OpenSnitch reports missing eBPF

Hi,

What is the best way to install eBPF? It doesn’t seem to be available. Could the project team add it to the Fedora repository?

AFAIK ebpf is enabled by default.

Check with sudo bpftool feature probe. (The tool needs to be installed.)

I think you need to check with the opensnitch folk how they are checking for eBPF support and which features exactly are needed.

For the future: please always include exact error messages.

I don’t have the exact quote anymore but it said “Unable to set new process monitor (ebpf)” and recommended switching to the proc process monitor method, which I did. ebpf was not detected on my system. I ran the command inside toolbox to avoid layering a new package on Silverblue. It might be the reason it’s not detected.

⬢ [milesfernie@toolbx ~]$ sudo bpftool feature probe

Scanning system configuration...
bpf() syscall restricted to privileged users (admin can change)
JIT compiler is enabled
Unable to retrieve JIT hardening status
Unable to retrieve JIT kallsyms export status
Unable to retrieve global memory limit for JIT compiler for unprivileged users
skipping kernel config, can't open file: No such file or directory

Scanning system call availability...
bpf() syscall is available

Scanning eBPF program types...
eBPF program_type socket_filter is NOT available
eBPF program_type kprobe is NOT available
eBPF program_type sched_cls is NOT available
eBPF program_type sched_act is NOT available
eBPF program_type tracepoint is NOT available
eBPF program_type xdp is NOT available
eBPF program_type perf_event is NOT available
eBPF program_type cgroup_skb is NOT available
eBPF program_type cgroup_sock is NOT available
eBPF program_type lwt_in is NOT available
eBPF program_type lwt_out is NOT available
eBPF program_type lwt_xmit is NOT available
eBPF program_type sock_ops is NOT available
eBPF program_type sk_skb is NOT available
eBPF program_type cgroup_device is NOT available
eBPF program_type sk_msg is NOT available
eBPF program_type raw_tracepoint is NOT available
eBPF program_type cgroup_sock_addr is NOT available
eBPF program_type lwt_seg6local is NOT available
eBPF program_type lirc_mode2 is NOT available
eBPF program_type sk_reuseport is NOT available
eBPF program_type flow_dissector is NOT available
eBPF program_type cgroup_sysctl is NOT available
eBPF program_type raw_tracepoint_writable is NOT available
eBPF program_type cgroup_sockopt is NOT available
eBPF program_type tracing is NOT available
eBPF program_type struct_ops is NOT available
eBPF program_type ext is NOT available
eBPF program_type lsm is NOT available
eBPF program_type sk_lookup is NOT available
eBPF program_type syscall is NOT available
eBPF program_type netfilter is NOT available

Scanning eBPF map types...
eBPF map_type hash is NOT available
eBPF map_type array is NOT available
eBPF map_type prog_array is NOT available
eBPF map_type perf_event_array is NOT available
eBPF map_type percpu_hash is NOT available
eBPF map_type percpu_array is NOT available
eBPF map_type stack_trace is NOT available
eBPF map_type cgroup_array is NOT available
eBPF map_type lru_hash is NOT available
eBPF map_type lru_percpu_hash is NOT available
eBPF map_type lpm_trie is NOT available
eBPF map_type array_of_maps is NOT available
eBPF map_type hash_of_maps is NOT available
eBPF map_type devmap is NOT available
eBPF map_type sockmap is NOT available
eBPF map_type cpumap is NOT available
eBPF map_type xskmap is NOT available
eBPF map_type sockhash is NOT available
eBPF map_type cgroup_storage is NOT available
eBPF map_type reuseport_sockarray is NOT available
eBPF map_type percpu_cgroup_storage is NOT available
eBPF map_type queue is NOT available
eBPF map_type stack is NOT available
eBPF map_type sk_storage is NOT available
eBPF map_type devmap_hash is NOT available
eBPF map_type struct_ops is NOT available
eBPF map_type ringbuf is NOT available
eBPF map_type inode_storage is NOT available
eBPF map_type task_storage is NOT available
eBPF map_type bloom_filter is NOT available
eBPF map_type user_ringbuf is NOT available
eBPF map_type cgrp_storage is NOT available
eBPF map_type arena is NOT available

Scanning eBPF helper functions...
eBPF helpers supported for program type socket_filter:
	Program type not supported
eBPF helpers supported for program type kprobe:
	Program type not supported
eBPF helpers supported for program type sched_cls:
	Program type not supported
eBPF helpers supported for program type sched_act:
	Program type not supported
eBPF helpers supported for program type tracepoint:
	Program type not supported
eBPF helpers supported for program type xdp:
	Program type not supported
eBPF helpers supported for program type perf_event:
	Program type not supported
eBPF helpers supported for program type cgroup_skb:
	Program type not supported
eBPF helpers supported for program type cgroup_sock:
	Program type not supported
eBPF helpers supported for program type lwt_in:
	Program type not supported
eBPF helpers supported for program type lwt_out:
	Program type not supported
eBPF helpers supported for program type lwt_xmit:
	Program type not supported
eBPF helpers supported for program type sock_ops:
	Program type not supported
eBPF helpers supported for program type sk_skb:
	Program type not supported
eBPF helpers supported for program type cgroup_device:
	Program type not supported
eBPF helpers supported for program type sk_msg:
	Program type not supported
eBPF helpers supported for program type raw_tracepoint:
	Program type not supported
eBPF helpers supported for program type cgroup_sock_addr:
	Program type not supported
eBPF helpers supported for program type lwt_seg6local:
	Program type not supported
eBPF helpers supported for program type lirc_mode2:
	Program type not supported
eBPF helpers supported for program type sk_reuseport:
	Program type not supported
eBPF helpers supported for program type flow_dissector:
	Program type not supported
eBPF helpers supported for program type cgroup_sysctl:
	Program type not supported
eBPF helpers supported for program type raw_tracepoint_writable:
	Program type not supported
eBPF helpers supported for program type cgroup_sockopt:
	Program type not supported
eBPF helpers supported for program type tracing:
	Program type not supported
eBPF helpers supported for program type struct_ops:
	Program type not supported
eBPF helpers supported for program type ext:
	Program type not supported
eBPF helpers supported for program type lsm:
	Program type not supported
eBPF helpers supported for program type sk_lookup:
	Program type not supported
eBPF helpers supported for program type syscall:
	Program type not supported
eBPF helpers supported for program type netfilter:
	Program type not supported

Scanning miscellaneous eBPF features...
Large program size limit is NOT available
Bounded loop support is NOT available
ISA extension v2 is NOT available
ISA extension v3 is NOT available

When running in toolbx you would now need to check if the container has the capabilities (CAP_*) to successfully assess if ebpf is enabled.

Probably easier to layer it.

I layered it. Everything looks good.

[milesfernie@silverblue ~]$ sudo bpftool feature probe

Scanning system configuration…
bpf() syscall restricted to privileged users (admin can change)
JIT compiler is enabled
JIT compiler hardening is disabled
JIT compiler kallsyms exports are enabled for root
Global memory limit for JIT compiler for unprivileged users is 528482304 bytes
skipping kernel config, can’t open file: No such file or directory

Scanning system call availability…
bpf() syscall is available

Scanning eBPF program types…
eBPF program_type socket_filter is available
eBPF program_type kprobe is available
eBPF program_type sched_cls is available
eBPF program_type sched_act is available
eBPF program_type tracepoint is available
eBPF program_type xdp is available
eBPF program_type perf_event is available
eBPF program_type cgroup_skb is available
eBPF program_type cgroup_sock is available
eBPF program_type lwt_in is available
eBPF program_type lwt_out is available
eBPF program_type lwt_xmit is available
eBPF program_type sock_ops is available
eBPF program_type sk_skb is available
eBPF program_type cgroup_device is available
eBPF program_type sk_msg is available
eBPF program_type raw_tracepoint is available
eBPF program_type cgroup_sock_addr is available
eBPF program_type lwt_seg6local is available
eBPF program_type lirc_mode2 is available
eBPF program_type sk_reuseport is available
eBPF program_type flow_dissector is available
eBPF program_type cgroup_sysctl is available
eBPF program_type raw_tracepoint_writable is available
eBPF program_type cgroup_sockopt is available
eBPF program_type tracing is available
eBPF program_type struct_ops is available
eBPF program_type ext is available
eBPF program_type lsm is available
eBPF program_type sk_lookup is available
eBPF program_type syscall is available
eBPF program_type netfilter is available

… Output truncated

Scanning miscellaneous eBPF features…
Large program size limit is available
Bounded loop support is available
ISA extension v2 is available
ISA extension v3 is available

I found the cause.

opensnitchd: use of bpf to read kernel RAM is restricted; see man kernel_lockdown.7

I had the most restrictive lockdown mode enabled (lockdown=confidentiality). Changing it to lockdown=integrity was the solution.
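The two things this thread ended up turning on, whether the probe was run inside a toolbox user namespace with the right capabilities, and which kernel lockdown mode was active, can both be checked from a small script before reaching for bpftool. The script below is an added example written for this thread, not code from OpenSnitch, Fedora or toolbox. It assumes standard Linux interfaces only: /proc/self/uid_map, the CapEff mask in /proc/self/status (CAP_SYS_ADMIN is bit 21, CAP_PERFMON 38, CAP_BPF 39), /sys/kernel/security/lockdown and the kernel.unprivileged_bpf_disabled sysctl that bpftool reports as "bpf() syscall restricted to privileged users". The mask and uid_map values in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSnitch project.
# Diagnoses the reasons an eBPF-based tool can be told "not available" that
# came up in this thread: running inside a user namespace (rootless toolbox),
# where the kernel's capability checks for bpf() are made against the host
# namespace; missing CAP_BPF/CAP_SYS_ADMIN; and lockdown=confidentiality,
# which forbids bpf programs from reading kernel memory.

# Active mode from /sys/kernel/security/lockdown, whose content looks like
# "none integrity [confidentiality]" (constructed sample); prints "unknown"
# when no bracketed mode is present.
lockdown_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'unknown\n'; fi
}

# confidentiality is the mode that blocks bpf reads of kernel memory (the
# opensnitchd message quoted above); integrity does not.
lockdown_blocks_bpf_reads() {
    [ "$(lockdown_mode "$1")" = confidentiality ]
}

# $1: CapEff hex mask from /proc/self/status (no 0x prefix), $2: capability
# number. E.g. a constructed full mask 000001ffffffffff has CAP_BPF (39) set,
# a constructed container default 00000000a80425fb does not.
has_cap() {
    [ -n "$1" ] || return 1
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# bpf() needs CAP_BPF or CAP_SYS_ADMIN (kernel 5.8 and later) in the initial
# user namespace, so this mask is only meaningful outside a user namespace.
can_call_bpf() {
    has_cap "$1" 39 || has_cap "$1" 21
}

# $1: contents of /proc/self/uid_map. The initial namespace maps the full
# range "0 0 4294967295"; any other mapping means a child user namespace,
# such as a rootless podman/toolbox container.
in_user_ns() {
    set -- $1
    [ "${1:-}" != 0 ] || [ "${2:-}" != 0 ] || [ "${3:-}" != 4294967295 ]
}

# $1: saved output of `bpftool feature probe`; prints how many program, map
# or misc features it reported as NOT available.
count_unavailable() {
    printf '%s\n' "$1" | grep -c 'is NOT available' || true
}

# Live report against the running system. Every file is optional so the
# script also runs where securityfs is not mounted (as inside a container).
report() {
    if [ -r /proc/self/uid_map ] && in_user_ns "$(cat /proc/self/uid_map)"; then
        echo "inside a user namespace: sudo here does not grant host CAP_BPF, probe from the host instead"
    fi
    if [ -r /proc/self/status ]; then
        caps=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
        if [ -n "$caps" ] && can_call_bpf "$caps"; then
            echo "CapEff $caps: CAP_BPF or CAP_SYS_ADMIN present"
        else
            echo "CapEff $caps: neither CAP_BPF nor CAP_SYS_ADMIN, bpf() will fail with EPERM"
        fi
    fi
    if [ -r /sys/kernel/security/lockdown ]; then
        lockdown=$(cat /sys/kernel/security/lockdown)
        echo "kernel lockdown mode: $(lockdown_mode "$lockdown")"
        if lockdown_blocks_bpf_reads "$lockdown"; then
            echo "lockdown=confidentiality blocks bpf reads of kernel memory (see kernel_lockdown.7)"
        fi
    fi
    if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
        echo "kernel.unprivileged_bpf_disabled = $(cat /proc/sys/kernel/unprivileged_bpf_disabled)"
    fi
}

report
```

Run it once on the host and once inside the toolbox: the user-namespace line explains why the first probe in this thread showed every feature as NOT available while the layered one did not, and the lockdown line distinguishes "eBPF missing" from "eBPF present but confidentiality mode refuses kernel reads", which are two different decisions to make.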


Uhhhh, reading kernel RAM by network processes that are not part of kernel is a security issue.

Yeah, it is a security issue. On the other hand eBPF is more secure and more efficient than procFS. I’m still unsure which trade-off is better.

eBPF programs are isolated from direct kernel memory manipulation, so why is opensnitch trying to bypass this?

Speaking of procFS, why is Fedora still not setting hidepid to 2 by default on default installations?

All I can say is that kernel lockdown can block eBPF operations. Don’t ask me why. Regarding hidepid not being set to 2 by default, I guess the forces of convenience have won that battle. I will look into it.

I’ve decided to revert to confidentiality mode for now. I’m satisfied with the hardening it brings to procFS.