falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

[MODERN_EBPF] failure in kernels that don't define `open_how.flags` #3417

Open Andreagit97 opened 4 days ago

Andreagit97 commented 4 days ago
```
auxmap__store_u32_param(auxmap, open_flags_to_scap(how.flags));
278: <invalid CO-RE relocation>
failed to resolve CO-RE relocation <byte_off> [1685] struct open_how.flags (0:0 @ offset 0)
processed 232 insns (limit 1000000) max_states_per_insn 0 total_states 13 peak_states 13 mark_read 5
-- END PROG LOAD LOG --
Wed Nov 27 13:23:03 2024: [libs]: libbpf: prog 'openat2_e': failed to load: -22
Wed Nov 27 13:23:03 2024: [libs]: libbpf: failed to load object 'bpf_probe'
Wed Nov 27 13:23:03 2024: [libs]: libbpf: failed to load BPF skeleton 'bpf_probe': -22
Wed Nov 27 13:23:03 2024: [libs]: libpman: failed to load BPF object (errno: 22 | message: Invalid argument)
Wed Nov 27 13:23:03 2024: An error occurred in an event source, forcing termination...
Wed Nov 27 13:23:03 2024: Stopping capture for event source 'syscall'
Wed Nov 27 13:23:03 2024: [libs]:
n_evts:49
```

Best regards,

Originally posted by @salem017 in https://github.com/falcosecurity/falco/issues/3323#issuecomment-2503964168

salem017 commented 4 days ago

There are some details.

```
Wed Nov 27 16:18:56 2024: The --cri option is deprecated and will be removed in Falco 0.40.0. Use -o container_engines.cri.sockets[]=<socket_path> instead.
Wed Nov 27 16:18:56 2024: Falco version: 0.39.2 (x86_64)
Wed Nov 27 16:18:56 2024: CLI args: /usr/bin/falco --cri /var/run/docker.sock --cri /run/containerd/containerd.sock --cri /run/crio/crio.sock -pk
Wed Nov 27 16:18:56 2024: Falco initialized with configuration files:
Wed Nov 27 16:18:56 2024: /etc/falco/config.d/engine-kind-falcoctl.yaml | schema validation: ok
Wed Nov 27 16:18:56 2024: /etc/falco/falco.yaml | schema validation: ok
Wed Nov 27 16:18:56 2024: System info: Linux version 4.18.0-372.119.1.el8_6.x86_64 (mockbuild@x86-64-02.build.eng.rdu2.redhat.com) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-10) (GCC)) #1 SMP Fri Aug 9 17:13:36 EDT 2024
Wed Nov 27 16:18:56 2024: Enabled container engine 'docker'
Wed Nov 27 16:18:56 2024: Enabled container engine 'podman'
Wed Nov 27 16:18:56 2024: Enabled container engine 'CRI'
Wed Nov 27 16:18:56 2024: Enabled container engine 'lxc'
Wed Nov 27 16:18:56 2024: Enabled container engine 'libvirt_lxc'
Wed Nov 27 16:18:56 2024: Enabled container engine 'bpm'
Wed Nov 27 16:18:56 2024: Enabled container runtime socket at '/var/run/docker.sock' via CLI args
Wed Nov 27 16:18:56 2024: Enabled container runtime socket at '/run/containerd/containerd.sock' via CLI args
Wed Nov 27 16:18:56 2024: Enabled container runtime socket at '/run/crio/crio.sock' via CLI args
Wed Nov 27 16:18:56 2024: Configured rules filenames:
Wed Nov 27 16:18:56 2024: /etc/falco/falco_rules.yaml
Wed Nov 27 16:18:56 2024: /etc/falco/falco-incubating_rules.yaml
Wed Nov 27 16:18:56 2024: /etc/falco/falco-sandbox_rules.yaml
Wed Nov 27 16:18:56 2024: /etc/falco/falco_extended_rules.yaml
Wed Nov 27 16:18:56 2024: Loading rules from:
Wed Nov 27 16:18:56 2024: /etc/falco/falco_rules.yaml | schema validation: ok
Wed Nov 27 16:18:56 2024: /etc/falco/falco-incubating_rules.yaml | schema validation: ok
Wed Nov 27 16:18:56 2024: /etc/falco/falco-sandbox_rules.yaml | schema validation: ok
Wed Nov 27 16:18:57 2024: /etc/falco/falco_extended_rules.yaml | schema validation: ok
Wed Nov 27 16:18:57 2024: /etc/falco/falco_extended_rules.yaml: Ok, with warnings
12 Warnings:
```

Best regards

salem017 commented 4 days ago

env: OpenShift cluster

Behavior: CrashLoopBackOff and Falco never starts