:
List of programs.

Additional info:
# trace-cmd record -p function -F bpftool prog
# trace-cmd report | grep bpf[^t]
         bpftool-3627  [002] 65056.383169: function:                         bpf_fd_pass
         bpftool-3627  [002] 65056.383188: function:                         bpf_fd_pass
         bpftool-3627  [002] 65056.386515: function:                            bpf_fd_pass
         bpftool-3627  [002] 65056.386566: function:                         bpf_fd_pass
         bpftool-3627  [002] 65056.387013: function:                               bpf_fd_pass
         bpftool-3627  [002] 65056.387557: function:                               bpf_fd_pass
         bpftool-3627  [002] 65056.387582: function:                      bpf_fd_pass
         bpftool-3627  [002] 65056.387610: function:                               bpf_fd_pass
         bpftool-3627  [002] 65056.387802: function:                               bpf_fd_pass
         bpftool-3627  [002] 65056.387824: function:                      bpf_fd_pass
         bpftool-3627  [002] 65056.387852: function:                               bpf_fd_pass
         bpftool-3627  [002] 65056.388129: function:                               bpf_fd_pass
         bpftool-3627  [002] 65056.388151: function:                   bpf_fd_pass
         bpftool-3627  [002] 65056.388179: function:                               bpf_fd_pass
         bpftool-3627  [002] 65056.388344: function:                            bpf_fd_pass
         bpftool-3627  [002] 65056.388372: function:                      bpf_fd_pass
         bpftool-3627  [002] 65056.388405: function:                               bpf_fd_pass
         bpftool-3627  [002] 65056.389144: function:                      bpf_fd_pass
         bpftool-3627  [002] 65056.389217: function:                   bpf_fd_pass
         bpftool-3627  [002] 65056.389269: function:                      bpf_fd_pass
         bpftool-3627  [002] 65056.389294: function:                      bpf_fd_pass
         bpftool-3627  [002] 65056.389359: function:                      bpf_fd_pass
         bpftool-3627  [002] 65056.389414: function:             bpf_fd_pass

There are only bpf_fd_pass calls in the kernel, so it looks like something is denying the permission at the security subsystem level, but I did setenforce 0 and it didn't help :S

Comment 1 Laura Abbott 2018-06-14 18:15:34 UTC
So 'sudo bpftool prog' works for me on both F28 and rawhide. What kernel version are you running on? Are you running with secure boot on by any chance?

Comment 2 jakub.kicinski 2018-06-14 18:22:25 UTC
Interesting, does it work for you when you're logged in as root?

I have Secure Boot on, on my F28 machine, but not on the Rawhide one.

The error is slightly different on the Rawhide:
Error: can't get prog by id (13): Permission denied
instead of:
Error: can't get next program: Operation not permitted

$ uname -r
4.16.14-300.fc28.x86_64

and
$ uname -r
4.18.0-0.rc0.git7.2.fc29.x86_64

Comment 3 jakub.kicinski 2018-06-14 18:35:13 UTC
Oh, turns out on the Rawhide machine setenforce 0 fixes the issue, so it's SELinux related...
Does Secure Boot make it impossible to disable SELinux?

Comment 4 Laura Abbott 2018-06-14 18:47:04 UTC
SELinux and Secure Boot are not connected, but it is expected that bpf is disabled when Secure Boot is enabled, so that explains F28. I forgot I have my Rawhide machine in reporting-only mode and I do see SELinux failures there. So we could move this bug to selinux-policy to fix it up there.

Comment 5 jakub.kicinski 2018-06-14 20:44:24 UTC
Thank you!  I didn't know secure boot disables BPF, is it a Fedora/RHEL specific patch or does it happen on upstream kernels too?

I'm happy for the bug to be moved to selinux policy, FWIW:

AVC avc:  denied  { prog_run } for  pid=10409 comm="bpftool" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1
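
The AVC record quoted in Comment 5 is the whole diagnosis: the bpf object class has its own permissions (prog_run, map_read, map_write, ...), and here an unconfined_t process is denied prog_run against a program owned by init_t, with permissive=1 showing the machine was already in permissive mode when it was logged. The script below is an added example, not part of this bug report or of selinux-policy: it turns such records into the allow rules a local policy module would need (the same mapping audit2allow does), so you can see exactly which bpf permissions the shipped policy lacks, and it bundles the live checks that separate the SELinux cause from the Secure Boot cause discussed in Comment 4. The audit lines it parses are constructed to match the quoted denial (timestamps and serials are made up); the triage function assumes mokutil and auditd are installed, and /sys/kernel/security/lockdown only exists on kernels with the lockdown LSM (upstream 5.4 and later).

```shell
#!/bin/sh
# Added example, not part of the bug report or of selinux-policy: translate
# SELinux AVC denials on the "bpf" object class into the allow rules a local
# policy module would need (the same mapping audit2allow performs), plus a
# small live triage helper.  The audit lines below are CONSTRUCTED to match
# the denial quoted in Comment 5; timestamps and serials are made up.

SAMPLE_AVC='type=AVC msg=audit(1529010000.123:456): avc:  denied  { prog_run } for  pid=10409 comm="bpftool" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1
type=AVC msg=audit(1529010000.124:457): avc:  denied  { map_read map_write } for  pid=10409 comm="bpftool" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1
type=AVC msg=audit(1529010000.125:458): avc:  denied  { read } for  pid=10410 comm="cat" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# bpf_avc_rules: read AVC records on stdin and print one deduplicated
# "allow <source type> <target type>:bpf { perms };" line per bpf denial.
# Non-bpf denials (the shadow_t read above) are ignored on purpose: the
# point is to see exactly which bpf permissions the policy lacks.
bpf_avc_rules() {
    awk '
    /avc: *denied/ && /tclass=bpf/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)           # drop " }" and the rest
        match($0, /scontext=[^ ]+/); sctx = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); tctx = substr($0, RSTART + 9, RLENGTH - 9)
        split(sctx, s, ":"); split(tctx, t, ":")   # user:role:type[:range]
        print "allow " s[3] " " t[3] ":bpf { " perms " };"
    }' | sort -u
}

# bpf_avc_count: number of distinct bpf allow rules needed for the input.
bpf_avc_count() {
    bpf_avc_rules | wc -l | tr -d ' '
}

# bpf_eperm_triage: live checks that separate the two causes discussed in
# this bug (SELinux denial vs. BPF locked down under Secure Boot).  Needs
# root for ausearch.  Assumes mokutil and auditd are installed;
# /sys/kernel/security/lockdown exists only on kernels with the lockdown
# LSM (upstream 5.4+), so older Fedora kernels simply will not show it.
bpf_eperm_triage() {
    echo "SELinux mode:   $(getenforce 2>/dev/null || echo unknown)"
    echo "Secure Boot:    $(mokutil --sb-state 2>/dev/null || echo unknown)"
    [ -r /sys/kernel/security/lockdown ] && echo "Lockdown:       $(cat /sys/kernel/security/lockdown)"
    echo "bpf AVC denials for bpftool since boot, as allow rules:"
    ausearch -m avc -c bpftool --start boot 2>/dev/null | bpf_avc_rules
}

# Stand-alone run: show what the constructed sample turns into.
printf '%s\n' "$SAMPLE_AVC" | bpf_avc_rules
```

Run it as root on the affected machine and call bpf_eperm_triage: if getenforce says Enforcing and the rule list is non-empty, the fix is policy (as it was here); if the rule list is empty but Secure Boot is enabled, the kernel itself is refusing bpf and no SELinux change will help. Note that a denial only shows up in the audit log at all if the machine is enforcing or permissive; with selinux=0 on the kernel command line there is nothing to parse.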

Comment 6 Laura Abbott 2018-06-15 14:08:30 UTC
The Secure Boot work is still going upstream but yes, it's intended to be locked down upstream too. I'll move this over to selinux-policy.

Comment 7 Jan Kurik 2018-08-14 11:18:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 8 Fedora Update System 2018-09-11 12:51:34 UTC
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

Comment 9 Fedora Update System 2018-09-12 02:57:54 UTC
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

