evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

opensnitchd service is not starting after kernel version change #235

Closed miguelconde91 closed 3 years ago

miguelconde91 commented 5 years ago

Because of a hardware compatibility issue I was working with a non-stable version of kernel 4.20. Using this kernel I installed opensnitch and it worked fine. Recently I deleted the non-stable kernels and kept the last signed one from the Kubuntu 18.10 repos (4.18), and now opensnitch does not work. I have this error:

Error while enabling probe descriptor for opensnitch_exec_probe: write /sys/kernel/debug/tracing/kprobe_events: operation not permitted

How can I fix it?

CanntAim commented 5 years ago

I'm running a 4.18 kernel on one of my machines, which runs an 18.04 LTS Ubuntu flavor called popOS. The last time the machine was used was early December (opensnitch worked fine then); I turned it on today and updated. I had a similar issue around accessing that kprobe_events file. In my case the log says no such file or directory, although the file is present.

I have referred to this issue, this does not appear to be that: https://github.com/evilsocket/opensnitch/issues/184

I have another 18.04 box that uses 4.15 kernel on which opensnitch works fine. I haven't tried using grub to try the older kernel.

andreiple commented 5 years ago

Ah. I ran into this issue again. In my case after digging through syslogs I noticed this message: Lockdown: opensnitchd: Use of kprobes is restricted; see man kernel_lockdown.7

Since kernel 4.17, if you have UEFI Secure Boot enabled then the kernel does lockdown: using kernel probes, 3rd-party kernel modules (even signed), etc. is restricted. So if you want to use opensnitch there are two options: either disable Secure Boot or use a pre-4.17 kernel.
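
A triage sketch for the failure discussed in this thread, added here as an example and not part of the original comments or of OpenSnitch's code: it classifies the opensnitchd probe error against kernel log lines and reads the active lockdown mode. The function names and sample lines are constructed, and the `/sys/kernel/security/lockdown` path is an assumption (mainline kernels 5.4 and later; the distro-patched 4.x kernels in the thread may not expose it).

```python
import re
from pathlib import Path

# Kernel log line written when lockdown blocks a feature (format quoted in the thread).
LOCKDOWN_RE = re.compile(r"Lockdown: (?P<comm>\S+): (?P<what>.+?) is restricted")
# opensnitchd error as quoted in the issue: "... for <probe>: write <path>: <errno text>"
DAEMON_RE = re.compile(r"probe descriptor for (?P<probe>\S+): write (?P<path>\S+): (?P<err>.+)$")

def active_lockdown_mode(text):
    """Return the bracketed mode from lockdown file content, e.g. 'none [integrity] confidentiality'."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else None

def live_lockdown_mode(path="/sys/kernel/security/lockdown"):
    """Read the running kernel's lockdown mode; None if the file is absent (assumed path)."""
    p = Path(path)
    return active_lockdown_mode(p.read_text()) if p.exists() else None

def classify(daemon_error, kernel_log_lines):
    """Map the daemon's kprobe_events error to a likely cause using the kernel log."""
    m = DAEMON_RE.search(daemon_error)
    if not m:
        return "unrecognized"
    err = m.group("err").strip().lower()
    hits = [LOCKDOWN_RE.search(line) for line in kernel_log_lines]
    kprobe_blocked = any(h and "kprobes" in h.group("what") for h in hits)
    if err == "operation not permitted":
        # EPERM plus a Lockdown line is the Secure Boot case described above.
        return "lockdown" if kprobe_blocked else "eperm-no-lockdown-log"
    if err == "no such file or directory":
        # Also reported in this thread; the page does not establish its cause.
        return "enoent"
    return "other"

# Constructed samples modelled on the messages quoted in this issue.
SAMPLE_ERR = ("Error while enabling probe descriptor for opensnitch_exec_probe: "
              "write /sys/kernel/debug/tracing/kprobe_events: operation not permitted")
SAMPLE_KLOG = ["Jan 10 09:12:01 host kernel: Lockdown: opensnitchd: "
               "Use of kprobes is restricted; see man kernel_lockdown.7"]

if __name__ == "__main__":
    print("classified as:", classify(SAMPLE_ERR, SAMPLE_KLOG))
    print("live lockdown mode:", live_lockdown_mode())
```
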

miguelconde91 commented 5 years ago

I cannot use a kernel <4.18 because my laptop hardware is not well supported pre-4.18; it is a new model of gaming laptop from June 2018. I'm going to check Secure Boot.

1kenthomas commented 4 years ago

So basically: opensnitch will not work with a modern kernel or with secure boot?

gustavo-iniguez-goya commented 4 years ago

@1kenthomas see #276. The other options are 1) listen to audit events, 2) add eBPF.

gustavo-iniguez-goya commented 3 years ago

Fixed with latest version.