Description of problem:
bpftool does not work. I get EPERM from the kernel on all actions.

Version-Release number of selected component (if applicable):
bpftool v4.16.0 (F28) bpftool-4.16.0-302.fc28.x86_64
bpftool v4.17.0 (Rawhide) bpftool-4.17.0-1.fc29.x86_64

How reproducible:
Each time (although I heard reports that it "used to work" from co-workers)

Steps to Reproduce:
Run as root:
bpftool prog
or as user:
sudo bpftool prog

Actual results:
Error: can't get next program: Operation not permitted

Expected results:
List of programs.

Additional info:
# trace-cmd record -p function -F bpftool prog
# trace-cmd report | grep bpf[^t]
bpftool-3627 [002] 65056.383169: function: bpf_fd_pass
bpftool-3627 [002] 65056.383188: function: bpf_fd_pass
bpftool-3627 [002] 65056.386515: function: bpf_fd_pass
bpftool-3627 [002] 65056.386566: function: bpf_fd_pass
bpftool-3627 [002] 65056.387013: function: bpf_fd_pass
bpftool-3627 [002] 65056.387557: function: bpf_fd_pass
bpftool-3627 [002] 65056.387582: function: bpf_fd_pass
bpftool-3627 [002] 65056.387610: function: bpf_fd_pass
bpftool-3627 [002] 65056.387802: function: bpf_fd_pass
bpftool-3627 [002] 65056.387824: function: bpf_fd_pass
bpftool-3627 [002] 65056.387852: function: bpf_fd_pass
bpftool-3627 [002] 65056.388129: function: bpf_fd_pass
bpftool-3627 [002] 65056.388151: function: bpf_fd_pass
bpftool-3627 [002] 65056.388179: function: bpf_fd_pass
bpftool-3627 [002] 65056.388344: function: bpf_fd_pass
bpftool-3627 [002] 65056.388372: function: bpf_fd_pass
bpftool-3627 [002] 65056.388405: function: bpf_fd_pass
bpftool-3627 [002] 65056.389144: function: bpf_fd_pass
bpftool-3627 [002] 65056.389217: function: bpf_fd_pass
bpftool-3627 [002] 65056.389269: function: bpf_fd_pass
bpftool-3627 [002] 65056.389294: function: bpf_fd_pass
bpftool-3627 [002] 65056.389359: function: bpf_fd_pass
bpftool-3627 [002] 65056.389414: function: bpf_fd_pass

There are only bpf_fd_pass calls in the kernel, so it looks like something is denying the permission at the security subsystem level, but I did setenforce 0 and it didn't help :S
So 'sudo bpftool prog' works for me on both F28 and rawhide. What kernel version are you running on? Are you running with secure boot on by any chance?
Interesting, does it work for you when you're logged in as root? I have Secure Boot on on my F28 machine, but not on the Rawhide one. The error is slightly different on the Rawhide:
Error: can't get prog by id (13): Permission denied
instead of:
Error: can't get next program: Operation not permitted

$ uname -r
4.16.14-300.fc28.x86_64
and
$ uname -r
4.18.0-0.rc0.git7.2.fc29.x86_64
Oh, turns out on the Rawhide machine setenforce 0 fixes the issue, so it's SELinux related... Does secure boot make it impossible to disable SELinux?
selinux and secureboot are not connected but it is expected that bpf is disabled when secureboot is enabled, so that explains F28. I forgot I have my rawhide machine in reporting only mode and I do see selinux failures there. So we could move this bug to selinux policy to fix it up there.
Thank you! I didn't know secure boot disables BPF, is it a Fedora/RHEL specific patch or does it happen on upstream kernels too? I'm happy for the bug to be moved to selinux-policy, FWIW:
AVC avc: denied { prog_run } for pid=10409 comm="bpftool" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1
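Triage helper for AVC records of the shape quoted above (added example, not part of this bug report or of selinux-policy). It parses the denial, keeps the permissive flag apart from a real block, and groups denials into the allow rules a policy fix would have to contain; the sample audit lines other than the first are constructed here.

```python
import re

# Shape of the denial quoted above: "avc: denied { perms } for key=value ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

CTX = "scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0"
# Constructed sample: line 1 is the denial from the report (permissive=1, logged only);
# the others are made up to cover enforcing mode, several permissions and a non-AVC record.
SAMPLE_AUDIT = [
    'AVC avc: denied { prog_run } for pid=10409 comm="bpftool" ' + CTX + ' tclass=bpf permissive=1',
    'AVC avc: denied { prog_run } for pid=10512 comm="bpftool" ' + CTX + ' tclass=bpf permissive=0',
    'AVC avc: denied { map_read map_write } for pid=10600 comm="bpftool" ' + CTX + ' tclass=bpf permissive=0',
    'type=SYSCALL msg=audit(1.2:3): arch=c000003e syscall=321 success=no exit=-1',
]

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    # permissive=0 means the access was really blocked; permissive=1 means SELinux
    # only logged it (reporting-only mode), so the tool kept working.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec

def summarize(lines):
    """Group denials by (source type, target type, class, permission) with count and enforced flag."""
    summary = {}
    for rec in filter(None, map(parse_avc, lines)):
        stype, ttype = rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            e = summary.setdefault((stype, ttype, rec["tclass"], perm), {"count": 0, "enforced": False})
            e["count"] += 1
            e["enforced"] |= rec["enforced"]
    return summary

def allow_rules(summary):
    """Render TE allow rules covering the summarized denials, one per source/target/class."""
    grouped = {}
    for stype, ttype, tclass, perm in summary:
        grouped.setdefault((stype, ttype, tclass), set()).add(perm)
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in grouped.items())
```

Compare the rendered rules against what the installed policy already grants before deciding whether the fix belongs in policy or in the application.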
The secureboot work is still going upstream but yes, it's intended to be locked down upstream too. I'll move this over to selinux-policy.
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.