Chris's Wiki :: blog/linux/ErrnoForLSMs Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/ErrnoForLSMs?atomcomments
2019-12-19T15:58:42Z
Recent comments in Chris's Wiki :: blog/linux/ErrnoForLSMs.

By sapphirepaw (https://keybase.io/sapphirepaw) on /blog/linux/ErrnoForLSMs
<div class="wikitext"><p>Agreed; I wanted some stats on how much traffic was flowing somewhere once, so I tried to run tcpdump as a service, and somehow AppArmor applied a profile to that. I didn't know it existed, and it only allowed writes to <code>*.pcap</code> filenames in some specific directories, so of course the service didn't work. (And only the service. The shell could run the same command just fine.) It took a while to dawn on me.</p>
</div>2019-12-19T15:58:42Z

By Perry Lorier on /blog/linux/ErrnoForLSMs
<div class="wikitext"><p>I've run into very similar problems with EINVAL. It's nearly impossible to figure out what you've done wrong, and the kernel won't be helpful and tell you which part of what you're doing is invalid. So I've started using the below shell script to use ftrace:</p>
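<pre>
$ cat ~/bin/ftrace
#!/bin/bash
# Trace kernel functions for a single command, then dump the trace.
# Locate the debugfs mount point (first debugfs entry in /proc/mounts).
export DEBUGFS=$(awk '$3 == "debugfs" { print $2; exit }' /proc/mounts)
(
# $BASHPID is this subshell's PID; exec keeps it, so the command is what gets traced.
echo "Tracing $BASHPID"
echo "$BASHPID" > "$DEBUGFS/tracing/set_ftrace_pid"
echo function_graph > "$DEBUGFS/tracing/current_tracer"
echo 1 > "$DEBUGFS/tracing/options/func_stack_trace"
exec "$@"
)
# Print the collected trace, then switch tracing back off.
cat "$DEBUGFS/tracing/trace"
echo 0 > "$DEBUGFS/tracing/options/func_stack_trace"
echo nop > "$DEBUGFS/tracing/current_tracer"
</pre>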
<p><em>Note:</em> this will likely temporarily turn your machine to molasses as it performs all the tracing, so be wary of using this on a production host (although if you're using it on a production host, it's likely that the machine is already not doing its day job so...)</p>
<p>This will show you all the stack traces inside the kernel, so you can see what was called just before it decided to give up and return back to userspace. Either that function is called something suspicious (e.g. aa_&lt;something&gt;), or when you look at the function source, it's pretty easy to guess which one has gone wrong.</p>
</div>2019-12-19T11:15:14Z
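
An added example, not part of either comment above: a filter that reduces function_graph output to the call chains ending in an LSM-looking function, so the "suspicious" name does not have to be spotted by eye. The prefix list beyond aa_, the function names `lsm_call_chains` and `sample_trace`, and the sample trace itself are assumptions made for this illustration.

```shell
#!/bin/bash
# Added example (not from the original comment): reduce function_graph output
# to the call chains that end in an LSM-looking function.

# Assumption: aa_ is the prefix named in the comment; the other prefixes are
# the generic LSM hook layer and the AppArmor/SELinux hook implementations.
LSM_PATTERN='^(aa_|apparmor_|selinux_|security_)'

lsm_call_chains() {
    awk -v pat="$LSM_PATTERN" '
    /^#/ || !/\|/ { next }                # headers, task-switch banners
    {
        cpu = $1                          # "0)": one call stack per CPU
        body = $0
        sub(/^[^|]*\|/, "", body)         # drop the CPU and DURATION columns
        gsub(/^[ \t]+|[ \t]+$/, "", body)
        if (body ~ /^}/) {                # "}" closes the innermost call
            if (depth[cpu] > 0) depth[cpu]--
            next
        }
        name = body
        sub(/\(.*/, "", name)             # "foo() {" or "foo();" becomes "foo"
        if (name ~ pat) {
            chain = ""
            for (i = 1; i <= depth[cpu]; i++) chain = chain stack[cpu, i] " > "
            print chain name
        }
        if (body ~ /\{$/) stack[cpu, ++depth[cpu]] = name
    }' "$@"
}

# Constructed sample in function_graph layout, not captured from a real host.
sample_trace() {
    cat <<'EOF'
# tracer: function_graph
#
# CPU  DURATION                  FUNCTION CALLS
# |     |   |                     |   |   |   |
 0)               |  do_sys_open() {
 0)   0.211 us    |    getname();
 0)               |    vfs_open() {
 0)               |      security_file_open() {
 0)               |        apparmor_file_open() {
 0)   1.502 us    |          aa_path_perm();
 0)   2.114 us    |        }
 0)   2.630 us    |      }
 0)   3.011 us    |    }
 0)   3.907 us    |  }
EOF
}
```

On a real host the function takes the trace file path as its argument, or reads the trace on standard input; the last chain printed before the syscall returns is the one to look up in the kernel source.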