#1 2018-05-16 18:21:44

RickDeckard
Member
From: Acworth, Georgia, USA
Registered: 2016-02-19
Posts: 50

BPF kernel defaults in 4.16.8-1-hardened cause AIDE to segfault

Hi, I know that the bugtracker might be a good place to post this but I'm doing this to help anyone who might be using this software and segfaulting every time they try to run an AIDE update or check.  I have a pretty good feeling that "unprivileged_bpf_disabled" is causing this because journalctl always spits out messages to the effect of "BPF deny maps failed" when this happens to me.  I've excluded all possible file-based problems (.go files which scanning crashes on, etc.) for this.  Can someone who is more knowledgeable about BPF tell me what I'd be chancing by manually tuning the sysctl to 0 to get AIDE working again?

Last edited by RickDeckard (2018-05-16 18:22:52)

#2 2018-05-16 20:05:35

rsmarples
Member
Registered: 2009-05-12
Posts: 202

Re: BPF kernel defaults in 4.16.8-1-hardened cause AIDE to segfault

BPF is the Berkeley Packet Filter. On Linux it's implemented in PF_PACKET.
Many applications use BPF to work with low level IPv4 networking, such as DHCP and ARP. There is no need for it for IPv6 because the needed glue is baked into the IPv6 protocol itself.

What sysctl are you talking about? If it's sys.net.core.bpf_jit_enable that should be fine setting it to zero.
This just disables BPF JIT optimisations. If it's anything like the NetBSD implementation then BPF will still work fine, just slower.

Last edited by rsmarples (2018-05-16 20:05:59)

#3 2018-05-16 20:55:24

RickDeckard
Member
From: Acworth, Georgia, USA
Registered: 2016-02-19
Posts: 50

Re: BPF kernel defaults in 4.16.8-1-hardened cause AIDE to segfault

I'm talking about /proc/sys/kernel/unprivileged_bpf_disabled.  Given that explanation, I'm now only more confused as to why an IDS/file integrity checker which is not in any way network based would want unfettered BPF access.

#4 2018-05-16 23:20:01

Everette88
Member
Registered: 2018-02-17
Posts: 28

Re: BPF kernel defaults in 4.16.8-1-hardened cause AIDE to segfault

It's a lot more than networking these days: http://www.brendangregg.com/ebpf.html

Setting 'unprivileged_bpf_disabled' to '1' restricts bpf to root only.

#5 2018-05-17 17:46:18

loqs
Member
Registered: 2014-03-06
Posts: 6,424

Re: BPF kernel defaults in 4.16.8-1-hardened cause AIDE to segfault

Does AIDE use eBPF? In a cursory inspection of the source code I could not find any use of it. Could the message be coming from something else such as systemd, which does use eBPF?
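The thread leaves two practical questions open: what the current value of kernel.unprivileged_bpf_disabled actually means, and which unit is emitting the "BPF ... failed" journal lines (systemd, as loqs suggests, or AIDE itself). The following shell helper is an added example written for this page, not code from the thread, AIDE or systemd. It assumes only a POSIX shell, grep, awk and sed; the journal lines inside it are constructed samples in journalctl's default short format, not real output, and the meaning of value 2 is taken from newer kernels than the 4.16 discussed here (on 4.16 only 0 and 1 exist, and 1 is sticky until reboot).

```shell
#!/bin/sh
# Added diagnostic helper for the thread above (not project code).
# Assumes: POSIX sh, grep, awk, sed; journal lines in journalctl's
# default "Mon DD HH:MM:SS host unit[pid]: message" format.

# Translate a kernel.unprivileged_bpf_disabled value into what it allows.
describe_unprivileged_bpf() {
    case "$1" in
        0) echo "0: unprivileged processes may call bpf()" ;;
        1) echo "1: bpf() needs CAP_SYS_ADMIN; on 4.16 this cannot be cleared without a reboot" ;;
        2) echo "2: bpf() needs CAP_SYS_ADMIN; newer kernels allow changing this to 1 but not 0" ;;
        *) echo "unknown value: $1" >&2; return 1 ;;
    esac
}

# Keep only journal lines that mention BPF (case-insensitive).
bpf_journal_lines() {
    grep -i 'bpf'
}

# Count BPF-related lines on stdin.
count_bpf_lines() {
    bpf_journal_lines | wc -l | tr -d ' '
}

# Report which unit/process wrote each BPF line: field 5 is "unit[pid]:",
# so strip the "[pid]" and the trailing colon. Duplicates are collapsed.
bpf_reporting_units() {
    bpf_journal_lines | awk '{print $5}' | sed 's/\[.*//; s/:$//' | sort -u
}

# Constructed sample journal excerpt (not captured from a real system):
# one systemd BPF denial, surrounded by unrelated kernel and aide lines.
sample_journal() {
    cat <<'EOF'
May 16 18:10:01 host systemd[1]: Failed to create BPF map: Permission denied
May 16 18:10:01 host kernel: random: crng init done
May 16 18:10:03 host aide[1234]: check started
EOF
}

# Stand-alone run: describe the live setting if /proc exposes it, then
# show the sample analysis. Use: journalctl -b | bpf_reporting_units on a
# real host to see who is actually being denied.
if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
    describe_unprivileged_bpf "$(cat /proc/sys/kernel/unprivileged_bpf_disabled)"
fi
echo "BPF lines in sample: $(sample_journal | count_bpf_lines)"
echo "Reported by: $(sample_journal | bpf_reporting_units)"
```

On a real host, pipe `journalctl -b` (or `journalctl -u aide.service` if AIDE runs as a unit) into `bpf_reporting_units`; if the only name that comes back is `systemd`, the denial is systemd's own BPF use under the hardened default and unrelated to AIDE's crash, which then needs to be chased separately (for example with a core dump) rather than by loosening the sysctl.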
