falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0
7.16k stars 884 forks

kmod compilation failed on rhel9 #3196

Closed chenliu1993 closed 2 months ago

chenliu1993 commented 2 months ago

Describe the bug

I was trying to build the kernel module on rhel9 but the build process failed. However, when I was building the module on another kernel, the process succeeded.

The error from dkms is: (screenshot: "Screenshot 2024-05-15 at 14 51 30")

How to reproduce it

docker run -it --privileged -v /root/.falco:/root/.falco -v /etc:/host/etc:ro -v /usr:/host/usr:ro -v /lib/modules:/host/lib/modules:ro -v /proc:/host/proc:ro -v /etc:/host/etc:ro falcosecurity/falco-driver-loader --compile --download

Expected behaviour

the modules should be built and installed

Screenshots

Environment

Additional context

FedeDP commented 2 months ago

Hi! Yes, this is because this specific kernel backported some patches from newer kernels. Specifically, this is a patch from Linux 6.4 backported down to 5.14: https://github.com/torvalds/linux/commit/dcfbb67e48a2becfce7990386e985b9c45098ee5#diff-bf5afba571cf825f63da3977a19a898d0d724fa37f0f5fbe31f4770a9ca9e39b

Luckily enough, the next driver version (to be released within 2-3 weeks with the next Falco release) will be smarter thanks to https://github.com/falcosecurity/libs/pull/1452 and https://github.com/falcosecurity/libs/pull/1729, allowing us to probe for these backports in a flexible way.

The exact change that is causing your issue is already solved in libs master: https://github.com/falcosecurity/libs/blob/master/driver/configure/CLASS_CREATE_1/test.c

FedeDP commented 2 months ago

/milestone 0.38.0

chenliu1993 commented 2 months ago

Hi team, will 0.38.0 be released this week? Is it postponed?

Andreagit97 commented 2 months ago

yes, it should! We are in line with the plan. I've seen that you have a compilation issue with the kmod, have you ever tried the modern_ebpf driver?

chenliu1993 commented 2 months ago

> yes, it should! We are in line with the plan. I've seen that you have a compilation issue with the kmod, have you ever tried the modern_ebpf driver?

Yes we tried with modern_ebpf but also current-syscall-support, is this still a problem in the 0.37.1?

chenliu1993 commented 2 months ago

And may I know what is the recommended way from falco? modern_ebpf?

FedeDP commented 2 months ago

> Yes we tried with modern_ebpf but also current-syscall-support, is this still a problem in the 0.37.1?

It is not :) modern bpf supports all syscalls since a couple of Falco releases! That blog post is a bit outdated now.

> And may I know what is the recommended way from falco? modern_ebpf?

You only need to pass -o engine.kind=modern_ebpf as a cmdline argument (or set it in the Falco configuration file).

Andreagit97 commented 2 months ago

> And may I know what is the recommended way from falco? modern_ebpf?

Yes, Falco 0.38.0 will ship modern_ebpf as the default driver.

LucaGuerra commented 2 months ago

This should be fixed in Falco 0.38.0, released today. If not, feel free to open another issue!