Cannot compile sysdig/libscap bpf driver in 6.11.2-zen kernel
Describe the bug
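When running sysdig --bpf ..., the prebuilt bpf probe could not be downloaded (HTTP 404), and the fallback build of the bpf probe failed with the errors shown in the log below (no member named '__i_ctime' / '__i_mtime' in 'struct inode').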
How to reproduce it
Run sysdig --bpf ... on the affected kernel (6.11.2-zen1-1-zen).
Expected behaviour
Capturing events with sysdig.
Screenshots
* Running scap-driver-loader for: driver version=0.17.2, arch=x86_64, kernel release=6.11.2-zen1-1-zen, kernel version=1
* Running scap-driver-loader with: driver=bpf, compile=yes, download=yes
* Filename 'scap_arch_6.11.2-zen1-1-zen_1.o' is composed of:
- driver name: scap
- target identifier: arch
- kernel release: 6.11.2-zen1-1-zen
- kernel version: 1
* Trying to download a prebuilt eBPF probe from https://download.sysdig.com/scap-drivers/0.17.2/x86_64/scap_arch_6.11.2-zen1-1-zen_1.o
curl: (22) The requested URL returned error: 404
Unable to find a prebuilt scap eBPF probe
* Trying to compile the eBPF probe (scap_arch_6.11.2-zen1-1-zen_1.o)
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:12:
In file included from ./arch/x86/include/asm/current.h:10:
In file included from ./include/linux/cache.h:6:
In file included from ./arch/x86/include/asm/cache.h:5:
In file included from ./include/linux/linkage.h:8:
In file included from ./arch/x86/include/asm/linkage.h:6:
./arch/x86/include/asm/ibt.h:77:8: warning: 'nocf_check' attribute ignored; use -fcf-protection to enable the attribute [-Wignored-attributes]
77 | extern __noendbr u64 ibt_save(bool disable);
| ^
./arch/x86/include/asm/ibt.h:32:34: note: expanded from macro '__noendbr'
32 | #define __noendbr __attribute__((nocf_check))
| ^
./arch/x86/include/asm/ibt.h:78:8: warning: 'nocf_check' attribute ignored; use -fcf-protection to enable the attribute [-Wignored-attributes]
78 | extern __noendbr void ibt_restore(u64 save);
| ^
./arch/x86/include/asm/ibt.h:32:34: note: expanded from macro '__noendbr'
32 | #define __noendbr __attribute__((nocf_check))
| ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:12:
./arch/x86/include/asm/current.h:47:10: warning: multiple identical address spaces specified for type [-Wduplicate-decl-specifier]
47 | return this_cpu_read_const(const_pcpu_hot.current_task);
| ^
./arch/x86/include/asm/percpu.h:577:36: note: expanded from macro 'this_cpu_read_const'
577 | #define this_cpu_read_const(pcp) __raw_cpu_read_const(pcp)
| ^
./arch/x86/include/asm/percpu.h:163:35: note: expanded from macro '__raw_cpu_read_const'
163 | #define __raw_cpu_read_const(pcp) __raw_cpu_read(, , pcp)
| ^
./arch/x86/include/asm/percpu.h:155:30: note: expanded from macro '__raw_cpu_read'
155 | *(qual __my_cpu_type(pcp) *)__my_cpu_ptr(&(pcp)); \
| ^
note: (skipping 1 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
./arch/x86/include/asm/percpu.h:94:40: note: expanded from macro '__my_cpu_type'
94 | #define __my_cpu_type(var) typeof(var) __percpu_seg_override
| ^
./arch/x86/include/asm/percpu.h:45:32: note: expanded from macro '__percpu_seg_override'
45 | # define __percpu_seg_override __seg_gs
| ^
<built-in>:358:33: note: expanded from macro '__seg_gs'
358 | #define __seg_gs __attribute__((address_space(256)))
| ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:12:
./arch/x86/include/asm/current.h:47:10: warning: multiple identical address spaces specified for type [-Wduplicate-decl-specifier]
./arch/x86/include/asm/percpu.h:577:36: note: expanded from macro 'this_cpu_read_const'
577 | #define this_cpu_read_const(pcp) __raw_cpu_read_const(pcp)
| ^
./arch/x86/include/asm/percpu.h:163:35: note: expanded from macro '__raw_cpu_read_const'
163 | #define __raw_cpu_read_const(pcp) __raw_cpu_read(, , pcp)
| ^
./arch/x86/include/asm/percpu.h:155:9: note: expanded from macro '__raw_cpu_read'
155 | *(qual __my_cpu_type(pcp) *)__my_cpu_ptr(&(pcp)); \
| ^
./arch/x86/include/asm/percpu.h:94:40: note: expanded from macro '__my_cpu_type'
94 | #define __my_cpu_type(var) typeof(var) __percpu_seg_override
| ^
./arch/x86/include/asm/percpu.h:45:32: note: expanded from macro '__percpu_seg_override'
45 | # define __percpu_seg_override __seg_gs
| ^
<built-in>:358:33: note: expanded from macro '__seg_gs'
358 | #define __seg_gs __attribute__((address_space(256)))
| ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:13:
./arch/x86/include/asm/processor.h:543:10: warning: multiple identical address spaces specified for type [-Wduplicate-decl-specifier]
543 | return this_cpu_read_const(const_pcpu_hot.top_of_stack);
| ^
./arch/x86/include/asm/percpu.h:577:36: note: expanded from macro 'this_cpu_read_const'
577 | #define this_cpu_read_const(pcp) __raw_cpu_read_const(pcp)
| ^
./arch/x86/include/asm/percpu.h:163:35: note: expanded from macro '__raw_cpu_read_const'
163 | #define __raw_cpu_read_const(pcp) __raw_cpu_read(, , pcp)
| ^
./arch/x86/include/asm/percpu.h:155:30: note: expanded from macro '__raw_cpu_read'
155 | *(qual __my_cpu_type(pcp) *)__my_cpu_ptr(&(pcp)); \
| ^
note: (skipping 1 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
./arch/x86/include/asm/percpu.h:94:40: note: expanded from macro '__my_cpu_type'
94 | #define __my_cpu_type(var) typeof(var) __percpu_seg_override
| ^
./arch/x86/include/asm/percpu.h:45:32: note: expanded from macro '__percpu_seg_override'
45 | # define __percpu_seg_override __seg_gs
| ^
<built-in>:358:33: note: expanded from macro '__seg_gs'
358 | #define __seg_gs __attribute__((address_space(256)))
| ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:17:
In file included from ./include/linux/sched.h:13:
./arch/x86/include/asm/processor.h:543:10: warning: multiple identical address spaces specified for type [-Wduplicate-decl-specifier]
./arch/x86/include/asm/percpu.h:577:36: note: expanded from macro 'this_cpu_read_const'
577 | #define this_cpu_read_const(pcp) __raw_cpu_read_const(pcp)
| ^
./arch/x86/include/asm/percpu.h:163:35: note: expanded from macro '__raw_cpu_read_const'
163 | #define __raw_cpu_read_const(pcp) __raw_cpu_read(, , pcp)
| ^
./arch/x86/include/asm/percpu.h:155:9: note: expanded from macro '__raw_cpu_read'
155 | *(qual __my_cpu_type(pcp) *)__my_cpu_ptr(&(pcp)); \
| ^
./arch/x86/include/asm/percpu.h:94:40: note: expanded from macro '__my_cpu_type'
94 | #define __my_cpu_type(var) typeof(var) __percpu_seg_override
| ^
./arch/x86/include/asm/percpu.h:45:32: note: expanded from macro '__percpu_seg_override'
45 | # define __percpu_seg_override __seg_gs
| ^
<built-in>:358:33: note: expanded from macro '__seg_gs'
358 | #define __seg_gs __attribute__((address_space(256)))
| ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:27:
/usr/src/scap-0.17.2/bpf/fillers.h:766:9: warning: cast to 'void *' from smaller integer type 'compat_uptr_t' (aka 'unsigned int') [-Wint-to-void-pointer-cast]
766 | (void*)compat_iov[j].iov_base))
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/src/scap-0.17.2/bpf/fillers.h:2525:48: warning: passing 'volatile long *' to parameter of type 'long *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
2525 | res = bpf_accumulate_argv_or_env(data, argv, &args_len);
| ^~~~~~~~~
/usr/src/scap-0.17.2/bpf/fillers.h:2063:19: note: passing argument to parameter 'args_len' here
2063 | long *args_len)
| ^
/usr/src/scap-0.17.2/bpf/fillers.h:3032:22: error: no member named '__i_ctime' in 'struct inode'
3032 | time = _READ(inode->__i_ctime);
| ~~~~~ ^
/usr/src/scap-0.17.2/bpf/plumbing_helpers.h:21:28: note: expanded from macro '_READ'
21 | #define _READ(P) ({ typeof(P) _val; \
| ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:27:
/usr/src/scap-0.17.2/bpf/fillers.h:3032:22: error: no member named '__i_ctime' in 'struct inode'
3032 | time = _READ(inode->__i_ctime);
| ~~~~~ ^
/usr/src/scap-0.17.2/bpf/plumbing_helpers.h:22:51: note: expanded from macro '_READ'
22 | bpf_probe_read_kernel(&_val, sizeof(_val), &P); \
| ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:27:
/usr/src/scap-0.17.2/bpf/fillers.h:3041:22: error: no member named '__i_mtime' in 'struct inode'
3041 | time = _READ(inode->__i_mtime);
| ~~~~~ ^
/usr/src/scap-0.17.2/bpf/plumbing_helpers.h:21:28: note: expanded from macro '_READ'
21 | #define _READ(P) ({ typeof(P) _val; \
| ^
In file included from /usr/src/scap-0.17.2/bpf/probe.c:27:
/usr/src/scap-0.17.2/bpf/fillers.h:3041:22: error: no member named '__i_mtime' in 'struct inode'
3041 | time = _READ(inode->__i_mtime);
| ~~~~~ ^
/usr/src/scap-0.17.2/bpf/plumbing_helpers.h:22:51: note: expanded from macro '_READ'
22 | bpf_probe_read_kernel(&_val, sizeof(_val), &P); \
| ^
8 warnings and 4 errors generated.
make[3]: *** [/usr/src/scap-0.17.2/bpf/Makefile:74: /usr/src/scap-0.17.2/bpf/probe.o] Error 1
make[2]: *** [/usr/lib/modules/6.11.2-zen1-1-zen/build/Makefile:1924: /usr/src/scap-0.17.2/bpf] Error 2
make[1]: *** [Makefile:224: __sub-make] Error 2
make: *** [Makefile:23: all] Error 2
mv: cannot stat '/usr/src/scap-0.17.2/bpf/probe.o': No such file or directory
Unable to load the scap eBPF probe
Unable to load the BPF probe
BPF probe is compiled for 6.10.10-zen1-1-zen, but running version is 6.11.2-zen1-1-zen
Environment
- Falco version: Falco is not installed; output from sysdig:
sysdig version 0.38.1
- System info: Falco is not installed; none
- Cloud provider or hardware configuration: VirtualBox 7.1.0
- OS: Arch
- Kernel: Linux arch 6.11.2-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Fri, 04 Oct 2024 21:51:07 +0000 x86_64 GNU/Linux
- Installation method: pacman
Additional context
On Arch, the patch from https://github.com/falcosecurity/libs/pull/1884 fixes the kmod build failure on 6.10+ kernels, but it does not fix the bpf probe, which still cannot be used.
Hi! Thanks for opening this issue! Driver 7.3.0+driver fixed the build against Linux 6.11 on x86_64; unfortunately, a small typo prevented the same fix from being applied to arm64 as well (that will be fixed in the next driver release). That does not affect you, since you are on x86_64. You need to use sysdig version 0.39.0, which includes the latest driver release: https://github.com/draios/sysdig/releases/tag/0.39.0
/milestone 0.19.0
/close
@FedeDP: Closing this issue.
In response to this:
/close