[Need help] run bpf programs as non root user with bpftime #353

Open
nalreddy opened this issue Sep 27, 2024 · 6 comments

@nalreddy

In our current product, we execute BPF programs without needing sudo by using setcap to grant the necessary capabilities to the executable (specifically, we set bpf_cap before running the BPF program).

setcap CAP_BPF,CAP_SYS_RESOURCE,CAP_PERFMON=+eip tracer

How can we achieve the same functionality with bpftime?

Are there instances where we must run bpftime with sudo?

Modes of Running bpftime

  1. Attach mode

./example/malloc/victim & echo $!  # This outputs the PID, e.g., 101771

To attach to it:

$ sudo bpftime attach 101771  # Note: You may need to run `make install` as root
Inject: "/root/.bpftime/libbpftime-agent.so"
Successfully injected. ID: 1

  2. You can load the BPF program and start it:

bpftime load ./example/malloc/malloc
bpftime start ./example/malloc/victim

  3. You can also run with LD_PRELOAD directly.

Questions:

  1. Why is sudo necessary in the first method? Is it required?
  2. System call tracing examples also run with sudo—is this mandatory?

Could you clarify in which cases we need to use sudo and which cases do not require it?

We would prefer to avoid using sudo with BPF programs and run them as non-root. Is it possible to use the attach method without sudo?


@Officeyutong
Contributor

  1. The first requires root privileges because it uses ptrace to inject a dynamic library into your desired process. Using ptrace to do such a thing requires root.
  2. Syscall trace needs root since it needs to call mprotect to switch access flags of code pages (so we can modify them and implement userspace syscall trace).

Root is not necessary for uprobe/uretprobe/usdt

@yunwei37
Member

You may try granting CAP_SYS_PTRACE for the first method, since it's using ptrace here.

Actually both of them can run in unprivileged containers, e.g. you can try github codespace.

@yunwei37
Member

Thanks for pointing out the problem! We will provide a document for all the permission related questions.

@nalreddy
Author

nalreddy commented Oct 8, 2024

> Thanks for pointing out the problem! We will provide a document for all the permission related questions.

> You may try granting CAP_SYS_PTRACE for the first method, since it's using ptrace here.
>
> Actually both of them can run in unprivileged containers, e.g. you can try github codespace.

@yunwei37 do you mean to provide CAP_SYS_PTRACE to the victim executable or the bpf program executable (malloc)?

@yunwei37
Member

yunwei37 commented Oct 8, 2024

CAP_SYS_PTRACE should be added to the command sudo bpftime attach 101771. This is not the victim executable or bpf program executable (malloc).

@nalreddy
Author

nalreddy commented Oct 8, 2024

Tried the following steps to run bpftime as a non-root user in attach mode (malloc example).

Please let me know if anything is wrong.

  1. Running victim (get pid of victim)
    /bpftime$ ./example/malloc/victim

  2. Setcap to bpftime command

~/.bpftime$ ls
bpftime bpftime_daemon bpftimetool libbpftime-agent.so libbpftime-agent-transformer.so libbpftime-syscall-server.so runtime.log
sudo setcap CAP_SYS_PTRACE=+eip bpftime

~/.bpftime$ getcap bpftime
bpftime cap_sys_ptrace=eip

  3. Attach without sudo

bpftime attach 8390

  4. bpftime load ./example/malloc/malloc
    I don't see any prints here. Added debug in malloc code, return ENOENTRY from bpfmaps (malloc.c).
    No bpf_printk from malloc.bpf.c.

tail -f ~/.bpftime/runtime.log
[2024-10-08 04:58:19][info][8391] Injecting to 8390
[2024-10-08 04:58:19][info][8391] Successfully injected. ID: 1
[2024-10-08 04:58:19][info][8395] Global shm constructed. shm_open_type 1 for bpftime_maps_shm
[2024-10-08 04:58:19][info][8395] Global shm initialized
[2024-10-08 04:58:19][info][8395] Register attach-impl defined helper bpf_get_func_arg, index 183
[2024-10-08 04:58:19][info][8395] Register attach-impl defined helper bpf_get_func_ret_id, index 184
[2024-10-08 04:58:19][info][8395] Register attach-impl defined helper bpf_get_retval, index 186
[2024-10-08 04:58:19][info][8395] Initializing agent..
[2024-10-08 04:58:19][info][8395] Executable path: /home/satya/data/bpftime/example/malloc/victim
[2024-10-08 04:58:19][info][8395] Attach successfully
[2024-10-08 04:59:11][info][8412] Initialize syscall server
[2024-10-08 04:59:11][info][8412] Global shm constructed. shm_open_type 0 for bpftime_maps_shm
[2024-10-08 04:59:11][info][8412] Global shm initialized
[2024-10-08 04:59:11][info][8412] bpftime-syscall-server started
[2024-10-08 04:59:11][info][8412] Created uprobe/uretprobe perf event handler, module name /lib/x86_64-linux-gnu/libc.so.6, offset 9f920

 @yunwei37 
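
A check that fits the setcap/getcap steps in this thread, added here as an example and not taken from bpftime or from any commenter: it decodes the CapEff mask in /proc/<pid>/status to confirm which of the capabilities named above a running process actually holds. The function names are made up for this example; the bit numbers are those defined in linux/capability.h.

```sh
#!/bin/sh
# Added example (not bpftime code): decode a Linux capability bitmask such as
# the CapEff line of /proc/<pid>/status. Function names are hypothetical.

# Bit numbers from linux/capability.h for the capabilities named in this thread.
cap_bit() {
  case "$1" in
    CAP_SYS_PTRACE)   echo 19 ;;
    CAP_SYS_RESOURCE) echo 24 ;;
    CAP_PERFMON)      echo 38 ;;
    CAP_BPF)          echo 39 ;;
    *) return 1 ;;    # capability not covered by this example
  esac
}

# has_cap <hex-mask> <CAP_NAME>: succeeds when that bit is set in the mask.
has_cap() {
  _bit=$(cap_bit "$2") || return 2
  [ $(( (0x$1 >> $_bit) & 1 )) -eq 1 ]
}

# missing_caps <hex-mask> <CAP_NAME>...: print the requested capabilities that
# are absent from the mask, space-separated (empty line when none is missing).
# A name cap_bit does not know is reported as missing.
missing_caps() {
  _mask=$1; shift
  _out=""
  for _c in "$@"; do
    has_cap "$_mask" "$_c" || _out="${_out:+$_out }$_c"
  done
  printf '%s\n' "$_out"
}

# effective_mask <pid>: read the effective capability set of a live process.
effective_mask() {
  awk '/^CapEff:/ {print $2}' "/proc/$1/status"
}

# Usage: sh capcheck.sh <pid> CAP_SYS_PTRACE [CAP_BPF ...]
if [ "$#" -ge 2 ]; then
  _pid=$1; shift
  missing_caps "$(effective_mask "$_pid")" "$@"
fi
```

A mask of 0000000000080000 is CAP_SYS_PTRACE alone, and 000000c001000000 is the CAP_BPF, CAP_SYS_RESOURCE, CAP_PERFMON set from the original tracer command.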
