eunomia-bpf / bpftime

Userspace eBPF runtime for Observability, Network & General Extensions Framework
https://eunomia.dev/bpftime/
MIT License
799 stars 75 forks

[Need help] run bpf programs as non root user with bpftime #353

Open nalreddy opened 2 weeks ago

nalreddy commented 2 weeks ago

In our current product, we execute BPF programs without needing sudo by using setcap to grant the necessary capabilities to the executable (specifically, we set bpf_cap before running the BPF program).

setcap CAP_BPF,CAP_SYS_RESOURCE,CAP_PERFMON=+eip tracer

How can we achieve the same functionality with bpftime?

Are there instances where we must run bpftime with sudo?

Modes of Running bpftime

  1. Attach mode:

     ./example/malloc/victim & echo $!  # This outputs the PID, e.g., 101771

     To attach to it:

     $ sudo bpftime attach 101771  # Note: You may need to run `make install` as root
     Inject: "/root/.bpftime/libbpftime-agent.so"
     Successfully injected. ID: 1

  2. You can load the BPF program and start it:

     bpftime load ./example/malloc/malloc
     bpftime start ./example/malloc/victim

  3. You can also run with LD_PRELOAD directly.

Questions:

  1. Why is sudo necessary in the first method? Is it required?
  2. System call tracing examples also run with sudo—is this mandatory?

Could you clarify in which cases we need to use sudo and which cases do not require it?

We would prefer to avoid using sudo with BPF programs and run them as non-root. Is it possible to use the attach method without sudo?


Officeyutong commented 2 weeks ago
  1. The first requires root privileges because it uses ptrace to inject a dynamic library into your desired process. Using ptrace to do such a thing requires root.
  2. Syscall trace needs root since it needs to call mprotect to switch the access flags of code pages (so we can modify them and implement userspace syscall tracing).

Root is not necessary for uprobe/uretprobe/usdt
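
The following pre-flight script is an added example, not part of bpftime, covering the setcap question in the opening post and the ptrace point in the reply above. It decodes the caller's effective capability mask from /proc/self/status, reads kernel.yama.ptrace_scope, and reports whether a non-root `bpftime attach <pid>` (which needs PTRACE_ATTACH on an unrelated process) can succeed. The rules it encodes: an unprivileged tracer may attach only under the classic same-uid, dumpable-target rule (Yama scope 0); CAP_SYS_PTRACE (in the target's user namespace) lifts the restriction under scopes 0 to 2; scope 3 forbids attaching for everyone. It also checks for file capabilities on the tool binary, because a binary that gains capabilities from file caps runs in glibc's secure-execution mode, where LD_PRELOAD entries containing a path are ignored; that is why the capability belongs on the bpftime CLI and not on the program the runtime is LD_PRELOADed into. The default path ~/.bpftime/bpftime and the script name preflight.sh are assumptions.

```shell
#!/bin/sh
# Added example, not part of bpftime: pre-flight checks for running
# `bpftime attach <pid>` as a non-root user. Capability numbers are
# from <linux/capability.h>.
CAP_SYS_PTRACE=19

# cap_in_mask HEXMASK CAPNO: succeeds if bit CAPNO is set in HEXMASK
# (the format of the CapEff/CapPrm lines in /proc/PID/status).
cap_in_mask() {
    [ "$(( 0x$1 >> $2 & 1 ))" -eq 1 ]
}

# cap_eff PID: print the effective capability mask of a process.
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# ptrace_scope: print kernel.yama.ptrace_scope, or 0 if Yama is absent.
ptrace_scope() {
    if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        cat /proc/sys/kernel/yama/ptrace_scope
    else
        echo 0
    fi
}

# attach_verdict HEXMASK SCOPE: classify what PTRACE_ATTACH to an
# unrelated, dumpable process of the same uid will do, given the
# tracer's effective caps and the Yama scope.
attach_verdict() {
    mask=$1; scope=$2
    if [ "$scope" -eq 3 ]; then
        echo blocked                 # Yama 3: nobody may attach, caps do not help
    elif cap_in_mask "$mask" "$CAP_SYS_PTRACE"; then
        echo ok-cap-sys-ptrace       # capability overrides scopes 0-2
    elif [ "$scope" -eq 0 ]; then
        echo ok-same-uid             # classic rule: same uid and dumpable target
    elif [ "$scope" -eq 1 ]; then
        echo descendants-only        # only children or PR_SET_PTRACER targets
    else
        echo need-cap-sys-ptrace     # scope 2: admin-only attach
    fi
}

# has_file_caps PATH: succeeds if the binary carries file capabilities.
# A binary that gains caps this way runs in secure-execution mode, where
# glibc drops LD_PRELOAD entries that contain a path, so only the tool
# that performs the ptrace injection should carry them.
has_file_caps() {
    [ -n "$(getcap "$1" 2>/dev/null)" ]
}

main() {
    bin=${1:-"$HOME/.bpftime/bpftime"}   # assumed install location
    scope=$(ptrace_scope)
    mask=$(cap_eff self)
    echo "ptrace_scope=$scope CapEff(this shell)=$mask"
    echo "verdict if attach ran with this shell's caps: $(attach_verdict "$mask" "$scope")"
    if has_file_caps "$bin"; then
        echo "$bin has file caps: $(getcap "$bin")"
        echo "verdict for $bin: $(attach_verdict 0000000000080000 "$scope")"
    else
        echo "$bin has no file caps; try: sudo setcap cap_sys_ptrace=+eip $bin"
    fi
}

# Run the checks only when executed as preflight.sh, not when sourced.
case "$0" in *preflight.sh) main "$@" ;; esac
```

Run it as `sh preflight.sh ~/.bpftime/bpftime` after the setcap step; the second verdict line assumes the file capability is the only one the tool gains (mask 0x80000 is CAP_SYS_PTRACE alone), and "descendants-only" or "need-cap-sys-ptrace" explains an EPERM on attach without pointing at the victim or the BPF loader program.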

yunwei37 commented 2 weeks ago

You may try granting CAP_SYS_PTRACE for the first method, since it's using ptrace here.

Actually both of them can run in unprivileged containers, e.g. you can try github codespace.

yunwei37 commented 2 weeks ago

Thanks for pointing out the problem! We will provide a document for all the permission related questions.

nalreddy commented 1 week ago

Thanks for pointing out the problem! We will provide a document for all the permission related questions.

You may try granting CAP_SYS_PTRACE for the first method, since it's using ptrace here.

Actually both of them can run in unprivileged containers, e.g. you can try github codespace.

@yunwei37 do you mean to grant CAP_SYS_PTRACE to the victim executable or to the BPF program executable (malloc)?

yunwei37 commented 1 week ago

CAP_SYS_PTRACE should be added to the command `sudo bpftime attach 101771`, not to the victim executable or the BPF program executable (malloc).

nalreddy commented 1 week ago

Tried the following steps to run bpftime as a non-root user in attach mode, with the malloc example.

Please do let me know anything wrong.

  1. Running victim (get pid of victim)

     /bpftime$ ./example/malloc/victim

  2. Setcap on the bpftime command

     ~/.bpftime$ ls
     bpftime  bpftime_daemon  bpftimetool  libbpftime-agent.so  libbpftime-agent-transformer.so  libbpftime-syscall-server.so  runtime.log
     ~/.bpftime$ sudo setcap CAP_SYS_PTRACE=+eip bpftime
     ~/.bpftime$ getcap bpftime
     bpftime cap_sys_ptrace=eip

  3. Attach without sudo

     bpftime attach 8390

  4. bpftime load ./example/malloc/malloc

     I don't see any prints here. I added debug output in the malloc code; it returns ENOENTRY from the bpf maps (malloc.c), and there is no bpf_printk output from malloc.bpf.c.

     tail -f ~/.bpftime/runtime.log
     [2024-10-08 04:58:19][info][8391] Injecting to 8390
     [2024-10-08 04:58:19][info][8391] Successfully injected. ID: 1
     [2024-10-08 04:58:19][info][8395] Global shm constructed. shm_open_type 1 for bpftime_maps_shm
     [2024-10-08 04:58:19][info][8395] Global shm initialized
     [2024-10-08 04:58:19][info][8395] Register attach-impl defined helper bpf_get_func_arg, index 183
     [2024-10-08 04:58:19][info][8395] Register attach-impl defined helper bpf_get_func_ret_id, index 184
     [2024-10-08 04:58:19][info][8395] Register attach-impl defined helper bpf_get_retval, index 186
     [2024-10-08 04:58:19][info][8395] Initializing agent..
     [2024-10-08 04:58:19][info][8395] Executable path: /home/satya/data/bpftime/example/malloc/victim
     [2024-10-08 04:58:19][info][8395] Attach successfully
     [2024-10-08 04:59:11][info][8412] Initialize syscall server
     [2024-10-08 04:59:11][info][8412] Global shm constructed. shm_open_type 0 for bpftime_maps_shm
     [2024-10-08 04:59:11][info][8412] Global shm initialized
     [2024-10-08 04:59:11][info][8412] bpftime-syscall-server started
     [2024-10-08 04:59:11][info][8412] Created uprobe/uretprobe perf event handler, module name /lib/x86_64-linux-gnu/libc.so.6, offset 9f920

@yunwei37