eBPF modules not loading #1197
Replies: 4 comments 4 replies
-
Hi @Prateeknandle, yes, that's basically the way of compiling the modules. Verify that the modules were correctly generated. Execute. Sometimes the modules will compile correctly, but the kernel verifier will fail loading the modules. Remember to initialize all variables, check bounds, etc., or keep removing your changes until you find the problem.
-
Hey @gustavo-iniguez-goya,
-
Does the eBPF solution have some problems currently? Using opensnitch with xanmod does not throw errors anymore? Or do they enable eBPF now by default?
-
Checking system requirements for kernel version 6.11.9-x64v4-xanmod1
xanmod seems to not have problems anymore (or currently, or at least not with opensnitch...)
-
Hey folks, so I made some changes in eBPF code and I tried to compile it and generate modules. I am assuming there are two ways to do that:
- ebpf_prog, this way I got the modules, copied the modules to /usr/lib/opensnitchd/ebpf and executed sudo ./daemon/opensnitchd -debug, these are the logs I get:
Logs:
prateek@bot:~/go/src/github.com/opensnitch (master*) $ sudo ./daemon/opensnitchd -debug
[2024-09-26 11:12:52] IMP Starting opensnitch-daemon v1.7.0
[2024-09-26 11:12:52] INF Loading configuration file /etc/opensnitchd/default-config.json ...
[2024-09-26 11:12:52] INF Loading rules from /etc/opensnitchd/rules/ ...
OK: libnetfiler_queue supports nfq_get_uid
OK: libnetfiler_queue supports nfq_get_uid
[2024-09-26 11:12:52] INF Using system fw configuration ...
[2024-09-26 11:12:52] DBG [DNS] Unable to use systemd-resolved monitor: /run/systemd/resolve/io.systemd.Resolve.Monitor doesn't exist
[2024-09-26 11:12:52] INF Running on netfilter queue #0 ...
[2024-09-26 11:12:52] DBG [eBPF] trying to load /usr/local/lib/opensnitchd/ebpf/opensnitch-dns.o
[2024-09-26 11:12:52] DBG [eBPF] trying to load /usr/lib/opensnitchd/ebpf/opensnitch-dns.o
[2024-09-26 11:12:52] DBG UI not connected, queueing alert: 0
[2024-09-26 11:12:52] DBG UI service poller started for socket ///tmp/osui.sock
[2024-09-26 11:12:52] DBG UI auth: simple
[2024-09-26 11:12:52] DBG [eBPF] trying to load /etc/opensnitchd/opensnitch-dns.o
[2024-09-26 11:12:52] ERR [eBPF DNS]:
unable to load eBPF module (opensnitch-dns.o). Your kernel version (6.8.0-40-generic) might not be compatible.
If this error persists, change process monitor method to 'proc'
[2024-09-26 11:12:52] WAR EBPF-DNS: Unable to attach ebpf listener:
unable to load eBPF module (opensnitch-dns.o). Your kernel version (6.8.0-40-generic) might not be compatible.
If this error persists, change process monitor method to 'proc'
[2024-09-26 11:12:52] DBG UI not connected, queueing alert: 0
[2024-09-26 11:12:53] DBG [procmon exec event] 96710330268396, pid:967155 tgid:967155 sh, /usr/bin/dash -> /usr/bin/dash
[2024-09-26 11:12:53] DBG [cache] EventsStore.Add() 967155, /usr/bin/dash
[2024-09-26 11:12:53] DBG [cache] updateItem() updating events store (total: 0), pid: 967155, path: /usr/bin/dash
[2024-09-26 11:12:53] DBG [cache] EventsStore.Add() finished
[2024-09-26 11:12:53] DBG PID can't be read /proc/ 967156
[2024-09-26 11:12:53] DBG [procmon exec event] 96710330894097, pid:967156 tgid:967156 which, /usr/bin/dash ->
[2024-09-26 11:12:53] DBG [cache] EventsStore.Add() 967156, /usr/bin/dash
[2024-09-26 11:12:53] DBG [cache] updateItem() updating events store (total: 1), pid: 967156, path: /usr/bin/dash
[2024-09-26 11:12:53] DBG [cache] EventsStore.Add() finished
[2024-09-26 11:12:53] DBG [procmon exec event] 96710334353403, pid:967165 tgid:967165 sh, /usr/bin/dash -> /usr/bin/dash
[2024-09-26 11:12:53] DBG [cache] EventsStore.Add() 967165, /usr/bin/dash
[2024-09-26 11:12:53] DBG [cache] updateItem() updating events store (total: 2), pid: 967165, path: /usr/bin/dash
[2024-09-26 11:12:53] DBG [cache] EventsStore.Add() finished
[2024-09-26 11:12:53] DBG [procmon exec event] 96710334922688, pid:967166 tgid:967166 ps, /usr/bin/ps -> /usr/bin/ps
[2024-09-26 11:12:53] DBG [cache] EventsStore.Add() 967166, /usr/bin/ps
[2024-09-26 11:12:53] DBG [cache] updateItem() updating events store (total: 3), pid: 967166, path: /usr/bin/ps
[2024-09-26 11:12:53] DBG [cache] EventsStore.Add() finished
[2024-09-26 11:12:53] DBG client.disconnect()
- ./build_modules.sh in utils/packaging, but this throws an error:
Error:
prateek@bot:~/go/src/github.com/opensnitch/utils/packaging (master*) $ ./build_modules.sh
Dependencies needed to compile the eBPF modules:
sudo apt install -y wget flex bison ca-certificates wget python3 rsync bc libssl-dev clang llvm libelf-dev libzip-dev git libpcap-dev
[i] Deleting previous kernel sources v6.8.tar.gz: OK
[+] Downloading kernel sources:
v6.8.tar.gz [ <=> ] 223.77M 1.23MB/s in 3m 32s
2024-09-26 16:55:56 URL:https://codeload.github.com/torvalds/linux/tar.gz/refs/tags/v6.8 [234639378] -> "v6.8.tar.gz" [1]
[i] Deleting previous kernel sources dir linux-6.8/: OK
[+] Uncompressing kernel sources: OK
./build_modules.sh: 34: [: unexpected operator
[+] Preparing kernel sources... (1-2 minutes): ..config:10809:warning: symbol value 'm' invalid for ANDROID_BINDER_IPC
.config:10810:warning: symbol value 'm' invalid for ANDROID_BINDERFS
.. DONE
[+] Compiling eBPF modules...
:1:10: fatal error: '../linux-6.8/include/linux/kconfig.h' file not found
#include "../linux-6.8/include/linux/kconfig.h"
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
make: *** [Makefile:58: opensnitch.bc] Error 1
mv: cannot stat 'opensnitcho': No such file or directory
llvm-strip: error: 'ebpf_prog/modules/opensnitch.o': No such file or directory
-e
[WARN] opensnitch.o module not compiled
/usr/lib/opensnitchd/ebpf and restarted the systemd service. I was assuming that now opensnitch would load the new modules, but I don't think it is doing that, because I tried removing the modules from /usr/lib/opensnitchd/ebpf but opensnitch works, which I thought should not, and I tried printing a few things which I don't see in /sys/kernel/debug/tracing/trace_pipe.
Kernel version: 6.8.0-40-generic
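Gustavo's first suggestion above is to verify that the modules were correctly generated before blaming the verifier, and the -debug log in the original post shows the three directories opensnitchd probes for opensnitch-dns.o. This POSIX shell script is an added example, not code from the opensnitch project or from anyone in this thread: it checks each probed path for a non-empty ELF whose e_machine is EM_BPF, which is what a clang -target bpf build produces, so a truncated or missing object (like the opensnitch.o that build_modules.sh failed to produce) is caught before the daemon is restarted. The directory list and module names are taken from the log; write_fake_elf exists only to construct test input.

```shell
#!/bin/sh
# Added example (not opensnitch project code): sanity-check that an eBPF
# object file is a real BPF ELF before suspecting the kernel verifier.
# The search order is assumed from the opensnitchd -debug log in this thread.
OPENSNITCH_EBPF_DIRS="/usr/local/lib/opensnitchd/ebpf /usr/lib/opensnitchd/ebpf /etc/opensnitchd"

# is_bpf_elf FILE
# Succeeds when FILE is non-empty, starts with the ELF magic and has
# e_machine == EM_BPF (247 = 0xf7). e_machine sits at byte offset 18 and is
# read little-endian, which is what clang -target bpf emits on x86 hosts.
is_bpf_elf() {
    [ -s "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || return 1
    machine=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
    [ "$machine" = "f700" ]
}

# find_module NAME
# Prints the first NAME.o in the search order that passes is_bpf_elf and
# reports on stderr any copy that exists but fails it (truncated build
# output, or an object compiled for the host CPU instead of BPF).
find_module() {
    for d in $OPENSNITCH_EBPF_DIRS; do
        f="$d/$1.o"
        if is_bpf_elf "$f"; then
            printf '%s\n' "$f"
            return 0
        elif [ -e "$f" ]; then
            printf 'not a BPF ELF: %s\n' "$f" >&2
        fi
    done
    return 1
}

# write_fake_elf FILE MACHINE_OCTAL
# Constructed test fixture only: a 20-byte ELF header (64-bit, LSB, ET_REL)
# whose e_machine low byte is MACHINE_OCTAL, e.g. 367 for EM_BPF, 076 for x86_64.
write_fake_elf() {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\001\000' > "$1"
    printf "\\$2\\000" >> "$1"
}

# Stand-alone run: report what is found for the two modules named in this thread.
for m in opensnitch opensnitch-dns; do
    if p=$(find_module "$m"); then printf 'OK   %s -> %s\n' "$m" "$p"
    else printf 'MISS %s (no valid BPF object in the search dirs)\n' "$m"; fi
done
```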