eBPF modules compilation #942
gustavo-iniguez-goya started this conversation in Development
Replies: 1 comment
- Great work! 💪
Hi all,
Some users have complained over time about why we were "patching" kernel sources in order to compile eBPF modules.
In reality, we weren't patching the kernel, we were patching libbpf to avoid conflicts with the bpf_map_def struct.
This patching didn't interfere with the running kernel in any way. It was only used to generate a binary that had a bpf_map_def with the fields required by gobpf. Even inside the kernel itself, there are different definitions of the bpf_map_def struct: iovisor/gobpf#198
Quote from the gobpf project:
> Map definitions must correspond to bpf_map_def from [the elf package](https://github.com/iovisor/gobpf/blob/master/elf/include/bpf_map.h). Otherwise, you will encounter an error like `only one map with size 280 bytes allowed per section (check bpf_map_def)`.
Besides, eBPF modules run on a kernel Virtual Machine, isolated from the rest of the system, so the chances to crash the system due to a bug in these modules are minimal, unlike with regular kernel modules.
Now, with latest changes, we no longer require patching the kernel sources: ba64379
In addition, we don't need to download the kernel sources anymore. Modules can be compiled just with the kernel headers distributed by the distributions. So we also don't need to copy modules sources to the kernel sources.
On the other hand, the bpf_map_def struct has been deprecated for quite some time now, and definitely removed on kernels >= 6.2. So, this is another reason not to patch the kernel sources.
Apart from this, previously we compiled the modules against kernel 5.8. Unfortunately on kernels >= 5.19 the interception of VPN connections stopped working.
The thing is that, compiling against kernels 6.x, the modules work from kernel 4.4.0 to 6.2. We should use CO-RE and verify that it fixes these issues (WIP, it somewhat works), but for the time being we'll use these ones.
Related: #454 , #685 , #753
Precompiled modules via Actions:
https://github.com/evilsocket/opensnitch/actions/runs/5002500385
Direct link: https://github.com/evilsocket/opensnitch/suites/12957037320/artifacts/700590704
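An added example, not code from this discussion nor from opensnitch, gobpf or libbpf: the two `bpf_map_def` layouts the libbpf patch had to reconcile, a loader-style check of the kind behind the quoted "only one map with size 280 bytes" error, and the field copy the patch effectively performed. The field lists, the 256-byte namespace buffer and the exact form of the size check are my assumptions; 280 is the size the quoted error mentions.

```c
// Constructed illustration of the bpf_map_def layout conflict (assumptions noted inline).
#include <stddef.h>
#include <string.h>

#define BUF_SIZE_MAP_NS 256  /* assumed size of gobpf's per-map namespace buffer */

/* Layout gobpf's ELF loader expects: 6 x 4-byte fields + 256-byte namespace = 280 bytes. */
struct gobpf_map_def {
    unsigned int type;
    unsigned int key_size;
    unsigned int value_size;
    unsigned int max_entries;
    unsigned int map_flags;
    unsigned int pinning;
    char namespace_buf[BUF_SIZE_MAP_NS];
};

/* Legacy libbpf/kernel-samples layout: 5 x 4-byte fields = 20 bytes. */
struct libbpf_map_def {
    unsigned int type;
    unsigned int key_size;
    unsigned int value_size;
    unsigned int max_entries;
    unsigned int map_flags;
};

/* Simplified (assumed) form of the loader check: a "maps" ELF section must be
 * exactly one gobpf-sized definition. A 20-byte libbpf definition, or two
 * gobpf definitions in one section, are rejected. Returns 1 if loadable. */
int maps_section_loadable(size_t section_size) {
    return section_size == sizeof(struct gobpf_map_def);
}

/* What the libbpf patch amounted to: emit a definition with gobpf's fields,
 * carrying over the five common ones and zeroing pinning and namespace. */
void gobpf_from_libbpf(const struct libbpf_map_def *in, struct gobpf_map_def *out) {
    memset(out, 0, sizeof(*out));
    out->type = in->type;
    out->key_size = in->key_size;
    out->value_size = in->value_size;
    out->max_entries = in->max_entries;
    out->map_flags = in->map_flags;
}

/* Self-check on a constructed map definition; returns 1 when the converted
 * definition keeps its fields and has a section size the loader accepts. */
int conversion_ok(void) {
    struct libbpf_map_def in = { 1, 4, 8, 1024, 0 };  /* constructed sample */
    struct gobpf_map_def out;
    gobpf_from_libbpf(&in, &out);
    return out.max_entries == 1024 && out.pinning == 0 && out.namespace_buf[0] == '\0'
        && maps_section_loadable(sizeof(out));
}
```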