Crash with ebpf probe built by clang 15 on alpine #2462

Closed
tspearconquest opened this issue Mar 31, 2023 · 2 comments

@tspearconquest

Describe the bug
When building the eBPF probe with falco-driver-loader --compile, the probe builds and loads properly; however, falco crashes and burns upon trying to use the probe:

Fri Mar 31 16:59:17 2023: Falco version: 0.34.1 (x86_64)
Fri Mar 31 16:59:17 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Fri Mar 31 16:59:17 2023: Loading rules from file /etc/falco/falco_rules.yaml
Fri Mar 31 16:59:17 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Fri Mar 31 16:59:18 2023: Loading rules from file /etc/falco/k8s_audit_rules.yaml
Fri Mar 31 16:59:18 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Fri Mar 31 16:59:18 2023: gRPC server threadiness equals to 8
Fri Mar 31 16:59:18 2023: Starting health webserver with threadiness 8, listening on port 8765
Fri Mar 31 16:59:18 2023: Enabled event sources: syscall
Fri Mar 31 16:59:18 2023: Opening capture with BPF probe. BPF probe path: /root/.falco/falco-bpf.o
Fri Mar 31 16:59:18 2023: Starting gRPC server at unix:///var/run/falco/falco.sock
-- BEGIN PROG LOAD LOG --
0: (bf) r6 = r1
1: (b7) r1 = 0
2: (63) *(u32 *)(r10 -4) = r1
last_idx 2 first_idx 0
regs=2 stack=0 before 1: (b7) r1 = 0
3: (bf) r2 = r10
4: (07) r2 += -4
5: (18) r1 = 0xffff9e7b0fa5ca00
7: (85) call bpf_map_lookup_elem#1
8: (85) call bpf_get_smp_processor_id#8
9: (bf) r9 = r0
10: (63) *(u32 *)(r10 -4) = r9
11: (bf) r2 = r10
12: (07) r2 += -4
13: (18) r1 = 0xffffac0b8b08d000
15: (85) call bpf_map_lookup_elem#1
16: (bf) r8 = r0
17: (63) *(u32 *)(r10 -4) = r9
18: (bf) r2 = r10
19: (07) r2 += -4
20: (18) r1 = 0xffff9e8156107800
22: (85) call bpf_map_lookup_elem#1
23: (bf) r7 = r0
24: (15) if r7 == 0x0 goto pc+246
 R0=map_value(id=0,off=0,ks=4,vs=181,imm=0) R6=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=inv(id=0) R10=fp0 fp-8=mmmm????
25: (7b) *(u64 *)(r10 -16) = r6
26: (63) *(u32 *)(r10 -4) = r9
27: (bf) r2 = r10
28: (07) r2 += -4
29: (18) r1 = 0xffffac0b8bf5d000
31: (85) call bpf_map_lookup_elem#1
32: (18) r6 = 0xfffffffd
34: (15) if r0 == 0x0 goto pc+226
 R0=map_value(id=0,off=0,ks=4,vs=262144,imm=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=inv(id=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
35: (71) r1 = *(u8 *)(r7 +1)
 R0=map_value(id=0,off=0,ks=4,vs=262144,imm=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=inv(id=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
36: (67) r1 <<= 8
37: (71) r2 = *(u8 *)(r7 +0)
 R0=map_value(id=0,off=0,ks=4,vs=262144,imm=0) R1_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=inv(id=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
38: (4f) r1 |= r2
39: (71) r2 = *(u8 *)(r7 +2)
 R0=map_value(id=0,off=0,ks=4,vs=262144,imm=0) R1_w=inv(id=0) R2_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=inv(id=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
40: (71) r3 = *(u8 *)(r7 +3)
 R0=map_value(id=0,off=0,ks=4,vs=262144,imm=0) R1_w=inv(id=0) R2_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=inv(id=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
41: (67) r3 <<= 8
42: (4f) r3 |= r2
43: (67) r3 <<= 16
44: (4f) r3 |= r1
45: (63) *(u32 *)(r10 -4) = r3
46: (bf) r2 = r10
47: (07) r2 += -4
48: (18) r1 = 0xffffac0b8a9b5000
50: (85) call bpf_map_lookup_elem#1
51: (bf) r9 = r0
52: (18) r6 = 0xfffffffd
54: (15) if r9 == 0x0 goto pc+206
 R0=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9_w=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
55: (71) r1 = *(u8 *)(r7 +1)
 R0=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9_w=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
56: (67) r1 <<= 8
57: (71) r2 = *(u8 *)(r7 +0)
 R0=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R1_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9_w=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
58: (4f) r1 |= r2
59: (71) r2 = *(u8 *)(r7 +2)
 R0=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R1_w=inv(id=0) R2_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9_w=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
60: (71) r3 = *(u8 *)(r7 +3)
 R0=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R1_w=inv(id=0) R2_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9_w=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
61: (67) r3 <<= 8
62: (4f) r3 |= r2
63: (67) r3 <<= 16
64: (4f) r3 |= r1
65: (63) *(u32 *)(r10 -4) = r3
66: (bf) r2 = r10
67: (07) r2 += -4
68: (18) r1 = 0xffff9e79dd4e8000
70: (85) call bpf_map_lookup_elem#1
71: (18) r6 = 0xfffffffd
73: (15) if r0 == 0x0 goto pc+187
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
74: (71) r2 = *(u8 *)(r7 +29)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
75: (67) r2 <<= 8
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
76: (71) r1 = *(u8 *)(r7 +28)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R2_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
77: (4f) r2 |= r1
78: (71) r1 = *(u8 *)(r7 +31)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R2_w=inv(id=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
79: (67) r1 <<= 8
80: (71) r3 = *(u8 *)(r7 +30)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R2_w=inv(id=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
81: (4f) r1 |= r3
82: (67) r1 <<= 16
83: (4f) r1 |= r2
84: (71) r2 = *(u8 *)(r7 +33)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1_w=inv(id=0) R2_w=inv(id=0) R3_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
85: (67) r2 <<= 8
86: (71) r3 = *(u8 *)(r7 +32)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1_w=inv(id=0) R2_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R3_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
87: (4f) r2 |= r3
88: (71) r3 = *(u8 *)(r7 +34)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1_w=inv(id=0) R2_w=inv(id=0) R3_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
89: (71) r5 = *(u8 *)(r7 +35)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1_w=inv(id=0) R2_w=inv(id=0) R3_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
90: (67) r5 <<= 8
91: (4f) r5 |= r3
92: (67) r5 <<= 16
93: (4f) r5 |= r2
94: (67) r5 <<= 32
95: (4f) r5 |= r1
96: (15) if r5 == 0x0 goto pc+2
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1_w=inv(id=0) R2_w=inv(id=0) R3_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R5_w=inv(id=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
97: (61) r1 = *(u32 *)(r9 +40)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1_w=inv(id=0) R2_w=inv(id=0) R3_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R5_w=inv(id=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
98: (05) goto pc+75
174: (71) r3 = *(u8 *)(r7 +13)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv(id=0) R3_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R5=inv(id=0) R6=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
175: (67) r3 <<= 8
176: (71) r2 = *(u8 *)(r7 +12)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv(id=0) R3_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R5=inv(id=0) R6=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
177: (4f) r3 |= r2
178: (71) r2 = *(u8 *)(r7 +15)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R3_w=inv(id=0) R5=inv(id=0) R6=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
179: (67) r2 <<= 8
180: (71) r4 = *(u8 *)(r7 +14)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R3_w=inv(id=0) R5=inv(id=0) R6=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
181: (4f) r2 |= r4
182: (67) r2 <<= 16
183: (4f) r2 |= r3
184: (71) r3 = *(u8 *)(r7 +17)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv(id=0) R3_w=inv(id=0) R4_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R5=inv(id=0) R6=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
185: (67) r3 <<= 8
186: (71) r4 = *(u8 *)(r7 +16)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv(id=0) R3_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R4_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R5=inv(id=0) R6=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
187: (4f) r3 |= r4
188: (71) r4 = *(u8 *)(r7 +18)
 R0=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv(id=0) R3_w=inv(id=0) R4_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R5=inv(id=0) R6=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
189: (71) r0 = *(u8 *)(r7 +19)
 R0_w=map_value(id=0,off=0,ks=4,vs=58,imm=0) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv(id=0) R3_w=inv(id=0) R4_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R5=inv(id=0) R6=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
190: (67) r0 <<= 8
191: (4f) r0 |= r4
192: (67) r0 <<= 16
193: (4f) r0 |= r3
194: (67) r0 <<= 32
195: (4f) r0 |= r2
196: (18) r6 = 0xfffffffd
198: (5d) if r0 != r1 goto pc+62
 R0_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv(id=0) R3_w=inv(id=0) R4_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R5=inv(id=0) R6_w=inv4294967293 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
199: (18) r6 = 0xfffffffb
201: (25) if r5 > 0xfff3 goto pc+59
 R0_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R1=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv(id=0) R3_w=inv(id=0) R4_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R5=inv(id=0,umax_value=65523,var_off=(0x0; 0xffff)) R6_w=inv4294967291 R7=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0) R9=map_value(id=0,off=0,ks=4,vs=1840,imm=0) R10=fp0 fp-8=mmmm???? fp-16=ctx
202: (bf) r1 = r5
203: (77) r1 >>= 24
204: (73) *(u8 *)(r8 +19) = r1
R8 invalid mem access 'map_value_or_null'
processed 119 insns (limit 1000000) max_states_per_insn 0 total_states 6 peak_states 6 mark_read 5

-- END PROG LOAD LOG --
Fri Mar 31 16:59:18 2023: An error occurred in an event source, forcing termination...
Fri Mar 31 16:59:18 2023: Shutting down gRPC server. Waiting until external connections are closed by clients
Fri Mar 31 16:59:18 2023: Waiting for the gRPC threads to complete
Fri Mar 31 16:59:18 2023: Draining all the remaining gRPC events
Fri Mar 31 16:59:18 2023: Shutting down gRPC server complete
Error: libscap: bpf_load_program() event=raw_tracepoint/filler/sys_empty: Operation not permitted

How to reproduce it
Build the falco driver loader from this dockerfile:

FROM falcosecurity/falco-driver-loader as oss

FROM alpine:3.17
ENV HOST_ROOT /host
RUN mkdir /host \
 && apk --quiet --update --no-cache add \
    akms \
    bash \
    bc \
    binutils \
    bison \
    clang15 \
    curl \
    flex \
    gcc \
    gcompat \
    libcrypto3 \
    libelf-static \
    libssl3 \
    llvm15 \
    m4 \
    make \
    openssl-dev \
    patch \
    patchelf \
 && ln -s "${HOST_ROOT}/lib/modules" /lib/modules \
 && ln -s akms /usr/bin/dkms
COPY --chown=0:0 --from=oss /docker-entrypoint.sh /
COPY --chown=0:0 --from=oss /usr/bin/falco-driver-loader /usr/bin
COPY --chown=0:0 --from=oss /usr/src /usr/src
ENTRYPOINT ["/docker-entrypoint.sh"]

Expected behaviour
The probe builds, and falco runs without issue

Screenshots

Environment

  • Falco version: 0.34.1
  • System info:
  • Cloud provider or hardware configuration: Azure AKS
  • OS: Ubuntu 18.04
  • Kernel: 5.4.x
  • Installation method: Kubernetes driver loader source compile

Additional context
Originally, I tried to build the driver loader image with the package libc6-compat, but it failed to compile the bpf probe, so I switched to gcompat.

I will also try clang 14 to see if it makes any difference.
I will also try installing glibc because there is a glibc for alpine build and we'll see if that makes any difference.
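
A way to triage a verifier rejection like the one in the log above: find the rejected access, the register's last assignment on the walked path, and whether a null check on that register was seen. This is an added example, not code from the issue or from the Falco project; the function name `triage` and the trimmed log excerpt are assumptions made for illustration.

```python
import re

# Excerpt of the verifier log quoted in the report above, cut down to the
# instructions on R8's path (the register-state line is shortened).
SAMPLE_LOG = """\
15: (85) call bpf_map_lookup_elem#1
16: (bf) r8 = r0
22: (85) call bpf_map_lookup_elem#1
23: (bf) r7 = r0
24: (15) if r7 == 0x0 goto pc+246
 R7_w=map_value(id=0,off=0,ks=4,vs=181,imm=0) R8=map_value_or_null(id=2,off=0,ks=4,vs=262144,imm=0)
203: (77) r1 >>= 24
204: (73) *(u8 *)(r8 +19) = r1
R8 invalid mem access 'map_value_or_null'
"""

INSN = re.compile(r"^(\d+): \([0-9a-f]{2}\) (.*)$")
ERROR = re.compile(r"^R(\d+) invalid mem access '(\w+)'")

def triage(log):
    """Locate the rejected access, the register's last assignment, and any null check.

    Assumption: the log follows one path, as in the report; "from N to M:"
    branch restarts are not handled.
    """
    path = []  # (index, text) in the order the verifier walked the instructions
    for line in log.splitlines():
        insn = INSN.match(line)
        if insn:
            path.append((int(insn.group(1)), insn.group(2)))
            continue
        err = ERROR.match(line)
        if err and path:
            reg, state = "r" + err.group(1), err.group(2)
            break
    else:
        return None  # no "invalid mem access" line, nothing to triage

    assigned = helper = None
    null_checked = False
    # Walk back from the failing instruction to the register's last assignment.
    for pos in range(len(path) - 2, -1, -1):
        idx, text = path[pos]
        if re.match(rf"if {reg} [!=]= 0x0 goto", text):
            null_checked = True
        elif text.startswith(f"{reg} = "):
            assigned = (idx, text)
            call = re.match(r"call (\w+)#\d+", path[pos - 1][1]) if pos else None
            if text == f"{reg} = r0" and call:
                helper = call.group(1)
            break
    return {"register": reg, "state": state, "failed_at": path[-1],
            "assigned_at": assigned, "helper": helper, "null_checked": null_checked}
```

On the excerpt, the result points at instruction 204 storing through r8, which was taken from the return value of bpf_map_lookup_elem at instruction 16 with no null check on r8 seen before the store.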

@tspearconquest

Building the probe with clang 14 works fine.

@FedeDP

FedeDP commented Mar 31, 2023

Hi! Just to track this down: the issue should be already fixed on libs master (and next Falco version): falcosecurity/libs#858
