This issue was moved to a discussion.
ebpf_prog: compile out-of-tree feature request #712

Closed
blshkv opened this issue Aug 4, 2022 · 8 comments
Labels
feature a whole new feature

Comments


blshkv commented Aug 4, 2022

Currently, https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog requires some voodoo:
copying source into a specific Linux kernel, patching the kernel and installing opensnitch.o (binary) into /etc.

All that doesn't look right.

Is it possible to make a proper kernel opensnitch_ebpf module and load it with modprobe?


emdee-is commented Aug 5, 2022

I think these instructions are out of date, but the debian release installs without any kernel patching or modules: ebpf is specifically not a module: https://ebpf.io/

The Debian build instructions should help show the way forward: https://github.com/evilsocket/opensnitch/tree/master/debian/

@gustavo-iniguez-goya (Collaborator)

Hi @blshkv , as @emdee-is pointed out, the ebpf module is not a usual kernel module. But in any case, you'd need the kernel sources to compile kernel or ebpf modules.

Take a look at how the AUR package does it: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=opensnitch-ebpf-module-git

On the other hand, the deb/rpm packages install a precompiled ebpf module. That avoids having to compile the module every time a user installs or updates the daemon, besides not having to install gcc and many other tools and download the kernel sources (externally or from your distro). We should move to BTF+CO-RE, but that's another story.


emdee-is commented Aug 5, 2022

Thanks @gustavo-iniguez-goya - that helps a lot.

Pentoo is a hardened version of Gentoo, so a recent kernel build from source is available on all Pentoos. The AUR recipe translates easily into a Gentoo ebuild file, although a Gentoo ebuild does more:
https://github.com/pentoo/pentoo-overlay/blob/master/app-admin/opensnitch/opensnitch-1.5.2.ebuild
A working Pentoo ebuild may mean it gets taken up upstream by Gentoo.

But a few questions on how you are building opensnitch.o; I'll list them all here and then I can break them into individual issues as needed.

  1. Is the patch to bpf_helpers.h opensnitch specific, or can it be merged into the upstream mainline kernel? If it can be merged, can you open an issue to track the merging of the patch upstream?

  2. If the patch is opensnitch specific, could you, instead of patching the mainline kernel, use a patched copy as a file that builds out-of-tree or in sample/, with your own names for the patched calls? If so, could you build opensnitch.o as a kernel module opensnitch.ko like any added kernel module, as the issue suggests?

     There are real reasons for wanting to do this: hardened people want kernel modules to be signed, and if in effect you are making and loading the equivalent of an unsigned kernel module, that's very bad news.

     Is opensnitch.o loaded like a kernel module, so that it could be signed like a kernel module and the signature checked on loading?

  3. The AUR recipe does not look to see what kernel config settings are required as a prerequisite. There is no documentation that says this exactly, and your documentation is not up to date:
     https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog

     Could you update the documentation and list the configs required for ebpf and the kernel version the requirements are set for? A wiki page on building ebpf_prog/opensnitch.o that is kept up to date, with a copy in the release, would be a good thing.

  4. I think there are required modules you have to load to make opensnitch work, even without ebpf: nfnetlink_queue and/or nft_queue. These need kernel config settings and should be checked by the AUR/Pentoo recipes. Could you document exactly what modules are required to run opensnitch?

  5. Opensnitch adds a line to iptables that is a last line on -A OUTPUT that jumps to opensnitch. This will not work if the iptables already has a generic -A OUTPUT -j DROP line as a failsafe in the rules. So all the build recipes (AUR/Debian/Pentoo) should run an iptables-save to look for the generic DROP line and warn that opensnitch will not work.

  6. Does opensnitch work with iptables and iptables-legacy and nftables? Could you document this, as the Linux world is in a transition phase? I can't get opensnitch to work at all, and I use iptables-legacy.

  7. It's not clear to me under what conditions a mounted debugfs is required or useful. Could you update the documentation and list the configs required for debugfs and the kernel version the requirements are set for? I compiled my kernel with:
     CONFIG_DEBUG_FS=y
     CONFIG_DEBUG_FS_ALLOW_ALL=y
     but there is no /sys/kernel/debug and I cannot mount debugfs. Is there something I'm missing?

  8. You are shipping unsigned releases and source code. The Gentoo package manager now supports OpenPGP key signing on all sources, and for a security-sensitive piece of software like opensnitch, I would expect it.

If you like, cut and paste this into individual issues to suit your taste.
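The two recipe-side checks asked for above (kernel config prerequisites and a generic OUTPUT DROP shadowing opensnitch's rule), as an added example that is not opensnitch project code and not part of the original comment. The list of kernel options and the `opensnitch` jump target are assumptions taken from the thread's wording; the sample rules and config are constructed.

```shell
#!/bin/sh
# Added example, not opensnitch project code: preflight checks a packaging
# recipe (AUR/Debian/Pentoo) could run, following the two points above.
# Inputs are files, so the functions work on the constructed samples below
# as well as on real `iptables-save` output or a kernel .config.

# Check 1: a catch-all "-A OUTPUT -j DROP" in the filter table. Rules match
# in order, so it shadows the rule opensnitch appends after it. A DROP
# *policy* (":OUTPUT DROP") is not a problem: policies apply after all rules.
output_has_generic_drop() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "OUTPUT" && NF == 4 && $3 == "-j" && $4 == "DROP" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Check 2: print each listed option that is neither =y nor =m. The list is
# an assumption about what opensnitch needs: nfnetlink_queue/nft_queue and
# debugfs are named in the thread, the BPF options are the usual ones for
# loading eBPF programs. (The thread notes this is not documented upstream.)
ASSUMED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_NETFILTER_NETLINK_QUEUE CONFIG_NFT_QUEUE CONFIG_DEBUG_FS"
missing_kernel_options() {
    for opt in $ASSUMED_OPTS; do
        grep -Eq "^$opt=(y|m)$" "$1" || echo "$opt"
    done
}

# Constructed samples (not captured from a real system). The "opensnitch"
# jump target follows the wording of the thread and is an assumption.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bad.rules" <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT -j opensnitch
COMMIT
EOF
cat > "$SAMPLE_DIR/good.rules" <<'EOF'
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -j opensnitch
COMMIT
EOF
printf 'CONFIG_BPF=y\nCONFIG_BPF_SYSCALL=y\n# CONFIG_DEBUG_FS is not set\nCONFIG_NFT_QUEUE=m\n' > "$SAMPLE_DIR/config"

if output_has_generic_drop "$SAMPLE_DIR/bad.rules"; then
    echo "warning: generic OUTPUT DROP present; opensnitch's rule will never match"
fi
missing_kernel_options "$SAMPLE_DIR/config"   # prints the two unset options
```

On a real system the same functions can be pointed at `iptables-save > rules.txt` and `zcat /proc/config.gz > config.txt`.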


blshkv commented Aug 8, 2022

Hi @gustavo-iniguez-goya ,
It looks like you made a hack by overwriting linux-5.8/samples/bpf with your files, and that's the problem.

I guess what we really need is to be able to compile your source as an out-of-tree kernel module.
The Makefile should run something like this:

```sh
${MAKE} -C ${KERNEL_SOURCE} SUBDIRS=${PWD} modules
```

or (may be more applicable)

```sh
clang -O2 -emit-llvm -c my_bpf_prog.c -o - | \
    llc -march=bpf -filetype=obj -o my_bpf_prog.o
```

Here is the official documentation: https://www.kernel.org/doc/Documentation/kbuild/modules.txt


emdee-is commented Aug 8, 2022

See also #680


blshkv commented Aug 8, 2022

> See also #680

Nope, not related. It's just a hack (not really using ebuild APIs) to compile it inline.

The out-of-tree version should be using libbpf (libbpf.so.0 and bpf*.h headers)


blshkv commented Aug 8, 2022

https://github.com/netoptimizer/prototype-kernel
https://github.com/netoptimizer/prototype-kernel/tree/master/kernel/samples/bpf

This directory [samples/bpf/](https://github.com/netoptimizer/prototype-kernel/blob/master/kernel/samples/bpf) maintains a different Makefile (than depending on the kernels) and maintains a copy of some bpf-header files to ease compiling outside the kernel source tree.

Simply run 'make' in that directory to build the bpf samples.

@blshkv blshkv changed the title ebpf_prog: convert to a proper module ebpf_prog: compile out-of-tree feature request Aug 8, 2022
@ZeroChaos-

I'm not a programmer, so maybe I'm missing something, but it looks to me like this is terrible programming practice.
https://github.com/evilsocket/opensnitch/blob/master/ebpf_prog/file.patch This patch literally just renames one function. Nothing uses the renamed function; it's only renamed so that the ebpf_prog/opensnitch.c code can define its own version and use it.

Wouldn't it be easier for ebpf_prog to define and use bpf_map_defnew or something and then not need this patch at all?

Repository owner locked and limited conversation to collaborators May 14, 2023
@gustavo-iniguez-goya gustavo-iniguez-goya converted this issue into discussion #939 May 14, 2023
