
[Bug Report] eBPF listeners can't be created: error enabling tracepoint, Failed to attach uprobe uprobe/getaddrinfo, uretprobe/getaddrinfo, uretprobe/gethostbyname

Open Morriz opened this issue 9 months ago • 5 comments

Describe the bug:

I think essential information can't be gathered and some important events are not created. Why do I say that? I see a lot of outbound IP traffic logged (via reverse DNS that OpenSnitch does, right?) but none of the TCP traffic that usually follows it. This outbound traffic originates in containers behind a Traefik proxy, so maybe there lies an answer?

I see this in the logs:

[2025-04-03 23:01:10]  ERR  [eBPF events] error enabling tracepoint tracepoint/syscalls/sys_enter_execve: cannot read tracepoint id "/sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/id": open /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/id: no such file or directory
[2025-04-03 23:01:10]  ERR  [eBPF events] error enabling tracepoint tracepoint/syscalls/sys_enter_execveat: cannot read tracepoint id "/sys/kernel/debug/tracing/events/syscalls/sys_enter_execveat/id": open /sys/kernel/debug/tracing/events/syscalls/sys_enter_execveat/id: no such file or directory
[2025-04-03 23:01:10]  ERR  [eBPF events] error enabling tracepoint tracepoint/syscalls/sys_exit_execve: cannot read tracepoint id "/sys/kernel/debug/tracing/events/syscalls/sys_exit_execve/id": open /sys/kernel/debug/tracing/events/syscalls/sys_exit_execve/id: no such file or directory
[2025-04-03 23:01:10]  ERR  [eBPF events] error enabling tracepoint tracepoint/syscalls/sys_exit_execveat: cannot read tracepoint id "/sys/kernel/debug/tracing/events/syscalls/sys_exit_execveat/id": open /sys/kernel/debug/tracing/events/syscalls/sys_exit_execveat/id: no such file or directory
[2025-04-03 23:01:10]  WAR  EBPF-DNS: Failed to attach uprobe uprobe/getaddrinfo : cannot open uprobe_events: open /sys/kernel/debug/tracing/uprobe_events: no such file or directory, (/lib/aarch64-linux-gnu/libc.so.6, 860176)
[2025-04-03 23:01:10]  WAR  EBPF-DNS: Failed to attach uprobe uretprobe/getaddrinfo : cannot open uprobe_events: open /sys/kernel/debug/tracing/uprobe_events: no such file or directory, (/lib/aarch64-linux-gnu/libc.so.6, 860176)
[2025-04-03 23:01:10]  WAR  EBPF-DNS: Failed to attach uprobe uretprobe/gethostbyname : cannot open uprobe_events: open /sys/kernel/debug/tracing/uprobe_events: no such file or directory, (/lib/aarch64-linux-gnu/libc.so.6, 1016320)
[2025-04-03 23:01:10]  WAR  EBPF-DNS: Failed to find symbols for uprobes.
[2025-04-03 23:01:10]  WAR  EBPF-DNS: Unable to attach ebpf listener: Failed to find symbols for uprobes

Maybe this has to do with my Rpi5, which is arm based?

Include the following information:

  • OpenSnitch version: 1.6.6
  • OS: Debian GNU/Linux 12 (bookworm)
  • OS version: 2025-03-19
  • Window Manager: ?
  • Kernel version: Linux raspberrypi 6.12.20+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.12.20-1+rpt1~bpo12+1 (2025-03-19) aarch64 GNU/Linux

To Reproduce:

Steps to reproduce the behavior:

  1. install on Rpi5 and start
  2. observe errors

Expected behavior (optional):

Opensnitch to pick up that information.

Morriz, Apr 04 '25 09:04

As far as I remember, on arm64 all the kernel probes should work.

Could you post the output of opensnitchd -check-requirements? In the meantime I'll test on an aarch64 system.

gustavo-iniguez-goya, Apr 04 '25 12:04

It works at least on an Ubuntu 20.x kernel 5.8:

~ # cat /sys/kernel/debug/tracing/kprobe_events 
p:kprobes/pudp_sendmsg udp_sendmsg
p:kprobes/ptcp_v6_connect tcp_v6_connect
p:kprobes/pudpv6_sendmsg udpv6_sendmsg
p:kprobes/pinet_dgram_connect inet_dgram_connect
r1:kprobes/rinet_dgram_connect inet_dgram_connect
p:kprobes/piptunnel_xmit iptunnel_xmit
p:kprobes/ptcp_v4_connect tcp_v4_connect
r1:kprobes/rtcp_v4_connect tcp_v4_connect
r1:kprobes/rtcp_v6_connect tcp_v6_connect
~ # cat /sys/kernel/debug/tracing/uprobe_events 
r:uprobes/r___lib_aarch64_linux_gnu_libc_so_6_e72a0_gobpf_626 /lib/aarch64-linux-gnu/libc.so.6:0x00000000000e72a0
p:uprobes/p___lib_aarch64_linux_gnu_libc_so_6_c2a50_gobpf_626 /lib/aarch64-linux-gnu/libc.so.6:0x00000000000c2a50
r:uprobes/r___lib_aarch64_linux_gnu_libc_so_6_c2a50_gobpf_626 /lib/aarch64-linux-gnu/libc.so.6:0x00000000000c2a50

So probably the options CONFIG_HAVE_SYSCALL_TRACEPOINTS=y and/or CONFIG_FTRACE_SYSCALLS=y are disabled for your kernel.

gustavo-iniguez-goya, Apr 04 '25 13:04

I don't like to rebuild kernels but if I have to I will. Here's the output of opensnitchd -check-requirements (seems like a lot of missing caps):

	Checking system requirements for kernel version 6.12.20+rpt-rpi-v8
------------------------------------------------------------------------------

	Checking => CONFIG_KPROBES=y
	Checking => CONFIG_KPROBES_ON_FTRACE=y
	 - KPROBES not fully supported by this kernel.
	Checking => CONFIG_HAVE_KPROBES=y
	Checking => CONFIG_HAVE_KPROBES_ON_FTRACE=y
	 - KPROBES not fully supported by this kernel.
	Checking => CONFIG_KPROBE_EVENTS=y

	* kprobes	 ✘

	Checking => CONFIG_UPROBES=y
	 * UPROBES not supported. Common error => cannot open uprobe_events: open /sys/kernel/debug/tracing/uprobe_events
	Checking => CONFIG_UPROBE_EVENTS=y
	 * UPROBES not supported. Common error => cannot open uprobe_events: open /sys/kernel/debug/tracing/uprobe_events

	* uprobes	 ✘

	Checking => CONFIG_FTRACE=y

	* ftrace	 ✔

	Checking => CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
	Checking => CONFIG_FTRACE_SYSCALLS=y
	 - CONFIG_FTRACE_SYSCALLS or CONFIG_HAVE_SYSCALL_TRACEPOINTS not set. Common error => error enabling tracepoint tracepoint/syscalls/sys_enter_execve: cannot read tracepoint id

	* syscalls	 ✘

	Checking => CONFIG_NETFILTER_NETLINK_QUEUE=[my]
	Checking => CONFIG_NFT_QUEUE=[my]
	Checking => CONFIG_NETFILTER_XT_TARGET_NFQUEUE=[my]

	* nfqueue	 ✔

	Checking => CONFIG_NETFILTER_NETLINK=[my]
	Checking => CONFIG_NETFILTER_NETLINK_QUEUE=[my]
	Checking => CONFIG_NETFILTER_NETLINK_ACCT=[my]

	* netlink	 ✔

	Checking => CONFIG_INET_DIAG=[my]
	Checking => CONFIG_INET_TCP_DIAG=[my]
	Checking => CONFIG_INET_UDP_DIAG=[my]
	 * One or more socket monitoring interfaces are not enabled (CONFIG_INET_DIAG, CONFIG_INET_TCP_DIAG, CONFIG_INET_UDP_DIAG, CONFIG_DIAG_DESTROY (Reject feature)).
	Checking => CONFIG_INET_DIAG_DESTROY=[my]
	 * One or more socket monitoring interfaces are not enabled (CONFIG_INET_DIAG, CONFIG_INET_TCP_DIAG, CONFIG_INET_UDP_DIAG, CONFIG_DIAG_DESTROY (Reject feature)).

	* net diagnostics	 ✘


WARNING: Your kernel doesn't support some of the features OpenSnitch needs:
Read more: https://github.com/evilsocket/opensnitch/issues/774

Morriz, Apr 06 '25 08:04
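The -check-requirements output above can be reproduced offline from the kernel's own config. The script below is an added example, not OpenSnitch's code: it parses /proc/config.gz or /boot/config-$(uname -r) (or a constructed sample modelled on the Pi output, which is not the actual Pi .config), applies the same option groups the daemon prints above (options shown as `=y` must be built in, those shown as `=[my]` may be built in or a module), and probes the two usual tracefs mount points, since the daemon's log lines refer to the debugfs one.

```python
"""Offline re-check of the kernel options that `opensnitchd -check-requirements` tests.
Added example, not OpenSnitch's code: option groups mirror the output pasted above
("y" must be built in; "[my]" may be built in or a module), plus a tracefs probe.
"""
import gzip
import os
import re

Y, YM = frozenset({"y"}), frozenset({"y", "m"})

# Groups and options exactly as printed in the thread; dict order drives the report.
REQUIREMENTS = {
    "kprobes": {"CONFIG_KPROBES": Y, "CONFIG_KPROBES_ON_FTRACE": Y, "CONFIG_HAVE_KPROBES": Y,
                "CONFIG_HAVE_KPROBES_ON_FTRACE": Y, "CONFIG_KPROBE_EVENTS": Y},
    "uprobes": {"CONFIG_UPROBES": Y, "CONFIG_UPROBE_EVENTS": Y},
    "ftrace": {"CONFIG_FTRACE": Y},
    "syscalls": {"CONFIG_HAVE_SYSCALL_TRACEPOINTS": Y, "CONFIG_FTRACE_SYSCALLS": Y},
    "nfqueue": {"CONFIG_NETFILTER_NETLINK_QUEUE": YM, "CONFIG_NFT_QUEUE": YM,
                "CONFIG_NETFILTER_XT_TARGET_NFQUEUE": YM},
    "netlink": {"CONFIG_NETFILTER_NETLINK": YM, "CONFIG_NETFILTER_NETLINK_QUEUE": YM,
                "CONFIG_NETFILTER_NETLINK_ACCT": YM},
    "net diagnostics": {"CONFIG_INET_DIAG": YM, "CONFIG_INET_TCP_DIAG": YM,
                        "CONFIG_INET_UDP_DIAG": YM, "CONFIG_INET_DIAG_DESTROY": YM},
}

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Parse kernel .config text into {option: value}; '# X is not set' becomes 'n'."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SET.match(line):
            cfg[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            cfg[m.group(1)] = "n"
    return cfg


def check_requirements(cfg):
    """Return {group: [missing options]}; an option absent from cfg counts as 'n'."""
    return {group: [opt for opt, ok in opts.items() if cfg.get(opt, "n") not in ok]
            for group, opts in REQUIREMENTS.items()}


def failing_groups(report):
    """Groups that would get a ✘ in the daemon's output, sorted by name."""
    return sorted(g for g, missing in report.items() if missing)


def tracefs_root(candidates=("/sys/kernel/tracing", "/sys/kernel/debug/tracing")):
    """First candidate where tracefs is visible (kprobe_events exists), else None."""
    for c in candidates:
        if os.path.exists(os.path.join(c, "kprobe_events")):
            return c
    return None


def load_running_config():
    """Read /proc/config.gz or /boot/config-<release>; return {} if neither exists."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return parse_config(f.read())
    boot = "/boot/config-" + os.uname().release
    if os.path.exists(boot):
        with open(boot) as f:
            return parse_config(f.read())
    return {}


# Constructed sample modelled on the Pi output above (not the real Pi .config): kprobes
# partly present, uprobes and syscall tracepoints off, netfilter pieces built as modules.
SAMPLE_CONFIG = """\
CONFIG_LOCALVERSION="+rpt-rpi-v8"
CONFIG_KPROBES=y
# CONFIG_KPROBES_ON_FTRACE is not set
CONFIG_HAVE_KPROBES=y
CONFIG_KPROBE_EVENTS=y
# CONFIG_UPROBES is not set
# CONFIG_UPROBE_EVENTS is not set
CONFIG_FTRACE=y
# CONFIG_FTRACE_SYSCALLS is not set
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NFT_QUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
# CONFIG_INET_UDP_DIAG is not set
# CONFIG_INET_DIAG_DESTROY is not set
"""

if __name__ == "__main__":
    live = load_running_config()
    cfg = live or parse_config(SAMPLE_CONFIG)
    print("config source:", "running kernel" if live else "constructed sample")
    print("tracefs:", tracefs_root() or "not found at either usual mount point")
    for group, missing in check_requirements(cfg).items():
        print(f"  {group:16s}", "✔" if not missing else "✘ missing " + ", ".join(missing))
```

Run it on the box whose kernel you are about to rebuild: if neither /proc/config.gz (needs CONFIG_IKCONFIG_PROC) nor /boot/config-<release> exists it falls back to the constructed sample, so check the "config source" line before trusting the verdict. Options that are absent from the file entirely (the CONFIG_HAVE_* symbols are select-only and never appear when unset) are treated as off, which matches how the daemon reports them.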

I tested: outbound direct IP traffic from Docker containers does not get detected now. Because of these missing capabilities, you think?

Morriz, Apr 06 '25 08:04

> I don't like to rebuild kernels but if I have to I will. Here's the output of opensnitchd -check-requirements (seems like a lot of missing caps):

Yeah, you'll need to recompile the kernel for tracepoints and uprobes to work. Connection interception should work, and you should have several kprobes entries in /sys/kernel/debug/tracing/kprobe_events

> I tested outbound direct ip traffic from docker containers does not get detected now. Because of these missing capabilities you think?

This is a limitation we have for now, since Netfilter rules created in the host do not affect those created in containers (net namespace).

Enable the rule "7d7394e1-100d-4b87-a90a-cd68c46edb0b" in your /etc/opensnitchd/system-fw.json to intercept forwarded connections.

gustavo-iniguez-goya, Apr 07 '25 23:04
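Enabling the rule by hand means finding one UUID inside system-fw.json and flipping its flag without disturbing anything else. The script below is an added example, not OpenSnitch's own tooling: it assumes only what the thread shows, namely that the file is JSON and the rule is an object carrying "UUID" and "Enabled" keys. How rules are nested in the real file is not shown on the page, so the walk is layout-agnostic (any object with the matching UUID is flipped) and the "SystemRules" -> "Rule" nesting in the constructed sample is an assumption for illustration only.

```python
"""Enable one OpenSnitch system firewall rule by UUID, keeping a backup of the file.
Added example, not OpenSnitch's tooling. Assumes only that system-fw.json is JSON and
that the rule is an object with "UUID" and "Enabled" keys; nesting is not assumed.
"""
import copy
import json
import shutil
import sys
from pathlib import Path

FORWARD_RULE_UUID = "7d7394e1-100d-4b87-a90a-cd68c46edb0b"  # UUID named in the thread


def enable_rule(node, uuid):
    """Recursively set Enabled=True on every object whose UUID matches; return match count."""
    hits = 0
    if isinstance(node, dict):
        if node.get("UUID") == uuid and "Enabled" in node:
            node["Enabled"] = True
            hits += 1
        for child in node.values():
            hits += enable_rule(child, uuid)
    elif isinstance(node, list):
        for child in node:
            hits += enable_rule(child, uuid)
    return hits


def enable_rule_in_file(path, uuid=FORWARD_RULE_UUID):
    """Back up <path> to <path>.bak, flip the rule, rewrite the file; raise if UUID absent."""
    p = Path(path)
    doc = json.loads(p.read_text())
    n = enable_rule(doc, uuid)
    if n == 0:
        raise LookupError(f"no rule with UUID {uuid} in {path}")
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_text(json.dumps(doc, indent=4) + "\n")
    return n


# Constructed sample document; the "SystemRules" -> "Rule" nesting is an assumption,
# which is why enable_rule() does not depend on it.
SAMPLE_FW = {
    "Enabled": True,
    "SystemRules": [
        {"Rule": {"Enabled": False, "UUID": FORWARD_RULE_UUID,
                  "Description": "intercept forwarded connections"}},
        {"Rule": {"Enabled": False, "UUID": "11111111-2222-3333-4444-555555555555",
                  "Description": "unrelated rule, must stay disabled"}},
    ],
}


def sample_doc():
    """Fresh mutable copy of the constructed sample."""
    return copy.deepcopy(SAMPLE_FW)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. sudo python3 enable_rule.py /etc/opensnitchd/system-fw.json
        print("rules enabled:", enable_rule_in_file(sys.argv[1]))
    else:
        doc = sample_doc()
        print("rules enabled:", enable_rule(doc, FORWARD_RULE_UUID))
        print(json.dumps(doc, indent=2))
```

The file is owned by root, so run it with sudo when pointing it at /etc/opensnitchd/system-fw.json; the .bak copy lets you revert if the daemon rejects the edited file. If opensnitchd does not pick up the change on its own, restart it so the forwarded-connection rule is actually installed.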