libs: [REGRESSION] Modern bpf probe in least privileged mode

Describe the bug

After this PR https://github.com/falcosecurity/libs/pull/1062 we are no longer able to run the modern bpf probe in least privileged mode, i.e. using only these capabilities:

* CAP_BPF
* CAP_PERFMON
* CAP_SYS_RESOURCE

The issue is that on non-COS systems the struct audit_task_info is not defined in the kernel vmlinux, so what libbpf does is search for this type in the module BTF, but unfortunately this requires CAP_SYS_ADMIN: https://github.com/torvalds/linux/blob/692b7dc87ca6d55ab254f8259e6f970171dc9d01/kernel/bpf/syscall.c#L3704

How to reproduce it

  1. Compile the scap-open example
  2. Provide the right capabilities:
     sudo setcap CAP_PERFMON,CAP_BPF,CAP_SYS_RESOURCE=+ep ./libscap/examples/01-open/scap-open
  3. Run it:
     ./libscap/examples/01-open/scap-open --modern_bpf

Error

libbpf: failed to iterate BTF objects: -1
libbpf: prog 't1_execve_x': relo #791: target candidate search failed for [1238] struct audit_task_info: -1
libbpf: prog 't1_execve_x': relo #791: failed to relocate: -1
libbpf: failed to perform CO-RE relocations: -1
libbpf: failed to load object 'bpf_probe'
libbpf: failed to load BPF skeleton 'bpf_probe': -1
libpman: failed to load BPF object (errno: 1 | message: Operation not permitted)

If you provide the CAP_SYS_ADMIN capability, everything works fine.
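The failure chain quoted above (module BTF iteration denied, a CO-RE relocation with no candidate, then EPERM on load) is distinctive enough to recognise automatically. The following is an added example, not code from the libs project: a small triage helper that parses libbpf/libpman output of this shape, extracts which program and which kernel type could not be resolved, and flags the least-privileged-mode pattern described in this issue. The sample log is the one quoted above, embedded here as constructed input.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample: the libbpf/libpman output quoted in this issue.
SAMPLE_LOG = """\
libbpf: failed to iterate BTF objects: -1
libbpf: prog 't1_execve_x': relo #791: target candidate search failed for [1238] struct audit_task_info: -1
libbpf: prog 't1_execve_x': relo #791: failed to relocate: -1
libbpf: failed to perform CO-RE relocations: -1
libbpf: failed to load object 'bpf_probe'
libbpf: failed to load BPF skeleton 'bpf_probe': -1
libpman: failed to load BPF object (errno: 1 | message: Operation not permitted)
"""

# "target candidate search failed" means no vmlinux/module BTF type matched the relocation.
RELO_RE = re.compile(
    r"libbpf: prog '(?P<prog>[^']+)': relo #(?P<relo>\d+): "
    r"target candidate search failed for \[(?P<btf_id>\d+)\] "
    r"(?P<kind>struct|union|enum) (?P<type>\w+): -?\d+"
)
# Module BTF enumeration (BPF_BTF_GET_NEXT_ID) is what needs CAP_SYS_ADMIN.
ITER_RE = re.compile(r"libbpf: failed to iterate BTF objects: -?\d+")
ERRNO_RE = re.compile(r"libpman: .*\(errno: (?P<errno>\d+)")


@dataclass
class Diagnosis:
    btf_iteration_failed: bool = False
    # "struct audit_task_info" -> (program name, relocation number)
    missing_types: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    errno: Optional[int] = None

    @property
    def looks_like_module_btf_permission_failure(self) -> bool:
        # All three signals together: iteration denied, unresolved type, EPERM (1).
        return self.btf_iteration_failed and bool(self.missing_types) and self.errno == 1


def diagnose(log: str) -> Diagnosis:
    d = Diagnosis()
    for line in log.splitlines():
        if ITER_RE.match(line):
            d.btf_iteration_failed = True
        elif (m := RELO_RE.match(line)):
            d.missing_types[f"{m['kind']} {m['type']}"] = (m["prog"], int(m["relo"]))
        elif (m := ERRNO_RE.match(line)):
            d.errno = int(m["errno"])
    return d
```

When the flag is set, the types in `missing_types` are the ones the loader had to look for outside vmlinux, which is exactly what cannot happen without CAP_SYS_ADMIN.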

Solution

We will have a libs patch release in the next few days and I would like to have this issue solved since it is causing some regressions, see here: https://github.com/falcosecurity/falco/issues/2487

Unfortunately, I don’t see many solutions right now; the ideal one would be to disable this BTF module check in libbpf, but it doesn’t seem to be configurable 😕

The only one seems to be to revert the PR and not capture this info on COS. I don’t like it, but if we have to choose between having a working least privileged mode and the loginuid info on COS I would choose the first one, since it is also a regression. Of course, I will try to find alternative solutions in the meantime, but I’m not sure about the outcome… WDYT? @erthalion @FedeDP @leogr

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 15 (15 by maintainers)

Most upvoted comments

yeah, we are just waiting for a stable tag of libbpf with the fix. I would close it once we bump libbpf to a stable tag and revert the corresponding workaround in libs https://github.com/falcosecurity/libs/pull/1160

I would keep this to track it and find a long-term solution