SELinux prevents usage of execsnoop in enforcing mode #509
Closed
Labels: area/selinux (Issues related to SELinux), kind/bug (Something isn't working)
Description
Observed in flatcar/mantle#233 - SELinux in enforcing mode (default test behavior) prevents execsnoop (and certainly other BPF-related tools) from running correctly:
logs
$ getenforce
Enforcing
$ docker inspect execsnoop | jq '.[] | .Path'
"/usr/share/bcc/tools/execsnoop"
$ docker inspect execsnoop | jq '.[] | .Args'
[
"-n",
"docker",
"-l",
"ps"
]
$ docker logs execsnoop
bpf: Failed to load program: Invalid argument
Unrecognized arg#0 type PTR
; int syscall__execve(struct pt_regs *ctx)
0: (bf) r6 = r1
; struct pt_regs * __ctx = ctx->di;
1: (79) r7 = *(u64 *)(r6 +112)
; const char __user *filename; bpf_probe_read(&filename, sizeof(filename), &__ctx->di);
2: (bf) r3 = r7
3: (07) r3 += 112
4: (bf) r1 = r10
;
5: (07) r1 += -16
; const char __user *filename; bpf_probe_read(&filename, sizeof(filename), &__ctx->di);
6: (b7) r2 = 8
7: (85) call bpf_probe_read#4
unknown func bpf_probe_read#4
processed 8 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
Traceback (most recent call last):
File "/usr/share/bcc/tools/execsnoop", line 229, in <module>
b.attach_kprobe(event=execve_fnname, fn_name="syscall__execve")
File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 829, in attach_kprobe
fn = self.load_func(fn_name, BPF.KPROBE)
File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 528, in load_func
(func_name, errstr))
Exception: Failed to load BPF program syscall__execve: Invalid argument
$ docker inspect execsnoop | jq '.[] | .Mounts'
[
{
"Type": "bind",
"Source": "/sys/fs/cgroup",
"Destination": "/sys/fs/cgroup",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "bind",
"Source": "/sys/fs/bpf",
"Destination": "/sys/fs/bpf",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "bind",
"Source": "/lib/modules",
"Destination": "/lib/modules",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "bind",
"Source": "/sys/kernel/debug",
"Destination": "/sys/kernel/debug",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
}
]
[ 395.688880] audit: type=1400 audit(1631716436.621:321): avc: denied { perfmon } for pid=1979 comm="runc" capability=38 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
[ 395.693540] audit: type=1400 audit(1631716436.621:321): avc: denied { bpf } for pid=1979 comm="runc" capability=39 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
Impact
It prevents BPF tools from running.
Additional information
We could try to add this patch: SELinuxProject/refpolicy@497cb3c#diff-a4d8dfc6445231bbccad2b1010d93829e7e19637c00be1eabe3f888b20304552R270 to the sec-policy/base-policy we have (or wait for a ::gentoo release to sync with upstream).
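The two AVC lines in the dmesg output above are the whole story: runc is running in the kernel_t domain and is denied the capability2 permissions perfmon (CAP_PERFMON, 38) and bpf (CAP_BPF, 39), which the kernel requires for loading a BPF program and attaching a kprobe. The following is an added example, not code from this issue or from the Flatcar project: a small shell script that does what `audit2allow -M` would do, parsing AVC denial lines into TE allow rules, wrapping them in a loadable policy module, and installing it when the policy toolchain is present. The sample denial lines are constructed from the issue's dmesg output, and the module name local_bpf is an assumption.

```shell
#!/bin/sh
# Added example, not from the flatcar issue or project: turn AVC denials like
# the dmesg lines in the issue into a local SELinux policy module, the way
# "audit2allow -M" does. Module name "local_bpf" is an assumption.

# Two constructed AVC lines with the same content as the issue's dmesg output.
SAMPLE_AVC='[ 395.688880] audit: type=1400 audit(1631716436.621:321): avc: denied { perfmon } for pid=1979 comm="runc" capability=38 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
[ 395.693540] audit: type=1400 audit(1631716436.621:321): avc: denied { bpf } for pid=1979 comm="runc" capability=39 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0'

# avc_to_allow: read AVC denial lines on stdin and print one TE "allow" rule
# per (source type, target type, class), merging the denied permissions.
# A tcontext equal to the scontext is written as "self", as audit2allow does.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /\{[^}]*\}/)) {            # permission set between { }
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:type:level
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || cls == "" || perm == "") next
        if (src == tgt) tgt = "self"
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in perms)) { order[++n] = key; perms[key] = "" }
        if (index(" " perms[key] " ", " " perm " ") == 0)
            perms[key] = (perms[key] == "" ? perm : perms[key] " " perm)
    }
    END {
        for (i = 1; i <= n; i++) {
            split(order[i], k, SUBSEP)
            printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], perms[order[i]]
        }
    }'
}

# allow_to_te NAME: wrap allow rules from stdin into a complete .te module
# source: module header plus the require block that checkmodule insists on.
allow_to_te() {
    awk -v name="$1" '
    /^allow / {
        rules[++n] = $0
        src = $2; split($3, st, ":"); tgt = st[1]; cls = st[2]
        types[src] = 1; if (tgt != "self") types[tgt] = 1
        p = $0; sub(/^[^{]*\{ */, "", p); sub(/ *\}.*$/, "", p)
        m = split(p, pa, " ")
        for (j = 1; j <= m; j++)
            if (index(" " cperms[cls] " ", " " pa[j] " ") == 0)
                cperms[cls] = (cperms[cls] == "" ? pa[j] : cperms[cls] " " pa[j])
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "\ttype %s;\n", t
        for (c in cperms) printf "\tclass %s { %s };\n", c, cperms[c]
        printf "}\n\n"
        for (i = 1; i <= n; i++) print rules[i]
    }'
}

# build_and_load PATH.te: compile the module and install it with semodule.
# Needs checkmodule, semodule_package, semodule and root; otherwise it only
# reports that the .te was written and returns 0.
build_and_load() {
    base=${1%.te}
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule >/dev/null 2>&1 \
       || [ "$(id -u)" -ne 0 ]; then
        echo "policy toolchain missing or not root; wrote $1 only" >&2
        return 0
    fi
    checkmodule -M -m -o "$base.mod" "$1" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | allow_to_te local_bpf > "$workdir/local_bpf.te"
cat "$workdir/local_bpf.te"
build_and_load "$workdir/local_bpf.te"
```

On a real host the input would come from `ausearch -m AVC -ts recent` (or the dmesg lines, since the audit messages reach the kernel log here) rather than the embedded sample, and the generated rule for the two denials is `allow kernel_t self:capability2 { perfmon bpf };`. Two caveats before loading it: check that these are the only denials involved, since the BPF verifier errors earlier in the log are what the tool prints once the capability checks fail; and note that the process is in the kernel_t domain, so this local module grants CAP_BPF and CAP_PERFMON to the same type the kernel runs as, which is the quick unblock, not a replacement for the base-policy update mentioned above.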