Closed mdafsanhossain closed 5 months ago
Hi! I just made a similar fix for old eBPF probe: https://github.com/falcosecurity/libs/pull/1794/files. I also increased the reccommented minimum kernel release version to 5.1 for old eBPF on ppc64.
I think the same fix (https://github.com/falcosecurity/libs/pull/1794/files#diff-93bba54bcdb415b3c7d9062c3a452b2dfd8518c230c2fcd7acfcfb81a3d32331R100) could also be ported to modern.
Note: kmod should not be affected since it uses kernel API task_thread_info
to retrieve the info.
Also, please note that this patch: https://github.com/stackrox/falcosecurity-libs/commit/33f4f0b67e7ec1817db806dadb38605e3d9872e2
is a bit wrong since you are testing against CONFIG_THREAD_INFO_IN_TASK
of the machine where the modern probe gets built, but with CORE, we should instead check against the machine where we run.
We will try to address this upstream asap :)
Thanks, will wait for the patch. Curiosity, how do we check against the machine where we run?
We can leverage libbpf core support, like eg: we do here: https://github.com/falcosecurity/libs/blob/master/driver/modern_bpf/helpers/extract/extract_from_kernel.h#L417
Here it is: https://github.com/falcosecurity/libs/pull/1806
Thanks @FedeDP and @Andreagit97. However, I ran a quick test on rhel 8.6 and it fails with the following
sudo ./libscap/examples/01-open/scap-open --modern_bpf
[SCAP-OPEN]: Hello!
--------------------------- SCAP SOURCE --------------------------
* Modern BPF probe, 1 ring buffer every 1 CPUs
------------------------------------------------------------------
------------------------- CONFIGURATIONS -------------------------
* Print single event type: -1 (`-1` means no event to print).
* Run until '18446744073709551615' events are catched.
------------------------------------------------------------------
---------------------- INTERESTING SYSCALLS ----------------------
* All sc codes are enabled!
------------------------------------------------------------------
libbpf: prog 'bind_e': BPF program load failed: ERROR: strerror_r(524)=22
libbpf: prog 'bind_e': -- BEGIN PROG LOAD LOG --
processed 170 insns (limit 1000000) max_states_per_insn 0 total_states 10 peak_states 10 mark_read 6
-- END PROG LOAD LOG --
libbpf: prog 'bind_e': failed to load: -524
libbpf: failed to load object 'bpf_probe'
libbpf: failed to load BPF skeleton 'bpf_probe': -524
(524)
libpman: failed to load BPF object (errno: 524 | message: Unknown error 524)
What I did:
cmake \
-DUSE_BUNDLED_DEPS=ON \
-DBUILD_LIBSCAP_MODERN_BPF=ON \
-DMODERN_BPF_DEBUG_MODE=ON ../;
make scap-open
sudo ./libscap/examples/01-open/scap-open --modern_bpf
errrno 524
means not supported so probably your machine doesn't support some helpers that are necessary for the modern ebpf probe... logs don't help here, could you try to run in verbose mode?
sudo ./libscap/examples/01-open/scap-open --modern_bpf --verbose 7
Verbose log but no additional info on the prog loading.
We've been investigating this unsupported error a fair bit the last couple of days, and we're not yet sure of the cause, whether that's the modern_bpf probe, clang (17), libbpf, or the RHEL kernel we're running on, but here's some additional context:
dmesg gives us an error indicating that an opcode is unsupported:
eBPF filter opcode 0039 (@2) unsupported
Which is BPF_LDX | BPF_DW | BPF_ABS
, but based on docs this opcode seems to be for packet inspection and that doesn't fit with the programs that seem to be affected. (cc @erthalion as he's the one who identified this)
Our current suspicion is libbpf, and I'm currently getting it to dump the program instructions just before loading so we can inspect them further.
uhm wow, maybe we can use perf trace
(https://github.com/iovisor/bcc/issues/3044#issuecomment-672573967) to dig into the root cause, we could also use retsnoop
(https://github.com/anakryiko/retsnoop) but i don't think the build is supported on ppc64le :/
@Andreagit97 @FedeDP should I open a new issue for tracking the unsupported opcode error?
yep it would be great thanks!
/milestone 7.1.0+driver
Describe the bug
When scap-open is executed on ppc64le RHEL 8.6 machine (kernel version:
4.18.0-372.9.1.el8.ppc64le
), modern-bpf loading fails withSame thing happens with RHEL 8.8
4.18.0-477.10.1.el8_8.ppc64le
but adding guards to check forCONFIG_THREAD_INFO_IN_TASK
resolves it and probe loads successfully.https://github.com/stackrox/falcosecurity-libs/commit/33f4f0b67e7ec1817db806dadb38605e3d9872e2
How to reproduce it
On a ppc64le RHEL 8.6 machine, after compiling scap with modern-bpf
sudo ./libscap/examples/01-open/scap-open --modern_bpf
Expected behaviour
Probe loads successfully.
Environment
Additional context
Not sure if relevant,
vmlinux.h
was generated on a fedora 35 ppc64le vm./cc @Stringy
Appreciate inputs to determine what's going on here.