Tracee can't be compiled with clang 15 #2624

Closed
rafaeldtinoco opened this issue Jan 26, 2023 · 3 comments

rafaeldtinoco commented Jan 26, 2023

Description

PR: #2581 has created a macro for has_prefix() to make clang-14 unroll loops from the eBPF code correctly. It was reported by @geyslan that clang-15 won't unroll loops correctly even with the 2 approaches we currently have. So, for now, tracee can only be built correctly by clang-12, clang-13, and clang-14.

Current commit: c885025

In addition to this, @geyslan reported a verification error when loading the bpf program (compiled with clang-15) into the kernel (might be related to the above loop unrolling issue):

❯ sudo ./dist/tracee -f comm=uname
Place your finger on the fingerprint reader
{"level":"warn","ts":1685366140.1138046,"msg":"libbpf: prog 'trace_ret_vfs_write_tail': BPF program load failed: Permission denied"}
libbpf: prog 'trace_ret_vfs_write_tail': -- BEGIN PROG LOAD LOG --
0: R1=ctx(off=0,imm=0) R10=fp0
; int BPF_KPROBE(trace_ret_vfs_write_tail)
0: (7b) *(u64 *)(r10 -184) = r1       ; R1=ctx(off=0,imm=0) R10=fp0 fp-184_w=ctx
1: (b7) r1 = 0                        ; R1_w=0
; int zero = 0;
2: (63) *(u32 *)(r10 -80) = r1        ; R1_w=0 R10=fp0 fp-80=????0000
...
; if (path == NULL) {
3311: (15) if r9 == 0x0 goto pc+2     ; R9_w=map_value(off=0,ks=24,vs=4096,imm=0)
3312: (79) r6 = *(u64 *)(r10 -160)    ; R6_w=map_value(off=0,ks=4,vs=32152,imm=0) R10=fp0
3313: (05) goto pc+1945
; if (path_buf != NULL && !has_prefix("/dev/null", (char *) &path_buf, 10)) {
5259: (bf) r1 = r9                    ; R1_w=map_value(off=0,ks=24,vs=4096,imm=0) R9_w=map_value(off=0,ks=24,vs=4096,imm=0)
5260: (57) r1 &= 255
R1 bitwise operator &= on pointer prohibited
processed 1019 insns (limit 1000000) max_states_per_insn 0 total_states 61 peak_states 61 mark_read 35
-- END PROG LOAD LOG --
{"level":"warn","ts":1685366140.1271274,"msg":"libbpf: prog 'trace_ret_vfs_write_tail': failed to load: -13"}
{"level":"warn","ts":1685366140.1276152,"msg":"libbpf: failed to load object ''"}
{"level":"fatal","ts":1685366140.1280177,"msg":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: failed to load BPF object: permission denied"}
@rafaeldtinoco rafaeldtinoco added this to the v0.12.0 milestone Jan 26, 2023
@rafaeldtinoco rafaeldtinoco modified the milestones: v0.12.0, v0.13.0 Feb 28, 2023
@yanivagman yanivagman modified the milestones: v0.13.0, v0.14.0 Mar 8, 2023
@yanivagman yanivagman modified the milestones: v0.14.0, v0.15.0 Mar 30, 2023
@rafaeldtinoco rafaeldtinoco modified the milestones: v0.15.0, v0.14.0 Apr 25, 2023
@yanivagman yanivagman removed this from the v0.15.0 milestone May 24, 2023
@yanivagman yanivagman changed the title clang-15 won't unroll ebpf loops correctly Tracee can't be compiled with clang 15 May 30, 2023

geyslan commented Sep 12, 2023

Tried clang version 16.0.6, the build is completed but with a unique warning:

clang-16: warning: argument unused during compilation: '-march=bpf' [-Wunused-command-line-argument]

Execution continues to err in the same R1 bitwise operator &= on pointer prohibited.

@yanivagman yanivagman assigned geyslan and unassigned rafaeldtinoco Jan 30, 2024
@yanivagman
Collaborator

I don't think this is still an error.
I just compiled Tracee with clang 16 with no errors.
@geyslan can you please verify on your environment and close if not an issue?

geyslan commented Jan 30, 2024

I've compiled and run integration tests successfully on these envs:

  • Ubuntu, clang 12.0.1-19ubuntu3

  • Ubuntu and Manjaro, clang 14.0.6

  • Ubuntu, clang 15.0.7

  • Ubuntu, clang 16.0.6

    clang: warning: argument unused during compilation: '-march=bpf' [-Wunused-command-line-argument]

  • Ubuntu, clang 17.0.2

    clang: error: unsupported option '-march=' for target 'bpf'

    It compiled after removing the -march=bpf flag. This will be tackled in a chore PR - chore: remove clang march flag #3831.


In all cases, there's the unbounding issue #3830 when we expect to see 600 iterations and get only 60 in find_modules_from_module_kset_list().

Steps to check it:

  • Get the prog ID: sudo bpftool prog list | grep lkm_seeker_kset
  • Dump it: sudo bpftool prog dump xlated id ID > lkm_seeker_kset_tail_xlated
  • Count a condition inside the loop: grep 'if (mod_kobj) {' lkm_seeker_kset_tail_xlated | wc -l

@geyslan geyslan closed this as completed Jan 30, 2024
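
The unroll check from the steps above can be scripted. This is an added example, not code from the issue or from the Tracee project: the function names and the sample dump are constructed for illustration, and it assumes the dump was produced with `bpftool prog dump xlated` on a program that carries BTF line info.

```shell
#!/bin/sh
# Added example: count unrolled loop copies in a `bpftool prog dump xlated` file.
# bpftool prints each source line as "; <source>" ahead of its instructions,
# so only annotation lines are matched, never the instruction lines themselves.

count_unrolled() {  # usage: count_unrolled DUMP_FILE 'source text'
    awk -v want="$2" '
        /^[ \t]*;/ { if (index($0, want) > 0) n++ }
        END { print n + 0 }
    ' "$1"
}

check_unroll() {  # usage: check_unroll DUMP_FILE 'source text' EXPECTED
    got=$(count_unrolled "$1" "$2")
    if [ "$got" -lt "$3" ]; then
        echo "unroll shortfall: $got of $3 copies of '$2'" >&2
        return 1
    fi
    echo "ok: $got copies of '$2'"
}

# Constructed sample input: N copies of a loop body in xlated-dump layout.
make_sample() {  # usage: make_sample N OUT_FILE
    echo 'int sample_prog(struct pt_regs * ctx):' > "$2"
    i=0
    while [ "$i" -lt "$1" ]; do
        {
            echo '; if (mod_kobj) {'
            printf '%4d: (15) if r1 == 0x0 goto pc+1\n' "$((i * 2))"
            printf '%4d: (bf) r6 = r1\n' "$((i * 2 + 1))"
        } >> "$2"
        i=$((i + 1))
    done
}

# Demo: 60 copies present where 600 were expected, as reported in the issue.
demo=$(mktemp)
make_sample 60 "$demo"
check_unroll "$demo" 'if (mod_kobj) {' 600 || echo "status: $?"
rm -f "$demo"
```

Run against a real dump, `check_unroll lkm_seeker_kset_tail_xlated 'if (mod_kobj) {' 600` returns non-zero when the compiler emitted fewer copies than expected, which makes it usable as a CI gate per clang version.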