[MIR] bpftrace

Bug #2052809 reported by Mate Kukri
Affects: bpftrace (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Availability]
- The package bpftrace is already in Ubuntu universe.
- The package bpftrace builds for the architectures it is designed to work on.
- It currently builds and works for architectures: any
- Link to package https://launchpad.net/ubuntu/+source/bpftrace

[Rationale]
- The package bpftrace is to be supported in Ubuntu main as part of Canonical's
  effort to make Ubuntu a great platform for performance engineering.
- There is no other/better way to solve this that is already in main or
  should go universe->main instead of this.
- The package bpftrace is required in Ubuntu main as part of the Noble Numbat
  release, and hence should be promoted to main before NN feature freeze.

[Security]
- No CVEs/security issues in this software in the past
- No `suid` or `sgid` binaries
- Binary has *.bt in sbin, this is no problem because these are bpf tracers for
  various things, and are part of the expected functionality of the package
- Package does not install services, timers or recurring jobs
- Security has been kept in mind and common isolation/risk-mitigation
  patterns are in place utilizing the following features:
  the package is a debugging tool, and cannot be fully isolated.
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/bpftrace/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=bpftrace
  - Upstream's bug tracker: https://github.com/bpftrace/bpftrace/issues/
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a test at build time
- The package does not run an autopkgtest
- The package does have not failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package:
  https://launchpadlibrarian.net/711817587/buildlog_ubuntu-noble-amd64.bpftrace_0.20.1-1_BUILDING.txt.gz
- Please attach the full output you have got from `lintian --pedantic` as an
  extra post to this bug:
  ```
  W: bpftrace source: superfluous-file-pattern resources/*.h [debian/copyright:19]
  P: bpftrace source: silent-on-rules-requiring-root [debian/control]
  ```
- Lintian overrides are present, but ok because unstripped binaries are
  necessary for bpftrace to function
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to debian/rules:
  ```
  #!/usr/bin/make -f

  %:
    dh $@

  override_dh_auto_configure:
    dh_auto_configure -- -DBUILD_TESTING:BOOL=ON -DUSE_SYSTEM_BPF_BCC=1

  STRIP_CMD=strip --keep-symbol=BEGIN_trigger --keep-symbol=END_trigger --remove-section=.comment --remove-section=.note
  override_dh_strip:
    dh_strip -Xbpftrace -Xbpftrace-aotrt
    $(STRIP_CMD) debian/bpftrace/usr/bin/bpftrace
    $(STRIP_CMD) debian/bpftrace/usr/bin/bpftrace-aotrt

  override_dh_auto_install:
    dh_auto_install
    rm -rf debian/bpftrace/usr/share/bpftrace/tools/doc

    # Move binaries to /usr/sbin
    mkdir -p debian/bpftrace/usr/sbin
    mv debian/bpftrace/usr/share/bpftrace/tools/*.bt debian/bpftrace/usr/sbin
    rm -rf debian/bpftrace/usr/share/bpftrace/tools/old
    rmdir debian/bpftrace/usr/share/bpftrace/tools \
          debian/bpftrace/usr/share/bpftrace
  ```

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- There are further dependencies that are not yet in main, MIR for bpfcc is at
  LP: #2052813

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Foundations and I have their acknowledgement for
  that commitment
- The future owning team is not yet subscribed, but will subscribe to
  the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built in the archive more recently than the last
  test rebuild

[Background information]
- The Package description explains the package well
- Upstream Name is bpftrace
- Link to upstream project: https://github.com/bpftrace/bpftrace
- This is part of an effort by Canonical to provide performance tooling

Tags: sec-3898

Mate Kukri (mkukri) wrote :

NOTE: bpfcc MIR is WIP, and this has the issue of missing unit tests, and missing autopkgtest to resolve.

Mate Kukri (mkukri)
description: updated
Changed in bpftrace (Ubuntu):
assignee: nobody → James Page (james-page)
James Page (james-page)
Changed in bpftrace (Ubuntu):
status: New → In Progress
James Page (james-page) wrote :

Review for Source Package: bpftrace

[Summary]
Generally looks OK for promotion to main; due to the intended use of
this tool a security team review is required.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

Required TODOs:
- Enable test suite execution for build and autopkgtests

Recommended TODOs:
- The package should get a team bug subscriber before being promoted
  (detailed in original submission)

[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality.
A team is committed to own long term maintenance of this package.
The rationale given in the report seems valid and useful for Ubuntu

[Dependencies]
OK:
- bpftrace checked with `check-mir`
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- one of the (potentially auto-generated) dependencies (Depends
  and Recommends) that are present after build are not in main
  - Binary only promotion of libclang1-17 to main will be required.
- Dependency on bpfcc covered under MIR bug 2052813

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking aside from a headers only library use (see below)
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems (maybe):
- Package BD's on libcereal-dev which is a headers only library that is
  not in main.

[Security]
OK:
- history of CVEs does not look concerning
  - NO CVE history - https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bpftrace
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features (dropping permissions, using temporary environments,
  restricted users/groups, seccomp, systemd isolation features,
  apparmor, ...)

Problems:
- None

Note:
Although bpftrace ticks the boxes above it is obviously designed to dive
deep into the internals of Linux so as such probably deserves a security
team review.

[Common blockers]
OK:
- does not FTBFS currently
- does not need special HW for build or test
- no new python2 dependency

Problems:
- does not have a test suite that runs at build time
- does not have a non-trivial test suite that runs as autopkgtest

TODO:
- package seems to have some tests - investigate running these during pac...

James Page (james-page) wrote :

Marking incomplete pending completion of requested TODO tasks; I've subscribed ubuntu-security for awareness of the need for a security review to support the MIR.

Changed in bpftrace (Ubuntu):
status: In Progress → Incomplete
assignee: James Page (james-page) → nobody
Mark Esler (eslerm)
tags: added: sec-3898
Mate Kukri (mkukri) wrote :

#1
- build time tests don't pass unfortunately
- can't get it to pass as an autopkgtest either currently

Changed in bpftrace (Ubuntu):
status: Incomplete → In Progress
Seth Arnold (seth-arnold) wrote :

I don't have a noble vm up and running yet, has this issue been addressed yet?

https://bugs.launchpad.net/ubuntu/+source/bpftrace/+bug/1969625
https://github.com/bpftrace/bpftrace/issues/954

It's pretty annoying to need to configure and install a ddeb package just to use these binaries. At least that was required on my 22.04 LTS machine:

```
sarnold@wopr:/newsrv/trees/ubuntu/main/s/systemd/systemd_252.5-2ubuntu3 1 $ sudo apt install bpftrace
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libflashrom1 libftdi1-2
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libclang1-11
The following NEW packages will be installed:
  bpftrace libclang1-11
0 upgraded, 2 newly installed, 0 to remove and 61 not upgraded.
Need to get 0 B/6,682 kB of archives.
After this operation, 27.6 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 file:/srv/mirror/ubuntu jammy/universe amd64 libclang1-11 amd64 1:11.1.0-6 [6,053 kB]
Get:2 file:/srv/mirror/ubuntu jammy/universe amd64 bpftrace amd64 0.14.0-1 [628 kB]
Selecting previously unselected package libclang1-11.
(Reading database ... 156956 files and directories currently installed.)
Preparing to unpack .../libclang1-11_11.1.0-6_amd64.deb ...
Unpacking libclang1-11 (1:11.1.0-6) ...
Selecting previously unselected package bpftrace.
Preparing to unpack .../bpftrace_0.14.0-1_amd64.deb ...
Unpacking bpftrace (0.14.0-1) ...
Setting up libclang1-11 (1:11.1.0-6) ...
Setting up bpftrace (0.14.0-1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
sarnold@wopr:/newsrv/trees/ubuntu/main/s/systemd/systemd_252.5-2ubuntu3 9s $ sudo opensnoop.bt
Attaching 6 probes...
ERROR: Could not resolve symbol: /proc/self/exe:BEGIN_trigger
sarnold@wopr:/newsrv/trees/ubuntu/main/s/systemd/systemd_252.5-2ubuntu3 255 $ sudo execsnoop.bt
Attaching 3 probes...
ERROR: Could not resolve symbol: /proc/self/exe:BEGIN_trigger
[...]
sarnold@wopr:/newsrv/trees/ubuntu/main/s/systemd/systemd_252.5-2ubuntu3 255 $ sudo apt install bpftrace-dbgsym
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package bpftrace-dbgsym
sarnold@wopr:/newsrv/trees/ubuntu/main/s/systemd/systemd_252.5-2ubuntu3 100 $ echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \
sudo tee -a /etc/apt/sources.list.d/ddebs.list
deb http://ddebs.ubuntu.com jammy main restricted universe multiverse
deb http://ddebs.ubuntu.com jammy-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com jammy-proposed main restricted universe multiverse
sarnold@wopr:/newsrv/trees/ubuntu/main/s/systemd/systemd_252.5-2ubuntu3 $ sudo apt update && sudo apt install bpftrace-dbgsym
Get:1 file:/srv/mirror/ubuntu jammy InRelease [270 kB]
Get:1 file:/srv/mirro...
```

Mate Kukri (mkukri) wrote :

This diff enables the bpftrace test suite as autopkgtests.

I was unable to get some sub-tests working, so some sub-tests are disabled. Over 80% of the original test suite is executed, so it should still provide some useful coverage.

Mate Kukri (mkukri) wrote :

Added DEP3 header

Mark Esler (eslerm) wrote :

Assigning to Security early, so that this is not blocked for 24.04.

After Feature Freeze, if the MIR Team has requirements for a package, but is reasonably sure that the owning-team will accomplish them, please assign MIRs to the Security team immediately.

Changed in bpftrace (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Mark Esler (eslerm) wrote :

I reviewed bpftrace 0.20.1 as checked into noble. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> bpftrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace uses LLVM as a backend to compile scripts to BPF-bytecode and makes use of BCC for interacting with the Linux BPF system, as well as existing Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level dynamic tracing (uprobes), and tracepoints. The bpftrace language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. bpftrace was created by Alastair Robertson.

- CVE History:
  - none
- Build-Depends?
  - nothing concerning
  - except what MIR Team mentions (libcereal-dev)
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/bpftrace
  - ./usr/bin/bpftrace-aotrt
  - ./usr/sbin/*.bt
    - these are bpftrace tools/examples
    - they are based on bcc code included in bpfcc-tools
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - none !
  - the ./usr/sbin/*.bt files would make excellent test cases though !
- cron jobs?
  - none
- Build logs:
  - warning building bpftrace(8) man page
  - other binaries missing man pages
  - -Wmaybe-uninitialized
  - source: superfluous-file-pattern

- Processes spawned?
  - can run modprobe kheaders
  - exec rm -rf temp dir
  - execve and exec_system expected for tracing
  - ./src/bpftrace.cpp line 666 o.o
- Memory management?
  - relatively light, mostly sprintf and memcpy
  - see comments in bpftrace.cpp's perf_event_printer()
    - memory use is carefully thought out
- File IO?
  - opens /sys/kernel/kheaders.tar.xz (module must be loaded)
  - files, descriptors, pipes, and pcap used for tracing
- Logging?
  - extremely heavy use, as expected for tracing
- Environment variable usage?
  - mostly BPFTRACE_ variables
- Use of privileged functions?
  - ./src/attached_probe.cpp uses ioctl twice
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - yes, to load kheaders
    - temp path is predictable, `// already unpacked`
    - potentially, an unprivileged attacker could exploit this when a root user runs bpftrace and loads Kernel Headers
    - Resolved quickly by upstream! CVE-2024-2313
- Use of networking?
  - moderate use
  - potential danger for crafted input
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none, besides tests and scripts
- Any significant Coverity results?
  - appear to be false positives
- Any significant shellcheck results?
  - none, besides tests, scripts, and CI
- Any significant bandit results?
  - none

Running bpftrace without root privilege results in 'ERROR: bpftrace currently only supports running as the root user.' :)

In most cases a bug in bpftrace will not cause a loss of security; root already has complete control. Giving access to bpftrace to an unprivileged user, telnet, etc would not be a vulnerability in ...


Changed in bpftrace (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
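
The temp-file finding in the review above (a predictable path that is reused when it is "already unpacked") is the usual shared-temp-directory hazard for a tool run as root. The following is an added example, not bpftrace's code and not the upstream fix for CVE-2024-2313: it shows one defensive pattern, trusting an existing directory only after an ownership and mode check and otherwise creating a fresh one with `mkdtemp`. The directory name `kheaders-cache` and all function names are hypothetical.

```cpp
// Added example: not bpftrace source and not the upstream fix for CVE-2024-2313.
// "kheaders-cache" is a hypothetical directory name used only for illustration.
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

// True only if `path` is a real directory (lstat: symlinks are rejected),
// owned by `owner`, and not writable by group or others.
bool is_trusted_dir(const std::string &path, uid_t owner) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return false;    // missing or unreadable
    if (!S_ISDIR(st.st_mode)) return false;             // file, symlink, fifo, ...
    if (st.st_uid != owner) return false;               // pre-created by someone else
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return false; // others could alter contents
    return true;
}

// Create a fresh 0700 directory with an unpredictable suffix under `base`.
// Returns the new path, or an empty string on failure.
std::string make_private_dir(const std::string &base, const std::string &prefix) {
    std::string tmpl = base + "/" + prefix + "XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    if (mkdtemp(buf.data()) == nullptr) return "";
    return std::string(buf.data());
}

// Reuse an "already unpacked" cache only when it passes the trust check;
// otherwise fall back to a fresh private directory.
std::string choose_unpack_dir(const std::string &base, const std::string &cache_name,
                              uid_t owner, bool *reused) {
    std::string cached = base + "/" + cache_name;
    *reused = is_trusted_dir(cached, owner);
    return *reused ? cached : make_private_dir(base, cache_name + "-");
}

int main() {
    // Constructed scenario: a scratch base directory stands in for /tmp.
    std::string base = make_private_dir("/tmp", "unpack-demo-");
    if (base.empty()) return 1;
    std::string planted = base + "/kheaders-cache";
    mkdir(planted.c_str(), 0700);
    chmod(planted.c_str(), 0777);   // simulate a directory others can write to
    bool reused = false;
    std::string dir = choose_unpack_dir(base, "kheaders-cache", geteuid(), &reused);
    std::printf("reused=%d dir=%s\n", reused, dir.c_str());
    return 0;
}
```

The check covers the directory itself; a caller that reuses a cache would still validate the files it reads from it.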
Lukas Märdian (slyon) wrote :

Security review OK (comment #9). I just subscribed ~foundations-bugs.

- build-time tests not easily possible, due to kernel dependency
- autopkgtests rebased & sponsored: https://launchpad.net/ubuntu/+source/bpftrace/0.20.2-1ubuntu3

Changed in bpftrace (Ubuntu):
status: In Progress → Incomplete
Christian Ehrhardt  (paelzer) wrote :

Thank you, this IMHO is ready then once dependencies are as well

Changed in bpftrace (Ubuntu):
status: Incomplete → In Progress
Lukas Märdian (slyon) wrote :

It's already seeded, so -> Fix Committed

Changed in bpftrace (Ubuntu):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

Override component to main
bpftrace 0.20.2-1ubuntu1 in noble: universe/misc -> main
bpftrace 0.20.2-1ubuntu1 in noble arm64: universe/utils/optional/100% -> main
bpftrace 0.20.2-1ubuntu1 in noble armhf: universe/utils/optional/100% -> main
bpftrace 0.20.2-1ubuntu1 in noble ppc64el: universe/utils/optional/100% -> main
bpftrace 0.20.2-1ubuntu1 in noble riscv64: universe/utils/optional/100% -> main
bpftrace 0.20.2-1ubuntu1 in noble s390x: universe/utils/optional/100% -> main
6 publications overridden.

Changed in bpftrace (Ubuntu):
status: Fix Committed → Fix Released
Christian Ehrhardt  (paelzer) wrote :

Doesn't this also need the one in -updates and -proposed to be moved to main or it might later fall out of it again when the universe version migrates?

Christian Ehrhardt  (paelzer) wrote :

[18:20] <cpaelzer> vorlon: I saw on https://bugs.launchpad.net/ubuntu/+source/bpftrace/+bug/2052809 you only promoted -release, but the versions not -updates and -proposed. Would those not also be needed to not set back the component when it migrates?
[18:20] <vorlon> cpaelzer: -proposed yes, -updates will be deleted so doesn't matter. Can you take care of it?
[18:20] <cpaelzer> I will

Override component to main
bpftrace 0.20.2-1ubuntu3 in noble: universe/misc -> main
bpftrace 0.20.2-1ubuntu3 in noble amd64: universe/utils/optional/100% -> main
bpftrace 0.20.2-1ubuntu3 in noble arm64: universe/utils/optional/100% -> main
bpftrace 0.20.2-1ubuntu3 in noble armhf: universe/utils/optional/100% -> main
bpftrace 0.20.2-1ubuntu3 in noble ppc64el: universe/utils/optional/100% -> main
bpftrace 0.20.2-1ubuntu3 in noble riscv64: universe/utils/optional/100% -> main
bpftrace 0.20.2-1ubuntu3 in noble s390x: universe/utils/optional/100% -> main
Override [y|N]? y
7 publications overridden.
