app-admin/opensnitch does not build/install /etc/opensnitch/opensnitch.o #1168

Closed

emdee-is opened this issue Aug 4, 2022 · 7 comments

@emdee-is

emdee-is commented Aug 4, 2022

app-admin/opensnitch does not build/install /etc/opensnitch/opensnitch.o

This is an oddball that is dynamically loaded iff the process monitor method is ebpf.

This is built and installed on Debian.

@blshkv (Contributor)

blshkv commented Aug 5, 2022

Yeah, there are some manual steps which involve kernel patching:
https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog

That's just wrong. I have filed upstream bug report:
evilsocket/opensnitch#712

Let's come back to it once they have a standard module so it can be added to an ebuild.

Until then, you are on your own (unless you can provide a workaround) ;-)

@blshkv blshkv closed this as completed Aug 5, 2022
@emdee-is (Author)

emdee-is commented Aug 5, 2022

I really appreciate your putting it in pentoo - it's a bear to build and I dislike go's habit of downloading sources on its own...

They say there's some real advantages to ebpf https://github.com/evilsocket/opensnitch/wiki/monitor-method-ebpf so I think it's worth trying to build the opensnitch.o

But I'm guessing that those build instructions are way out of date and that there is no kernel patching and no kernel module on Debian - see
https://github.com/evilsocket/opensnitch/releases/download/v1.5.2/opensnitch_1.5.2-1_amd64.deb

Even the list of kernel configs seems out of date, as some are not in my .config for pentoo-sources-5.15.26 (the rest are =y).

So the easiest way may be to look at the debian control file and see what they do, and then copy that to the ebuild.

There are 2 other related problems: to use it you need to have debugfs mounted, which does need CONFIG_KPROBES=y and CONFIG_KPROBE_EVENTS=y, but I'm finding that even with these, I can't mount debugfs. I'll open another issue on this.

And I think you have to do an iptables-save and read the output to make sure there is not a terminal -A OUTPUT -j DROP rule, because opensnitch appends a rule to iptables that will never be reached. I have opensnitch running with proc, not ebpf, but nothing is happening/working.

Thanks for your help.

@emdee-is (Author)

emdee-is commented Aug 5, 2022

@blshkv I'd ask that you not close this issue until opensnitch runs with ebpf on Pentoo. You still need to modify the ebuild to check for CONFIG_KPROBES=y and CONFIG_KPROBE_EVENTS=y.
evilsocket/opensnitch#426

And I think you also have to make sure the kernel builds or includes the modules nfnetlink_queue and nft_queue, even without ebpf.

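The checks asked for in the two comments above (kernel options for kprobes, the two netfilter queue modules, a mounted debugfs, and an OUTPUT chain whose terminal DROP would hide the NFQUEUE rule opensnitchd appends) as one preflight script. This is an added example, not code from the opensnitch project or the Pentoo overlay. Every check takes text so it can run offline on constructed input; `main()` feeds it the live system. The CONFIG_* symbol names for the two modules, CONFIG_DEBUG_FS, and the `filter`/`OUTPUT` default are my additions, not something the thread states.

```python
"""Preflight checks for opensnitchd on a self-built (Gentoo/Pentoo) kernel.

Added example; not code from the opensnitch project or the Pentoo overlay.
Each check takes text so it runs offline on constructed input; main()
feeds it the live system. The CONFIG_* names for the queue modules and
CONFIG_DEBUG_FS are my assumptions, not something the thread names.
"""
import gzip
import os
import shlex
import shutil
import subprocess

KPROBE_OPTS = ("CONFIG_KPROBES", "CONFIG_KPROBE_EVENTS", "CONFIG_DEBUG_FS")
MODULE_SYMBOL = {"nfnetlink_queue": "CONFIG_NETFILTER_NETLINK_QUEUE",
                 "nft_queue": "CONFIG_NFT_QUEUE"}


def parse_config(config_text):
    """Map CONFIG_X -> value from a kernel .config or /proc/config.gz dump."""
    cfg = {}
    for line in config_text.splitlines():
        if line.startswith("CONFIG_") and "=" in line:
            key, _, val = line.partition("=")
            cfg[key] = val.strip().strip('"')
    return cfg


def check_kprobe_config(config_text):
    """Options the eBPF monitor needs: 'y' is fine, None means absent/not set."""
    cfg = parse_config(config_text)
    return {opt: cfg.get(opt) for opt in KPROBE_OPTS}


def check_queue_modules(proc_modules_text, config_text):
    """'loaded' (in /proc/modules), 'builtin' (=y in the config) or None."""
    loaded = {l.split()[0] for l in proc_modules_text.splitlines() if l.split()}
    cfg = parse_config(config_text)
    status = {}
    for mod, sym in MODULE_SYMBOL.items():
        status[mod] = ("loaded" if mod in loaded
                       else "builtin" if cfg.get(sym) == "y" else None)
    return status


def debugfs_mounted(proc_mounts_text):
    """True if /proc/mounts lists a debugfs (kprobe events are registered under it)."""
    fields = (l.split() for l in proc_mounts_text.splitlines())
    return any(f[2] == "debugfs" for f in fields if len(f) > 2)


def _split_rule(tokens):
    """Split '-A CHAIN ...' into (target, match tokens). iptables-save prints
    -j last, so anything after it is a target option, not a match."""
    target, matches, i = None, [], 2
    while i < len(tokens):
        if tokens[i] == "-j" and i + 1 < len(tokens):
            target = tokens[i + 1]
            break
        if tokens[i:i + 3] == ["-m", "comment", "--comment"]:
            i += 4                      # a comment never restricts the rule
        else:
            matches.append(tokens[i])
            i += 1
    return target, matches


def find_shadowing_drop(save_text, table="filter", chain="OUTPUT"):
    """In one chain, find the first unconditional DROP/REJECT and the first
    NFQUEUE rule. opensnitchd appends its NFQUEUE rule, so an unconditional
    DROP ahead of it means no packet is ever queued to the daemon. The
    chain policy is reported but does not shadow an appended rule."""
    in_table, policy, drop_at, nfq_at, n = False, None, None, None, 0
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_table = line[1:] == table
        elif in_table and line.startswith(":" + chain + " "):
            policy = line.split()[1]
        elif in_table and line.startswith("-A " + chain + " "):
            target, matches = _split_rule(shlex.split(line))
            if target in ("DROP", "REJECT") and not matches and drop_at is None:
                drop_at = n
            if target == "NFQUEUE" and nfq_at is None:
                nfq_at = n
            n += 1
    shadowed = drop_at is not None and (nfq_at is None or drop_at < nfq_at)
    return {"policy": policy, "drop_rule": drop_at,
            "nfqueue_rule": nfq_at, "shadowed": shadowed}


def _read(path, opener=open):
    with opener(path, "rt") as fh:
        return fh.read()


def main():
    # /proc/config.gz needs CONFIG_IKCONFIG_PROC; fall back to an empty config.
    config = _read("/proc/config.gz", gzip.open) if os.path.exists("/proc/config.gz") else ""
    print("kprobe options:", check_kprobe_config(config))
    print("queue modules:", check_queue_modules(_read("/proc/modules"), config))
    print("debugfs mounted:", debugfs_mounted(_read("/proc/mounts")))
    if shutil.which("iptables-save"):      # needs root to print anything
        save = subprocess.run(["iptables-save"], capture_output=True, text=True).stdout
        print("OUTPUT chain:", find_shadowing_drop(save))


if __name__ == "__main__":
    main()
```

Run it as root on the target box; a `None` in the kprobe dict or a `shadowed: True` in the chain report is the condition the comments above describe. `find_shadowing_drop` deliberately treats a rule with only a `-m comment` match as unconditional, since that is how a hand-written "block everything" rule usually looks in a saved ruleset.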
@emdee-is emdee-is changed the title app-admin does not build/install /etc/opensnitch/opensnitch.o app-admin/opensnitch does not build/install /etc/opensnitch/opensnitch.o Aug 5, 2022
@blshkv blshkv reopened this Aug 5, 2022
@emdee-is (Author)

emdee-is commented Aug 5, 2022

Now that I have a better understanding of /etc/opensnitch/opensnitch.o for ebpf, I assume that loading it is the equivalent of loading an unsigned module into the kernel. If so, do you agree that there should be security concerns with this approach?

If so, you might want to wait for a real modprobe kernel module that can be signed to load the ebpf capabilities.

PS: As a workaround, if I understand the discussions from their issues, the /etc/opensnitch/opensnitch.o is backwards compatible, so that one compiled for a current kernel will work on any Linux back to 4.4. So an opensnitch.o from Debian may work on any Linux (e.g. Pentoo) for those who like to live on the bleeding edge...

@blshkv (Contributor)

blshkv commented Aug 8, 2022

found some hints here:
evilsocket/opensnitch#680

@emdee-is (Author)

emdee-is commented Aug 8, 2022

They break opensnitchd / opensnitch-ui into 2 packages for Debian but it doesn't matter to me for Gentoo - what matters is the proper packaging of opensnitch.o as a kernel module.

Even if we can build it, their way of building in-tree is, I'm guessing, just laziness. So I'm glad you pointed out to them how to build a module. As I said, I'm very uncomfortable with them loading the equivalent of a kernel module - unsigned.

(Side question you may easily know the answer to - does the hardened profile of Pentoo implement signed kernel modules? If not, I think it should...)

blshkv pushed a commit that referenced this issue Aug 15, 2022
@blshkv (Contributor)

blshkv commented Aug 15, 2022

So I downloaded the opensnitch Debian binaries, extracted opensnitch.o for each arch, stripped it and added it to the ebuild. That's the workaround so far.

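Since the workaround above vendors a prebuilt object taken out of another distribution's package, the check a packager would want before pinning it is that the file pulled from the .deb really is an eBPF relocatable ELF, and a hash to record alongside it. The script below is an added example, not code from the opensnitch project or the Pentoo overlay: it walks the .deb (an `ar` archive) with the standard library only, pulls `etc/opensnitch/opensnitch.o` out of `data.tar.*`, validates the ELF header (`e_machine` 247 = EM_BPF, `e_type` 1 = ET_REL) and returns the sha256. The .deb built by `make_sample_deb()` is constructed test data with a header-only fake object, not the real package.

```python
"""Inspect the opensnitch.o shipped inside a Debian .deb before vendoring it.

Added example; not code from the opensnitch project or the Pentoo overlay.
Parses the .deb (an ar archive) with the standard library only, extracts
the eBPF object from data.tar.*, checks it is a BPF relocatable ELF and
returns the sha256 to pin. make_sample_deb() builds constructed test data.
"""
import hashlib
import io
import struct
import tarfile

AR_MAGIC = b"!<arch>\n"
EM_BPF = 247           # ELF e_machine value for eBPF objects
ET_REL = 1             # relocatable object, which is what a .o must be
OBJ_PATH = "etc/opensnitch/opensnitch.o"


def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (.deb layout)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % pos)
        # dpkg writes plain names, GNU ar appends '/'; accept both.
        name = hdr[0:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)          # members are 2-byte aligned


def extract_from_deb(blob, path=OBJ_PATH):
    """Return the bytes of `path` from the data.tar.* member of a .deb."""
    for name, data in ar_members(blob):
        if name.startswith("data.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                for member in tar.getmembers():
                    mname = member.name[2:] if member.name.startswith("./") else member.name
                    if mname == path and member.isfile():
                        return tar.extractfile(member).read()
    raise FileNotFoundError(path)


def describe_bpf_elf(obj):
    """Parse the ELF header; raise ValueError unless it is a 64-bit LSB BPF .o."""
    if len(obj) < 64 or obj[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if obj[4] != 2 or obj[5] != 1:               # EI_CLASS, EI_DATA
        raise ValueError("expected ELFCLASS64 / ELFDATA2LSB")
    e_type, e_machine = struct.unpack_from("<HH", obj, 16)
    if e_machine != EM_BPF:
        raise ValueError("e_machine %d is not EM_BPF" % e_machine)
    if e_type != ET_REL:
        raise ValueError("e_type %d is not ET_REL" % e_type)
    return {"size": len(obj), "sha256": hashlib.sha256(obj).hexdigest()}


def is_bpf_object(obj):
    """Boolean wrapper around describe_bpf_elf()."""
    try:
        describe_bpf_elf(obj)
        return True
    except ValueError:
        return False


def _ar_header(name, size):
    return ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", size)).encode()


def make_sample_deb(obj=None):
    """Constructed test data: a minimal .deb wrapping a header-only fake BPF .o."""
    if obj is None:
        obj = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # e_ident
               + struct.pack("<HHI", ET_REL, EM_BPF, 1) + bytes(40))
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./" + OBJ_PATH)
        info.size = len(obj)
        tar.addfile(info, io.BytesIO(obj))
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in (("debian-binary", b"2.0\n"), ("control.tar.gz", b""),
                       ("data.tar.gz", tar_buf.getvalue())):
        out.write(_ar_header(name, len(data)) + data)
        if len(data) & 1:
            out.write(b"\n")
    return out.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_deb()
    print(describe_bpf_elf(extract_from_deb(blob)))
```

Point it at the downloaded `opensnitch_1.5.2-1_amd64.deb` and record the printed sha256 next to the stripped object in the ebuild; the header check catches the case where the wrong architecture's package, or a native object, was picked up by mistake. Note that stripping the object afterwards changes the hash, so pin whichever form actually ships.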
@blshkv blshkv closed this as completed Aug 15, 2022