Probe loading failure on GKE (COS_CONTAINERD)

On GKE 1.32 with image flavor==COS_CONTAINERD (Linux 6.6.93+), Fact fails to start with message:

```
Error: the BPF_PROG_LOAD syscall failed. Verifier output: reg type unsupported for arg#0 function trace_file_open#40
0: R1=ctx(off=0,imm=0) R10=fp0
; int BPF_PROG(trace_file_open, struct file* file) {
0: (79) r7 = *(u64 *)(r1 +0)
func 'bpf_lsm_file_open' arg0 has btf_id 220 type STRUCT 'file'
1: R1=ctx(off=0,imm=0) R7_w=trusted_ptr_file(off=0,imm=0)
1: (b7) r1 = 0                        ; R1_w=0
; uint32_t key = 0;
2: (63) *(u32 *)(r10 -84) = r1        ; R1_w=0 R10=fp0 fp-88=0000????
; if ((file->f_mode & (FMODE_WRITE | FMODE_PWRITE)) == 0) {
3: (61) r1 = *(u32 *)(r7 +20)         ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R7_w=trusted_ptr_file(off=0,imm=0)
; if ((file->f_mode & (FMODE_WRITE | FMODE_PWRITE)) == 0) {
4: (57) r1 &= 18                      ; R1_w=scalar(umax=18,var_off=(0x0; 0x12))
; if ((file->f_mode & (FMODE_WRITE | FMODE_PWRITE)) == 0) {
5: (15) if r1 == 0x0 goto pc+123      ; R1_w=scalar(umax=18,var_off=(0x0; 0x12))
6: (bf) r2 = r10                      ; R2_w=fp0 R10=fp0
7: (07) r2 += -84                     ; R2_w=fp-84
; struct helper_t* helper = bpf_map_lookup_elem(&helper_map, &key);
8: (18) r1 = 0xffff8881548e7200       ; R1_w=map_ptr(off=0,ks=4,vs=8320,imm=0)
10: (85) call bpf_map_lookup_elem#1   ; R0=map_value_or_null(id=1,off=0,ks=4,vs=8320,imm=0)
11: (bf) r6 = r0                      ; R0=map_value_or_null(id=1,off=0,ks=4,vs=8320,imm=0) R6_w=map_value_or_null(id=1,off=0,ks=4,vs=8320,imm=0)
; if (helper == NULL) {
12: (55) if r6 != 0x0 goto pc+5 18: R0=map_value(off=0,ks=4,vs=8320,imm=0) R6=map_value(off=0,ks=4,vs=8320,imm=0) R7=trusted_ptr_file(off=0,imm=0) R10=fp0 fp-88=mmmm????
; struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
18: (18) r1 = 0xffff8881548e4800      ; R1_w=map_ptr(off=0,ks=0,vs=0,imm=0)
20: (b7) r2 = 28736                   ; R2_w=28736
21: (b7) r3 = 0                       ; R3_w=0
22: (85) call bpf_ringbuf_reserve#131         ; R0_w=ringbuf_mem_or_null(id=3,ref_obj_id=3,off=0,imm=0) refs=3
23: (bf) r9 = r0                      ; R0_w=ringbuf_mem_or_null(id=3,ref_obj_id=3,off=0,imm=0) R9_w=ringbuf_mem_or_null(id=3,ref_obj_id=3,off=0,imm=0) refs=3
; if (event == NULL) {
24: (55) if r9 != 0x0 goto pc+5 30: R0_w=ringbuf_mem(ref_obj_id=3,off=0,imm=0) R6=map_value(off=0,ks=4,vs=8320,imm=0) R7=trusted_ptr_file(off=0,imm=0) R9_w=ringbuf_mem(ref_obj_id=3,off=0,imm=0) R10=fp0 fp-88=mmmm???? refs=3
; return 0;
30: (b7) r2 = 152                     ; R2_w=152 refs=3
31: (bf) r1 = r7                      ; R1_w=trusted_ptr_file(off=0,imm=0) R7=trusted_ptr_file(off=0,imm=0) refs=3
32: (0f) r1 += r2                     ; R1_w=trusted_ptr_file(off=152,imm=0) R2_w=152 refs=3
; if (bpf_d_path(&file->f_path, event->filename, PATH_MAX) < 0) {
33: (bf) r2 = r9                      ; R2_w=ringbuf_mem(ref_obj_id=3,off=0,imm=0) R9_w=ringbuf_mem(ref_obj_id=3,off=0,imm=0) refs=3
34: (07) r2 += 20544                  ; R2_w=ringbuf_mem(ref_obj_id=3,off=20544,imm=0) refs=3
; if (bpf_d_path(&file->f_path, event->filename, PATH_MAX) < 0) {
35: (b7) r3 = 4096                    ; R3_w=4096 refs=3
36: (85) call bpf_d_path#147          ; R0=scalar() refs=3
; if (bpf_d_path(&file->f_path, event->filename, PATH_MAX) < 0) {
37: (65) if r0 s> 0xffffffff goto pc+5 43: R0=scalar(umax=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff)) R6=map_value(off=0,ks=4,vs=8320,imm=0) R7=trusted_ptr_file(off=0,imm=0) R9=ringbuf_mem(ref_obj_id=3,off=0,imm=0) R10=fp0 fp-88=mmmm???? refs=3
; goto end;
43: (7b) *(u64 *)(r10 -144) = r7      ; R7=trusted_ptr_file(off=0,imm=0) R10=fp0 fp-144_w=trusted_ptr_ refs=3
44: (7b) *(u64 *)(r10 -128) = r6      ; R6=map_value(off=0,ks=4,vs=8320,imm=0) R10=fp0 fp-128_w=map_value refs=3
; event->timestamp = bpf_ktime_get_boot_ns();
45: (85) call bpf_ktime_get_boot_ns#125       ; R0_w=scalar() refs=3
; event->timestamp = bpf_ktime_get_boot_ns();
46: (7b) *(u64 *)(r9 +0) = r0         ; R0_w=scalar() R9=ringbuf_mem(ref_obj_id=3,off=0,imm=0) refs=3
; struct task_struct* task = (struct task_struct*)bpf_get_current_task();
47: (85) call bpf_get_current_task#35         ; R0_w=scalar() refs=3
48: (bf) r7 = r0                      ; R0_w=scalar(id=4) R7_w=scalar(id=4) refs=3
49: (b7) r8 = 0                       ; R8_w=0 refs=3
; uint32_t key = 0;
50: (63) *(u32 *)(r10 -60) = r8       ; R8_w=0 R10=fp0 fp-64=0000???? refs=3
; uint64_t uid_gid = bpf_get_current_uid_gid();
51: (85) call bpf_get_current_uid_gid#15      ; R0=scalar() refs=3
; p->uid = uid_gid & 0xFFFFFFFF;
52: (63) *(u32 *)(r9 +12316) = r0     ; R0=scalar() R9=ringbuf_mem(ref_obj_id=3,off=0,imm=0) refs=3
; p->gid = (uid_gid >> 32) & 0xFFFFFFFF;
53: (77) r0 >>= 32                    ; R0_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) refs=3
; p->gid = (uid_gid >> 32) & 0xFFFFFFFF;
54: (63) *(u32 *)(r9 +12320) = r0     ; R0_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R9=ringbuf_mem(ref_obj_id=3,off=0,imm=0) refs=3
55: (85) call unknown#195896080
invalid func unknown#195896080
verification time 511 usec
stack depth 144
processed 60 insns (limit 1000000) max_states_per_insn 0 total_states 6 peak_states 6 mark_read 2


Caused by:
    Invalid argument (os error 22)
```

The unknown helper seems to be `bpf_get_current_pid_tgid` and indeed, bpftool shows that while the function exists, it is not available for LSM programs. I was added in 6.8.

Initial attempt at trying to access the tgid directly in the task struct did solve the unresolved symbol issue, but the verifier is then unhappy about another later line.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Probe loading failure on GKE (COS_CONTAINERD) #34

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Probe loading failure on GKE (COS_CONTAINERD) #34

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions