[BUG] non CO-RE code permission denied without cancel-drop

Open rafaeldtinoco opened this issue 3 years ago • 1 comments

Prerequisites

  • [ ] This affects latest released version.
  • [x] This affects current development tree (origin/HEAD).
  • [ ] There isn't an issue describing the bug.

Select one OR another:

  • [ ] I'm going to create a PR to solve this (assign to yourself).
  • [x] Someone else should solve this.

Bug description

non CO-RE code permission denied without cancel-drop

This is how I'm executing tracee (cmdline):

$ sudo TRACEE_BPF_FILE=/tmp/tracee/tracee.bpf.5_15_65-1-MANJARO.v0_8_3-12-gb567f6bc.o ./dist/tracee-ebpf --debug -o none
OSInfo: BUILD_ID: rolling
OSInfo: PRETTY_NAME: "Manjaro Linux"
OSInfo: KERNEL_RELEASE: 5.15.65-1-MANJARO
OSInfo: ARCH: x86_64
OSInfo: ID: manjaro
OSInfo: ID_LIKE: arch
RuntimeSockets: failed to register default containerd socket:
failed to register runtime socket stat /var/run/containerd/containerd.sock: no such file or directory
RuntimeSockets: failed to register default crio socket:
failed to register runtime socket stat /var/run/crio/crio.sock: no such file or directory
RuntimeSockets: failed to register default podman socket:
failed to register runtime socket stat /var/run/podman/podman.sock: no such file or directory
OSInfo: Security Lockdown is 'none'
BTF: bpfenv = true, btfenv = false, vmlinux = true
BPF: using BPF object from environment: /tmp/tracee/tracee.bpf.5_15_65-1-MANJARO.v0_8_3-12-gb567f6bc.o
Enricher: error registering enricher: unsupported runtime containerd
Enricher: error registering enricher: unsupported runtime crio
libbpf: prog 'tc_egress': BPF program load failed: Operation not permitted
libbpf: permission error while running as root; try raising 'ulimit -l'? current value: 512.0 MiB
libbpf: failed to load program 'tc_egress'
libbpf: failed to load object '/tmp/tracee/tracee.bpf.5_15_65-1-MANJARO.v0_8_3-12-gb567f6bc.o'
2022/09/23 17:02:07 error initializing Tracee: failed to load BPF object

Context

Relevant information about my setup:

  • Linux version: manjaro
  • Linux kernel version: 5.15.65-1-MANJARO
  • Tracee version (or commit id of your tree): b567f6bc
  • LLVM version: 14.0.6
  • Golang version: 1.19

Additional Information (files, logs, etc)

rafaeldtinoco, Sep 23 '22 20:09

@AlonZivony FYI (no obligation to fix, just for awareness)

rafaeldtinoco, Sep 23 '22 20:09

Closing this. Capabilities code was reimplemented by @rafaeldtinoco and fixed this

yanivagman, Oct 26 '22 15:10