
eBPF compatibility with custom and hardened kernels (xanmod, liquorix, etc) #774

@gustavo-iniguez-goya

Description


We've had several issues in the past regarding compatibility between eBPF and these types of kernels.

Custom kernels (xanmod, liquorix, others)

In order to use eBPF as process monitor method, the kernel must have some features enabled:

Basic:

  • CONFIG_FTRACE=y
    (Without this option, the path /sys/kernel/debug/tracing/ is not created.)
  • CONFIG_KPROBES=y, CONFIG_KPROBES_ON_FTRACE=y, CONFIG_HAVE_KPROBES=y, CONFIG_HAVE_KPROBES_ON_FTRACE=y, CONFIG_KPROBE_EVENTS=y

Additionally:

  • CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
  • CONFIG_FTRACE_SYSCALLS=y
    (Without these options, the opensnitch-procs.o module will fail.)

Extras:

  • CONFIG_UPROBE_EVENTS=y
    (Without this option, the path /sys/kernel/debug/tracing/uprobe_events is not created. Thus the opensnitch-dns.o module, and any other that hooks userland libs won't work.)

You can check these options with the following command: $ grep FTRACE /boot/config-$(uname -r) (or KPROBE, etc.)

In addition, the path /sys/kernel/debug/tracing/kprobe_events must exist. Usually it's created when debugfs is mounted.
Since version 1.6.0rc2 opensnitch will try to mount it (some distros, like devuan, do not mount it by default). If we fail to mount it, then most probably one of the mentioned kernel features is not enabled.

  • xanmod kernels:
    CONFIG_FTRACE is not set, thus the eBPF proc monitor method doesn't work.

  • liquorix kernels:
    The eBPF proc monitor method works partially: connections are intercepted, but new/exited processes aren't (CONFIG_FTRACE_SYSCALLS not set).
    Passive DNS request interception doesn't work either (CONFIG_UPROBE_EVENTS not set).

  • Arch / Manjaro hardened kernels (as of 29/10/2023)
    The /sys/kernel/debug/tracing/ path does not exist, thus we cannot configure kprobes or tracepoints. See this comment in #774.

Hardened kernels / systems

There are some configurable kernel options that prevent us from working as expected (eBPF only, AFAIK). #767
In particular, these scripts seem to block some eBPF features: https://github.com/Kicksecure/security-misc#enhances-miscellaneous-security-settings

One of these options is lockdown=confidentiality:

tjbbjt said:
Removing lockdown=confidentiality from grub boot parameters fixed eBPF disabling for me.

(thank you @tjbbjt for reporting this!)

What happens if eBPF is not supported

We fall back to the proc monitor method. Starting from v1.6.0rc3 you'll receive an alert on the desktop. If you want to stop seeing those alerts: 1) change the proc monitor method to proc (Preferences -> Nodes), or 2) run a kernel that meets the requirements above.

For example, a desktop notification alerting that opensnitch-procs.o failed loading on liquorix kernel:
[screenshot of the desktop notification]


For iptables rules to work, you need at least this option enabled in your kernel configuration:

CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
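The checks above (kernel config options, the tracing paths under debugfs, the lockdown mode and the NFQUEUE target) can be run in one go. The script below is an added example, not part of the opensnitch project; it reads a config file you pass it (or /boot/config-$(uname -r) by default), treats only "=y" as enabled, as stated in this issue ("=m" counts as missing here, which is an assumption), and reads /sys/kernel/security/lockdown and /proc/cmdline only if they exist.

```shell
#!/bin/sh
# Added example, not part of the opensnitch project: check a kernel config file
# against the options this issue lists, plus the runtime tracing paths and the
# lockdown mode. Only "=y" counts as enabled, as the issue states (assumption:
# "=m" is treated as missing here).

# Option groups, taken from the issue text.
EBPF_BASIC="CONFIG_FTRACE CONFIG_KPROBES CONFIG_KPROBES_ON_FTRACE CONFIG_HAVE_KPROBES CONFIG_HAVE_KPROBES_ON_FTRACE CONFIG_KPROBE_EVENTS"
EBPF_PROCS="CONFIG_HAVE_SYSCALL_TRACEPOINTS CONFIG_FTRACE_SYSCALLS"
EBPF_DNS="CONFIG_UPROBE_EVENTS"
NFQUEUE="CONFIG_NETFILTER_XT_TARGET_NFQUEUE"

# is_enabled FILE OPTION: true if "OPTION=y" is present in FILE.
is_enabled() {
    grep -q "^$2=y\$" "$1" 2>/dev/null
}

# missing_options FILE OPT...: print the options from the list that are not
# enabled in FILE, space separated on one line (empty line if none).
missing_options() {
    cfg=$1; shift
    out=""
    for opt in "$@"; do
        is_enabled "$cfg" "$opt" || out="$out $opt"
    done
    echo "${out# }"
}

# check_group FILE LABEL OPT...: one verdict line per component.
check_group() {
    cfg=$1; label=$2; shift 2
    missing=$(missing_options "$cfg" "$@")
    if [ -z "$missing" ]; then
        echo "$label: ok"
    else
        echo "$label: missing $missing"
    fi
}

# lockdown_mode TEXT: pick the bracketed (active) mode out of the contents of
# /sys/kernel/security/lockdown, e.g. "none integrity [confidentiality]".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# report FILE: full diagnosis for one config file plus the live system state.
report() {
    cfg=$1
    echo "config: $cfg"
    check_group "$cfg" "eBPF basic (ftrace/kprobes)" $EBPF_BASIC
    check_group "$cfg" "opensnitch-procs.o (syscall tracepoints)" $EBPF_PROCS
    check_group "$cfg" "opensnitch-dns.o (uprobes)" $EBPF_DNS
    check_group "$cfg" "iptables NFQUEUE target" $NFQUEUE

    # Runtime paths the issue says must exist once debugfs is mounted.
    for p in /sys/kernel/debug/tracing /sys/kernel/debug/tracing/kprobe_events \
             /sys/kernel/debug/tracing/uprobe_events; do
        if [ -e "$p" ]; then echo "$p: present"; else echo "$p: absent"; fi
    done

    # Lockdown: lockdown=confidentiality on the kernel command line was reported
    # in this issue to disable eBPF.
    if [ -r /sys/kernel/security/lockdown ]; then
        mode=$(lockdown_mode "$(cat /sys/kernel/security/lockdown)")
        echo "lockdown mode: ${mode:-unknown}"
    fi
    if [ -r /proc/cmdline ]; then
        if grep -o 'lockdown=[a-z]*' /proc/cmdline 2>/dev/null; then
            echo "  (set via kernel command line)"
        fi
    fi
}

# Usage: sh check-kconfig.sh [/path/to/config]; defaults to the running kernel's config.
if [ -n "${1:-}" ]; then
    report "$1"
elif [ -r "/boot/config-$(uname -r)" ]; then
    report "/boot/config-$(uname -r)"
fi
```

Run it against a config file pulled from a kernel package before booting that kernel: a liquorix-style config, for example, reports the basic group as ok but lists CONFIG_FTRACE_SYSCALLS and CONFIG_UPROBE_EVENTS as missing, which matches the partial behaviour described above.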
