
Missing compilation clang dependency while running the tracee binary in Android #11

Open
JacquesJurado opened this issue May 24, 2023 · 5 comments


@JacquesJurado commented May 24, 2023

I managed to build BPFroid for Google Pixel 4; for the binary I also cloned your bugfix of the last two days. However, when I run tracee in the directory /data/local/tmp/dist, the following message occurs:
[image]

Here is a debug execution:
[image]

NOTE: The second issue that I fixed was that, to run tracee, I had to rename tracee.bpf..o to tracee.bpf.o, because it couldn't open the file.

@yanivagman (Owner)

If you get to the point where BPFroid/tracee tries to build the bpf object, then it failed to find the bpf object file. This probably happens due to renaming the file like you did.
Anyway, you can set the TRACEE_BPF_FILE environment variable to point to the correct object location in the filesystem. More info on how tracee locates the file is found here: https://github.com/yanivagman/BPFroid/blob/main/main.go#L1051
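As an added example (not code from BPFroid or its author), the following POSIX shell helper checks the object file before launching tracee with TRACEE_BPF_FILE set, so a wrong path, a leftover from the rename, or unreadable permissions is reported up front rather than as an attempt to build the object. The directory /data/local/tmp/dist and the file name tracee.bpf.o come from this thread; any arguments after the directory are passed straight through to tracee, which is an assumption about how the caller wants to use it.

```shell
#!/bin/sh
# Added example, not BPFroid/tracee code: verify the BPF object before pointing
# TRACEE_BPF_FILE at it, so a wrong path, a file left over from a rename, or
# unreadable permissions fail here with a clear reason.

# check_bpf_object PATH: 0 if PATH is a readable ELF file, 1 (with a reason
# on stderr) otherwise.
check_bpf_object() {
    obj="$1"
    if [ ! -f "$obj" ]; then
        echo "no such file: $obj" >&2
        return 1
    fi
    if [ ! -r "$obj" ]; then
        echo "not readable: $obj" >&2
        return 1
    fi
    # A BPF object is an ELF file; its first four bytes are 0x7f 'E' 'L' 'F'.
    magic=$(dd if="$obj" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not an ELF object (magic: $magic): $obj" >&2
        return 1
    fi
    return 0
}

# run_tracee [DIST] [tracee args...]: launch DIST/tracee with TRACEE_BPF_FILE
# set to DIST/tracee.bpf.o. DIST defaults to the directory used in this thread.
run_tracee() {
    dist="${1:-/data/local/tmp/dist}"
    if [ $# -gt 0 ]; then shift; fi
    obj="$dist/tracee.bpf.o"
    check_bpf_object "$obj" || return 1
    TRACEE_BPF_FILE="$obj" "$dist/tracee" "$@"
}
```

On the device, `run_tracee /data/local/tmp/dist` (or `run_tracee` alone) performs the checks and then execs tracee with the variable set for that one invocation, so nothing in the shell environment is changed for later commands.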

@JacquesJurado (Author)

Thank you, I've set the TRACEE_BPF_FILE environment variable, and then the following error occurs:
[image]
[image]
I work with a kernel with the appropriate root rights. The phone is rooted and SELinux is set to permissive, but the binary can't open and read the tracee.bpf..o file. Did you also have this issue on your phone? If yes, could you say how to resolve it?

@yanivagman (Owner)

Seems like a verifier error, not a permissions problem.
This means that the bpf program was rejected by the verifier when trying to load it.
In the above case, the program that failed to load is the sys_exit tracepoint. I didn't see this issue in my setup.
I would first check if that is consistent (always happens on sys_exit), and then try to find which lines are causing the failure. You can start by simply returning 0 at the entry of the sys_exit tracepoint program to see if the error is resolved (it might be that another program will fail then). If you don't get an error (for sys_exit) after placing the return at the beginning of the program, move the return line by line until finding what is causing the issue. I will need more information to see if I can help here...
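The line-by-line search suggested above can be automated. The script below is an added example, not BPFroid code: it inserts `return 0;` right after the opening brace of the named BPF program, rebuilds and loads through a caller-supplied command, and moves the return down one line per iteration until the load fails; the line just above the return at that point is the one the verifier objects to. The loader command (for instance a make target followed by a tracee run with TRACEE_BPF_FILE set) is assumed and supplied by the caller; it receives the source path and must exit non-zero when loading fails.

```shell
#!/bin/sh
# Added example, not BPFroid/tracee code: automate the "move return 0 line by
# line" search for the statement that makes the verifier reject a program.

# inject_return SRC N OUT: copy SRC to OUT with "return 0;" inserted after line N.
inject_return() {
    awk -v n="$2" '{ print } NR == n { print "    return 0;" }' "$1" > "$3"
}

# body_start SRC FUNC: line number of the "{" that opens FUNC's body
# (first line matching FUNC, then the first "{" at or after it).
body_start() {
    awk -v f="$2" '$0 ~ f { found = 1 } found && /\{/ { print NR; exit }' "$1"
}

# bisect_program SRC FUNC LOADER
# LOADER is a caller-supplied command (hypothetical) that receives the source
# path, rebuilds the BPF object and tries to load it, exiting non-zero when the
# verifier rejects the program. The early return starts right after the opening
# brace and moves down one line per iteration; the first variant that fails
# prints the offending line number. SRC is restored afterwards.
bisect_program() {
    src="$1"; func="$2"; loader="$3"
    start=$(body_start "$src" "$func")
    total=$(awk 'END { print NR }' "$src")
    [ -n "$start" ] || { echo "function $func not found in $src" >&2; return 2; }
    cp "$src" "$src.orig"
    n=$start
    while [ "$n" -lt "$total" ]; do
        inject_return "$src.orig" "$n" "$src"
        if ! $loader "$src" >&2; then
            mv "$src.orig" "$src"
            if [ "$n" -eq "$start" ]; then
                # Even an empty body fails: the problem is elsewhere
                # (another program, or the object as a whole).
                echo "$func fails even with an empty body" >&2
                return 1
            fi
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    mv "$src.orig" "$src"
    echo "no variant failed: the problem is not inside $func" >&2
    return 1
}
```

Each iteration compiles and loads once, so a 60-line program costs at most 60 builds; that is fine for the hand-driven search described above, and the linear scan keeps the interpretation simple (the first failing variant is the answer). The `.orig` copy guarantees the source is back in its original state whether the search succeeds or not.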

@JacquesJurado (Author)

I didn't notice that the kernel has to be patched in order to run tracee successfully. For the Google Pixel 4 I ran all patches from your repository, but some failed, especially 0008-add-uprobe-support. I have to figure out why. Hence my question: where can I find the patches of your repository for Google Pixel 4? Are these patches self-written by you? It would be nice to run tracee also on Google Pixel 4 with Android 10 or 11.

@yanivagman (Owner)

Actually, I had to backport some features to the Pixel 3a kernel since it was an old kernel (4.9) and some features were missing for ARM (e.g. working with uprobes), so I backported some required commits and disabled the verifier.
If you use a newer kernel (4.14 and later), it should simply work without using these patches.
Which kernel does your phone use?
