The function security_path_chown arg1 type STRUCT is unsupported.

[chenhengqi]

#!/usr/bin/python

from bcc import BPF

bpf_text = '''
KFUNC_PROBE(security_path_chown, struct path *path)
{
    return 0;
}
'''

b = BPF(text=bpf_text)
print("BPF programs loaded")
b.trace_print()

This small program failed with the following error messages:

bpf: Failed to load program: Invalid argument
The function security_path_chown arg1 type STRUCT is unsupported.
processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

Did not figure out what causes this error. Changing the function security_path_chown to security_path_chmod works fine.

[chenhengqi]

After reading this commit, I think this is not a bug but a limitation of BPF.

@yonghong-song Could you help confirming this ?

[chenhengqi]

A second thought:

Though arg1 and arg2 of int security_path_chown(struct path *path, kuid_t uid, kgid_t gid); have type struct, but both fit in an u64:

[507] STRUCT '(anon)' size=4 vlen=1
    'val' type_id=56 bits_offset=0
[508] TYPEDEF 'kuid_t' type_id=507
[509] STRUCT '(anon)' size=4 vlen=1
    'val' type_id=57 bits_offset=0
[510] TYPEDEF 'kgid_t' type_id=509

Maybe add an allowlist to kernel for these types would work.

[yonghong-song]

@chenhengqi You are correct. btf_ctx_access only allows scalar or pointer. The kuid_t, after removing typedef, it is a structure and hence verifier returns a failure.

It is tricky to handle structure argument. If the structure is small, which is the case for the above example, the compiler might pass the value. But if the structure is big, the compiler will allocate the structure on the caller stack and pass a reference. So this makes is hard to support structure argument. The potential implementation here COULD become compiler version dependent.

Let us do a little more research to see whether a suitable solution is possible.

[chenhengqi]

Ah, thanks. I didn't realize that compiler would do pass by reference for structure arguments.