USB-hotplugging fails with "failed to load cgroup BPF prog: Operation not permitted" on cgroups v2

Pol Van Aubel libvirt at qwfp.nl
Wed May 13 14:41:50 UTC 2020


Hi,

Top-posting a quick update to this: it has magically started working
with linux 5.6.10. Didn't on 5.5.13 nor 5.4.35-lts. So the problem has
been solved, even though I never got to trace it to its source.

-- Pol


Quoting Pol Van Aubel (2020-02-15 17:16:14)
> Hi,
> 
> Quoting Pol Van Aubel (2020-01-21 23:41:48)
> > Hi,
> > 
> > Quoting Pavel Hrdina (2020-01-21 12:53:49)
> > > Thanks for the logs, but it did not help to figure out where the issue
> > > is.  I was hoping to see some error output from the syscall but the line
> > > that should contain it is empty:
> > > 
> > > 2020-01-20 19:47:15.589+0000: 8579: debug : virBPFLoadProg:78 :
> > > 
> > > Can you please check system logs and output of dmesg?
> > > 
> > > I've managed to run into this article [1] that explains that even if you
> > > have all permissions and no SELinux you can still be blocked by
> > > something called kernel_lockdown and it should appear in dmesg.
> > > 
> > > Pavel
> > > 
> > > [1] <https://gehrcke.de/2019/09/running-an-ebpf-program-may-require-lifting-the-kernel-lockdown/>
> > 
> > Unfortunately, nothing related to kernel lockdowns. My kernel sysrq also
> > doesn't seem to recognize x, and neither dmesg nor system journal
> > indicate the system is even booted with lockdowns. I don't run
> > Secure Boot, so that makes sense. I do get an audit message but that
> > doesn't really enlighten me any further; there are only 4 messages in the
> > journal related to this action.
> > 
> > <snip>
> > 
> > I honestly don't know how to even begin debugging what's happening, what
> > the reason for the rejection is.
> 
> I've spent a long afternoon reading into BPF, checking that I'm really
> running this as root, with CAP_SYS_ADMIN, etc., and am drawing a blank.
> Everything I'm looking at is telling me this *should* work, but it
> doesn't.
> 
> Does anyone have a suggestion of how to either efficiently debug this
> issue (I'm not too familiar with tracing, but figuring out where the
> rejection actually happens might help?), or where to put the question
> instead?
> 
> -- Pol
> 
> 
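The two checks discussed in this thread (kernel lockdown state and CAP_SYS_ADMIN in the effective set of the process that loads the program), as an added example that is not part of the original messages or of libvirt. The function names and the sample inputs are constructed for illustration; the script assumes the standard `/proc/<pid>/status` and `/sys/kernel/security/lockdown` formats.

```python
"""Triage for EPERM on BPF program load: lockdown state and CapEff of a process."""
import re
import sys
from pathlib import Path

CAP_SYS_ADMIN = 21  # bit number from linux/capability.h

# Constructed sample inputs (not taken from the thread).
SAMPLE_STATUS = "Name:\tlibvirtd\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
SAMPLE_LOCKDOWN = "none [integrity] confidentiality\n"

def lockdown_mode(text):
    """Active mode is the bracketed word, e.g. 'none [integrity] confidentiality'."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else None

def effective_caps(status_text):
    """Parse the CapEff hex bitmask out of /proc/<pid>/status content."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def has_cap(mask, bit):
    return bool((mask >> bit) & 1)

def triage(status_text, lockdown_text=None):
    """Return a list of findings; an empty list means both checks pass."""
    notes = []
    if not has_cap(effective_caps(status_text), CAP_SYS_ADMIN):
        notes.append("CAP_SYS_ADMIN missing from CapEff")
    # lockdown_text is None when the lockdown file does not exist on this kernel.
    mode = lockdown_mode(lockdown_text) if lockdown_text else None
    if mode not in (None, "none"):
        notes.append(f"lockdown={mode}: look for 'Lockdown:' lines in dmesg")
    return notes

if __name__ == "__main__":
    # Pass the PID of the daemon that performs the load, not of your shell.
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    status = Path(f"/proc/{pid}/status").read_text()
    lock = Path("/sys/kernel/security/lockdown")
    findings = triage(status, lock.read_text() if lock.exists() else None)
    print("\n".join(findings) or "capabilities and lockdown look fine; cause is elsewhere")
```

An empty result corresponds to the situation reported in this thread, where both checks passed and the rejection still occurred.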





More information about the libvirt-users mailing list