Closed redanaheim closed 2 weeks ago
Hi @redanaheim ,
Thank you for reporting this issue.
Could you post the log lines indicating if any of the modules has been loaded? grep opensnitch.*o /var/log/opensnitchd.log, it should output something like:
[2024-05-27 19:13:19] DBG [eBPF] trying to load /usr/lib/opensnitchd/ebpf/opensnitch-procs.o
[2024-05-27 19:13:25] INF [eBPF] module loaded: /usr/lib/opensnitchd/ebpf/opensnitch-procs.o
Is there any entry in /sys/kernel/debug/tracing/kprobe_events?
I tested this on an aarch64 VM, ubuntu 20.04, kernel 5.8.0, and the modules load and work, although the behaviour is a bit erratic, for opensnitch-procs.o mainly.
I'll try to test it on another distro/hardware/kernel.
As it turns out, HAVE_KPROBES_ON_FTRACE is determined unset because the kernel on arm64 does not yet support KPROBES_ON_FTRACE (source: https://github.com/torvalds/linux/blob/master/Documentation/features/debug/kprobes-on-ftrace/arch-support.txt).
thank you for this info!
Side note - I don't understand why the error messages involve failure to attach uprobes while the uprobe kernel configuration options (and every other option, in fact) appear to be fine:
That problem seems to be the same as #1013, particular to NixOS.
tested on a raspberry pi with kernel 6.1.21-v8+, ebpf network interception works, including the hook for VPNs/tunnels:
# cat /sys/kernel/debug/tracing/kprobe_events
p:kprobes/pudp_sendmsg udp_sendmsg
p:kprobes/pudpv6_sendmsg udpv6_sendmsg
p:kprobes/piptunnel_xmit iptunnel_xmit
p:kprobes/ptcp_v4_connect tcp_v4_connect
r10:kprobes/rtcp_v4_connect tcp_v4_connect
p:kprobes/ptcp_v6_connect tcp_v6_connect
r10:kprobes/rtcp_v6_connect tcp_v6_connect
[2024-05-29 14:26:22] DBG new connection tcp => 44070:192.168.0.13 -> 1.1.1.1 (one.one.one.one):443 uid: 0, mark: 0
[2024-05-29 14:26:22] DBG [ebpf conn] not in cache, but in execEvents: tcp44070192.168.0.131.1.1.1443, 4482 -> /usr/bin/curl
[2024-05-29 14:26:22] DBG [ebpf conn] adding item to cache: tcp44070192.168.0.131.1.1.1443
syscall execve hook doesn't work, but sched_process_exit does (so I guess sched_process_exec would work as well)
[2024-05-29 14:26:22] DBG [eBPF exit event] -> 4482
[2024-05-29 14:26:22] DBG [eBPF exit event inCache] -> 4482
[2024-05-29 14:26:22] DBG [eBPF exit event] -> 4482
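The two diagnostics requested earlier in this thread (grep the daemon log for module loads, and list /sys/kernel/debug/tracing/kprobe_events) can be checked mechanically rather than by eye. The following Python script is an added example, not opensnitch's own code: it parses both outputs using the line formats quoted in this thread and reports which eBPF modules were confirmed loaded and which expected kernel hooks are missing. The log lines and kprobe_events text embedded in it are constructed samples modelled on the lines above, and the set of expected hook symbols is taken from the Raspberry Pi listing above as an assumed baseline for a working install.

```python
"""Summarise opensnitchd eBPF module loads and attached kprobes.

Added example for this issue thread; not part of opensnitch. Inputs are
constructed samples in the formats quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of /var/log/opensnitchd.log lines (format as quoted above).
SAMPLE_LOG = """\
[2024-05-27 19:13:19] DBG [eBPF] trying to load /usr/lib/opensnitchd/ebpf/opensnitch-procs.o
[2024-05-27 19:13:25] INF [eBPF] module loaded: /usr/lib/opensnitchd/ebpf/opensnitch-procs.o
[2024-05-27 19:13:26] DBG [eBPF] trying to load /usr/lib/opensnitchd/ebpf/opensnitch.o
"""

# Constructed sample of /sys/kernel/debug/tracing/kprobe_events (two hooks
# from the working listing above deliberately left out).
SAMPLE_KPROBE_EVENTS = """\
p:kprobes/pudp_sendmsg udp_sendmsg
p:kprobes/pudpv6_sendmsg udpv6_sendmsg
p:kprobes/ptcp_v4_connect tcp_v4_connect
r10:kprobes/rtcp_v4_connect tcp_v4_connect
"""

# Assumed baseline: the symbols hooked in the working Raspberry Pi listing.
EXPECTED_HOOKS: Set[str] = {"udp_sendmsg", "udpv6_sendmsg", "iptunnel_xmit",
                            "tcp_v4_connect", "tcp_v6_connect"}

LOAD_RE = re.compile(r"\[eBPF\] (trying to load|module loaded:) (\S+\.o)")
# kprobe_events line syntax: p|r[maxactive]:group/event symbol
KPROBE_RE = re.compile(r"^([pr])(\d*):([^/\s]+)/(\S+)\s+(\S+)")


@dataclass(frozen=True)
class KprobeEvent:
    kind: str                 # "p" = entry probe, "r" = return probe
    maxactive: Optional[int]  # only meaningful for return probes
    group: str
    name: str
    symbol: str               # kernel function being hooked


def module_status(log_text: str) -> Dict[str, str]:
    """Map each .o path seen in the log to 'loaded' or an unconfirmed attempt."""
    status: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = LOAD_RE.search(line)
        if not m:
            continue
        what, path = m.groups()
        if what.startswith("trying"):
            # Do not downgrade a module that was already confirmed loaded.
            status.setdefault(path, "load attempted, no confirmation")
        else:
            status[path] = "loaded"
    return status


def parse_kprobe_events(text: str) -> List[KprobeEvent]:
    """Parse kprobe_events lines; silently skip lines in another format."""
    events: List[KprobeEvent] = []
    for line in text.splitlines():
        m = KPROBE_RE.match(line.strip())
        if not m:
            continue
        kind, maxactive, group, name, symbol = m.groups()
        events.append(KprobeEvent(kind, int(maxactive) if maxactive else None,
                                  group, name, symbol))
    return events


def missing_hooks(events: List[KprobeEvent],
                  expected: Set[str] = EXPECTED_HOOKS) -> List[str]:
    """Expected kernel symbols with no kprobe attached, sorted for stable output."""
    return sorted(expected - {e.symbol for e in events})


def diagnose(log_text: str, kprobe_text: str) -> Dict[str, object]:
    events = parse_kprobe_events(kprobe_text)
    return {"modules": module_status(log_text),
            "hooked": sorted({e.symbol for e in events}),
            "missing_hooks": missing_hooks(events)}


if __name__ == "__main__":
    # On a real host, read the two files instead of the constructed samples.
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_KPROBE_EVENTS).items():
        print(f"{key}: {value}")
```

A module that appears only with "trying to load" and never with "module loaded:" is the first thing to report back in a thread like this one; an empty kprobe_events listing with modules reported loaded points at the probe-attachment step rather than at the object files.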
Describe the bug
The eBPF monitoring mode cannot be used successfully on arm64.
24.11.20240524 Vicuña
Linux asahimbp 6.8.9-asahi #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan 1 00:00:00 UTC 1980 aarch64 GNU/Linux
I had been using OpenSnitch in proc monitoring mode but started using a WireGuard VPN, so I wished to enable eBPF monitoring mode as per the FAQ.
I checked the requirements using opensnitchd -check-requirements and added all the required kernel configuration options to my NixOS configuration:
I confirmed after rebuilding my configuration that the configuration options were listed in /proc/config.gz (that's what the comment after each option is). Unfortunately, I discovered that HAVE_KPROBES_ON_FTRACE and KPROBES_ON_FTRACE were both not present (much less y). I initially thought that they were overwritten by configuration options from nixos-apple-silicon, but after combing through their files and the Asahi Linux kernel config, neither was present.
As it turns out, HAVE_KPROBES_ON_FTRACE is determined unset because the kernel on arm64 does not yet support KPROBES_ON_FTRACE (source: https://github.com/torvalds/linux/blob/master/Documentation/features/debug/kprobes-on-ftrace/arch-support.txt).
Therefore, I am unable to set the required configuration options on my Apple Silicon machine and opensnitchd -check-requirements displays the following:
While the daemon produces the following error message:
Side note - I don't understand why the error messages involve failure to attach uprobes while the uprobe kernel configuration options (and every other option, in fact) appear to be fine:
Side note number 2 for which I will submit a PR: the check for CONFIG_KPROBES_ON_FTRACE is duplicated at https://github.com/evilsocket/opensnitch/blob/03747ea0e3efe2bd7274bbc8ee7039f97b80f861/daemon/core/system.go#L88.
To Reproduce
Steps to reproduce the behavior:
1. Set the CONFIG_KPROBES_ON_FTRACE option to true on an arm64 machine.
2. Run opensnitchd.service with eBPF monitoring mode enabled anyway, and when it displays a bewildering error message try running opensnitchd -check-requirements.
Expected behavior (optional)
arm64 supported with eBPF mode so that WireGuard connections can be filtered correctly.
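The requirements check described in this report compares the running kernel's configuration against a list of options, and the interesting failure here is an option that is not merely disabled but absent because the architecture does not offer it. The following Python script is an added example, not opensnitch's code: it parses the decompressed /proc/config.gz format (CONFIG_X=y lines and "# CONFIG_X is not set" lines) and reports each required option as ok, disabled (a rebuild can fix it), unavailable on this architecture, or absent. The sample config and the list of required options are constructed for illustration; the authoritative list is whatever opensnitchd -check-requirements prints, and the per-architecture table is an assumption hand-copied from the kprobes-on-ftrace arch-support document linked above.

```python
"""Classify required kernel config options from /proc/config.gz.

Added example for this issue; not opensnitch code. Sample config and the
REQUIRED list are constructed for illustration.
"""
import gzip
import platform
import re
from typing import Dict, Iterable, Set

SET_RE = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.+)$")
NOT_SET_RE = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")

# Constructed sample of decompressed /proc/config.gz content.
SAMPLE_CONFIG = """\
CONFIG_KPROBES=y
CONFIG_UPROBES=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_DEBUG_INFO_BTF is not set
"""

# Illustrative list only; take the real one from `opensnitchd -check-requirements`.
REQUIRED = ["KPROBES", "UPROBES", "BPF", "BPF_SYSCALL", "DEBUG_INFO_BTF",
            "HAVE_KPROBES_ON_FTRACE", "KPROBES_ON_FTRACE"]

# Assumption copied from the arch-support table linked in this issue:
# arm64 does not offer KPROBES_ON_FTRACE, so no config change can enable it.
ARCH_UNAVAILABLE: Dict[str, Set[str]] = {
    "arm64": {"HAVE_KPROBES_ON_FTRACE", "KPROBES_ON_FTRACE"},
}


def parse_kconfig(text: str) -> Dict[str, str]:
    """Map option name (without CONFIG_) to 'y', 'm', a literal value, or 'n'."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            config[m.group(1)] = m.group(2).strip('"')
            continue
        m = NOT_SET_RE.match(line)
        if m:
            config[m.group(1)] = "n"  # explicitly disabled, unlike an absent option
    return config


def load_proc_config(path: str = "/proc/config.gz") -> Dict[str, str]:
    """Read and parse the running kernel's config (needs CONFIG_IKCONFIG_PROC)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return parse_kconfig(fh.read())


def check_requirements(config: Dict[str, str], required: Iterable[str],
                       arch: str) -> Dict[str, str]:
    """Classify each required option so the fix (or lack of one) is obvious."""
    unavailable = ARCH_UNAVAILABLE.get(arch, set())
    report: Dict[str, str] = {}
    for opt in required:
        value = config.get(opt)
        if value in ("y", "m"):
            report[opt] = "ok"
        elif value == "n":
            report[opt] = "disabled: enable it and rebuild"
        elif opt in unavailable:
            report[opt] = f"unavailable on {arch}: cannot be enabled"
        else:
            report[opt] = "absent from this kernel config"
    return report


def host_arch() -> str:
    """Normalise the machine name to the kernel's arch directory naming."""
    machine = platform.machine()
    return "arm64" if machine == "aarch64" else machine


if __name__ == "__main__":
    for opt, status in check_requirements(load_proc_config(), REQUIRED,
                                          host_arch()).items():
        print(f"CONFIG_{opt}: {status}")
```

Separating "disabled" from "unavailable on this architecture" is the point: the first is a configuration problem the reporter can fix by rebuilding, the second is the arm64 situation in this issue, where no amount of kernel configuration will satisfy the check.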