webvictim
commented
3 years ago Try adding this to your systemd unit file:
[Service]
AmbientCapabilities=CAP_BPFthen systemctl daemon-reload and systemctl restart teleport.
Open benarent opened 3 years ago
webvictim
commented
3 years ago Try adding this to your systemd unit file:
[Service]
AmbientCapabilities=CAP_BPFthen systemctl daemon-reload and systemctl restart teleport.
benarent
commented
3 years ago Thanks @webvictim I tried this but no luck. I'll keep poking around.,
webvictim
commented
3 years ago Interesting. Are you running Teleport as root in your systemd unit file? If not, does that fix the issue?
It may be that systemd has some other kernel capabilities to set or limits that need to be lifted to allow BPF to work.
benarent
commented
3 years ago I'm using this SystemD file
[Unit]
Description=Teleport SSH Service
After=network.target
[Service]
Type=simple
#AmbientCapabilities=CAP_BPF
User=fedora
Restart=on-failure
EnvironmentFile=-/etc/default/teleport
ExecStart=/usr/local/bin/teleport start --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid
LimitNOFILE=8192
AmbientCapabilities=CAP_BPF
[Install]
WantedBy=multi-user.targetand this is the result of systemd-analyze security teleport.service
[fedora@ip-10-0-0-16 ~]$ systemd-analyze security teleport.service
NAME DESCRIPTION EXPOSURE
✗ PrivateNetwork= Service has access to the host's network 0.5
✓ User=/DynamicUser= Service runs under a static non-root user identity
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3
✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3
✗ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ RestrictNamespaces=~CLONE_NEWUSER Service may create user namespaces 0.3
✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service may change file ownership/access mode/capabilities unrestricted 0.2
✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service may override UNIX file/IPC permission checks 0.2
✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2
✗ CapabilityBoundingSet=~CAP_SYS_MODULE Service may load kernel modules 0.2
✗ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has raw I/O access 0.2
✗ CapabilityBoundingSet=~CAP_SYS_TIME Service processes may change the system clock 0.2
✗ DeviceAllow= Service has no device ACL 0.2
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✓ KeyringMode= Service doesn't share key material with other services
✗ NoNewPrivileges= Service processes may acquire new privileges 0.2
✓ NotifyAccess= Service child processes cannot alter service state
✗ PrivateDevices= Service potentially has access to hardware devices 0.2
✗ PrivateMounts= Service may install system mounts 0.2
✗ PrivateTmp= Service has access to other software's temporary files 0.2
✗ PrivateUsers= Service has access to other users 0.2
✗ ProtectClock= Service may write to the hardware clock or system clock 0.2
✗ ProtectControlGroups= Service may modify the control group file system 0.2
✗ ProtectHome= Service has full access to home directories 0.2
✗ ProtectKernelLogs= Service may read from or write to the kernel log ring buffer 0.2
✗ ProtectKernelModules= Service may load or read kernel modules 0.2
✗ ProtectKernelTunables= Service may alter kernel tunables 0.2
✗ ProtectProc= Service has full access to process tree (/proc hidepid=) 0.2
✗ ProtectSystem= Service has full access to the OS file hierarchy 0.2
✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
✗ RestrictSUIDSGID= Service may create SUID/SGID files 0.2
✗ SystemCallArchitectures= Service may execute system calls with all ABIs 0.2
✗ SystemCallFilter=~@clock Service does not filter system calls 0.2
✗ SystemCallFilter=~@debug Service does not filter system calls 0.2
✗ SystemCallFilter=~@module Service does not filter system calls 0.2
✗ SystemCallFilter=~@mount Service does not filter system calls 0.2
✗ SystemCallFilter=~@raw-io Service does not filter system calls 0.2
✗ SystemCallFilter=~@reboot Service does not filter system calls 0.2
✗ SystemCallFilter=~@swap Service does not filter system calls 0.2
✗ SystemCallFilter=~@privileged Service does not filter system calls 0.2
✗ SystemCallFilter=~@resources Service does not filter system calls 0.2
✗ AmbientCapabilities= Service process receives ambient capabilities 0.1
✗ CapabilityBoundingSet=~CAP_AUDIT_* Service has audit subsystem access 0.1
✗ CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to arbitrary processes 0.1
✗ CapabilityBoundingSet=~CAP_MKNOD Service may create device nodes 0.1
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1
✗ CapabilityBoundingSet=~CAP_SYSLOG Service has access to kernel logging 0.1
✗ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has privileges to change resource use parameters 0.1
✗ RestrictNamespaces=~CLONE_NEWCGROUP Service may create cgroup namespaces 0.1
✗ RestrictNamespaces=~CLONE_NEWIPC Service may create IPC namespaces 0.1
✗ RestrictNamespaces=~CLONE_NEWNET Service may create network namespaces 0.1
✗ RestrictNamespaces=~CLONE_NEWNS Service may create file system namespaces 0.1
✗ RestrictNamespaces=~CLONE_NEWPID Service may create process namespaces 0.1
✗ RestrictRealtime= Service may acquire realtime scheduling 0.1
✗ SystemCallFilter=~@cpu-emulation Service does not filter system calls 0.1
✗ SystemCallFilter=~@obsolete Service does not filter system calls 0.1
✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✓ SupplementaryGroups= Service has no supplementary groups
✗ CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1
✗ CapabilityBoundingSet=~CAP_SYS_BOOT Service may issue reboot() 0.1
✓ Delegate= Service does not maintain its own delegated control group subtree
✗ LockPersonality= Service may change ABI personality 0.1
✗ MemoryDenyWriteExecute= Service may create writable executable memory mappings 0.1
✗ RemoveIPC= Service user may leave SysV IPC objects around 0.1
✗ RestrictNamespaces=~CLONE_NEWUTS Service may create hostname namespaces 0.1
✗ UMask= Files created by service are world-readable by default 0.1
✗ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service may mark files immutable 0.1
✗ CapabilityBoundingSet=~CAP_IPC_LOCK Service may lock memory into RAM 0.1
✗ CapabilityBoundingSet=~CAP_SYS_CHROOT Service may issue chroot() 0.1
✗ ProtectHostname= Service may change system host/domainname 0.1
✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service may establish wake locks 0.1
✗ CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1
✗ CapabilityBoundingSet=~CAP_SYS_PACCT Service may use acct() 0.1
✗ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service may issue vhangup() 0.1
✗ CapabilityBoundingSet=~CAP_WAKE_ALARM Service may program timers that wake up the system 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1
→ Overall exposure level for teleport.service: 9.3 UNSAFE 😨I think this could be a SELinux issue ( see https://github.com/gravitational/teleport/issues/4032 ) .. going to try changing that the config and check permissions
benarent
commented
3 years ago @eyakubovich Thanks for looking at the other issue. This is another eBPF related bug I ran into recently, I think my lack of knowledge in Fedora might be the issue, I've turned off SELinux but I still can't get it running on Fedora using SystemD
eyakubovich
commented
3 years ago Try adding CAP_TRACING
wadells
commented
2 years ago I was messing around on Fedora 34 today, ran into this, and made a bit of progress. This appears to be selinux related. AmbientCapabilities=CAP_BPF,CAP_TRACING seemed like a red herring to me.
[fedora@ip-10-53-0-23 systemd]$ sudo ausearch -c 'teleport' --raw | awk '{$2=$9=""; print $0}' | sort | uniq -c
110 type=AVC avc: denied { confidentiality } for comm="teleport" lockdown_reason="unsafe use of perf" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0
10 type=AVC avc: denied { confidentiality } for comm="teleport" lockdown_reason="use of kprobes" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=lockdown permissive=0This led me to discussion of Multi Category Security and confidentiality:
I haven't gotten the proper solution yet, but as a hack:
sudo ausearch -c 'teleport' --raw | audit2allow -M teleport
sudo semodule -i teleport.pp
Description
What happened:
While testing out the new https://goteleport.com/docs/server-access/guides/bpf-session-recording/, I was unable to get Teleport to work using our standard SystemD setup. It works when I start teleport with
sudo teleport start, this would make me believe it's an issue with my SystemD setup. I'm not that familiar with Fedora, but I've exhausted my StackOverflow level of debugging.,What you expected to happen:
Reproduction Steps
As minimally and precisely as possible, describe step-by-step how to reproduce the problem. 1. 2. 3.
Server Details
teleport version):/etc/os-release):Client Details
tsh version):Debug Logs
Please include or attach debug logs, when appropriate. Obfuscate sensitive information!
teleport --debug)tsh --debug)