-
-
Notifications
You must be signed in to change notification settings - Fork 520
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
eBPF compatibility with custom and hardened kernels (xanmod, liquorix, etc) #774
Comments
Good that now an alert / notification will be shown to better explain what the problem is! Maybe a link to this page or some page on the documentation with all these explanations could be added. |
Added flag to check system requirements. Related: #774
Starting from the next version (> v1.6.3), if the ebpf proc monitor doesn't work we'll fallback to PROC CONNECTOR: 7a9bb17 |
Hi, Getting warning message: "Unable to set new process monitor (ebpf) method from disk: exit status 32. Unable to access debugfs filesystem, needed for eBPF to work, likely caused by a hardened or customized kernel. Change process monitor method to 'proc' to stop receiving this alert" How to resolve this warning message in Archlinux Hardened kernel without change process monitor method to 'proc'? SPECS: opensnitchd --version pacman --query | grep opensnitch SYSCTL: (sorry for the dump, I don't know which parameter is actually important) KCONFIG: [r@station ~]$ zgrep KPROBE /proc/config.gz [r@station ~]$ zgrep UPROBE /proc/config.gz [r@station ~]$ zgrep SYSCALL /proc/config.gz [r@station ~]$ zgrep BPF /proc/config.gz [r@station r]$ zgrep DEBUGFS /proc/config.gz [r@station r]$ zgrep DEBUG_FS /proc/config.gz BOOT OPTIONS (systemd-boot) DEBUGFS |
Removing lockdown=confidentiality from grub boot parameters fixed eBPF disabling for me. |
hi @moisesmsf , I've got an Arch installation with a hardened kernel as well, where this error pop-ups. As far as I can tell, we (gobpf+opensnitch) depend on 2 options to configure the kprobes/tracepoints: DEBUGFS and TRACEFS. DEBUGFS is usually mounted under /sys/kernel/debug, and TRACEFS under /sys/kernel/debug/tracing On this Arch installation, I can mount TRACEFS under any directory (i.e.: tracefs mount option is available): ~ # mkdir x
~ # mount -t tracefs none x/
~ # ls x/
README dyn_ftrace_total_info instances saved_cmdlines set_ftrace_notrace_pid synthetic_events trace_stat
available_events dynamic_events kprobe_events saved_cmdlines_size set_ftrace_pid timestamp_mode tracing_cpumask
(...) I think that this should be enough to configure the hook points. however! if I try to mount DEBUGFS, it fails: ~ # mount -t debugfs none /sys/kernel/debug
mount: /home/ga/x: unknown filesystem type 'debugfs' Apparently this behaviour is governed by the kernel config option DEBUG_FS_ALLOW_NONE:
So:
|
@moisesmsf - when you post that much content, consider using
|
also for Manjaro, the build file needs to be edited - an example path is
might be good to add this stuff to the wiki??? |
Hi, I'm trying to install opensnitch on a SBC I'm using devuan, rpi image
output (only the failed)CONFIG_KPROBES_ON_FTRACECONFIG_HAVE_KPROBES_ON_FTRACE CONFIG_UPROBES CONFIG_UPROBE_EVENTS CONFIG_FTRACE_SYSCALLS CONFIG_INET_UDP_DIAG CONFIG_INET_DIAG_DESTROY I'm only running the daemon, so I believe I have either the choice to recompile my kernel with the necessary or use is What would you advice ? Thanks. |
Hi @BobSquarePants . With proc MonitorMethod we are not able to get process of a connection. If you enable |
We've had several issues in the past regarding compatibility with this type of kernels and eBPF.
Custom kernels (xanmod, liquorix, others)
In order to use eBPF as process monitor method, the kernel must have some features enabled:
Basic:
(Without this option, the path
/sys/kernel/debug/tracing/
is not created.)Additionally:
(Without these options, opensnitch-procs.o module will fail)
Extras:
(Without this option, the path
/sys/kernel/debug/tracing/uprobe_events
is not created. Thus the opensnitch-dns.o module, and any other that hooks userland libs won't work.)You can check these options out with the following command:
$ grep FTRACE /boot/config-$(uname -r)
(or KPROBE, etc)On the other hand, the path
/sys/kernel/debug/tracing/kprobe_events
must exist. Usually it's created when debugfs is mounted.Since version 1.6.0rc2 opensnitch will try to mount it (some distros like devuan do not mount it by default). If we fail to mount it, then much probably one of the mentioned kernel features is not enabled.
xanmod kernels:
CONFIG_FTRACE is not set, thus
ebpf
proc monitor method doesn't work.liquorix kernels:
ebpf
proc monitor method works partially: connections are intercepted, but new/exit processes don't (CONFIG_FTRACE_SYSCALLS not set).DNS passive requests interception doesn't work either (CONFIG_UPROBE_EVENTS not set).
Arch / Manjaro hardened kernels (as of 29/10/2023)
/sys/kernel/debug/tracing/ path does not exist, thus we cannot configure kprobes or tracepoints. See this comment: eBPF compatibility with custom and hardened kernels (xanmod, liquorix, etc) #774 (comment)
Hardened kernels / systems
There're some configurable kernel options that prevent us from working as expected (eBPF only, AFAIK). #767
In particular these scripts seem to block some eBPF features: https://github.com/Kicksecure/security-misc#enhances-miscellaneous-security-settings
One of these options is
lockdown=confidentiality
:(thank you @tjbbjt for reporting this!)
What happen if eBPF is not supported
We fallback to
proc
monitor method. Starting from v1.6.0rc3 you'll receive an alert on the desktop. If you want to stop seeing those alerts: 1) you can change proc monitor method toproc
(Preferences -> Nodes), or 2) run a kernel with needed requirements.For example, a desktop notification alerting that opensnitch-procs.o failed loading on liquorix kernel:
For iptables rules to work, you need at least this option enabled in your kernel configuration:
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
The text was updated successfully, but these errors were encountered: