
Comments (5)

glitsj16 commented on May 9, 2024

FOLLOW-UP
The above error is only thrown when running the Linux kernel I've been using as my main one for a while now, linux-cachyos-tt. While picosnitch worked fine on version 5.15.10 of that kernel, on the latest 5.15.11 version picosnitch started to break.

On linux 5.15.10.arch1-1 (Arch Linux default kernel from Core repo) it works, although I noticed something odd in the systemd service status output (the tar and xz lines):

● picosnitch.service - Network Connections Monitor
     Loaded: loaded (/usr/lib/systemd/system/picosnitch.service; disabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/picosnitch.service.d
             └─hardening.conf
     Active: active (running) since Thu 2021-12-23 04:42:41 CET; 3s ago
   Main PID: 4914 (picosnitch)
      Tasks: 11 (limit: 4636)
     Memory: 160.0M
        CPU: 2.218s
     CGroup: /system.slice/picosnitch.service
             ├─4914 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4949 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4950 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4951 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4952 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4994 tar -xf /sys/kernel/kheaders.tar.xz -C /tmp/kheaders-5.15.10-arch1-1-9VNGsE
             └─4998 xz -d

Dec 23 04:42:41 lab16 systemd[1]: Started Network Connections Monitor.
Dec 23 04:42:43 lab16 picosnitch[4914]: starting picosnitch in simple mode

On linux 5.15.11.arch2-1 (currently in the Arch Linux testing repo) it works too, and the systemd status output is back to 'normal':

● picosnitch.service - Network Connections Monitor
     Loaded: loaded (/usr/lib/systemd/system/picosnitch.service; disabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/picosnitch.service.d
             └─hardening.conf
     Active: active (running) since Thu 2021-12-23 05:04:54 CET; 15s ago
   Main PID: 4786 (picosnitch)
      Tasks: 9 (limit: 4636)
     Memory: 265.5M
        CPU: 11.911s
     CGroup: /system.slice/picosnitch.service
             ├─4786 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4833 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4834 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4835 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             └─4836 /usr/bin/python /usr/bin/picosnitch start-no-daemon

Dec 23 05:04:54 lab16 systemd[1]: Started Network Connections Monitor.
Dec 23 05:04:55 lab16 picosnitch[4786]: starting picosnitch in simple mode

FWIW, I had to change the default SUDO_UID=1000 in /usr/lib/systemd/system/picosnitch.service to the actual UID of my user (which is 1001). While playing around with picosnitch the last couple of days I also added some systemd hardening options, which is why the above systemd output shows the Drop-In.

I was planning on opening a separate issue on systemd hardening for the picosnitch service later on, but I might as well throw it in here. This is what has been working fine, ever since picosnitch 0.6.0:

$ cat /etc/systemd/system/picosnitch.service.d/hardening.conf
[Service]
## Extra hardening options for picosnitch, WIP

#AmbientCapabilities=
#CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
MountFlags=private
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
#ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SecureBits=noroot-locked
SystemCallArchitectures=native

ProtectHome=read-only
ReadWritePaths=/home/glitsj16/.config/picosnitch

InaccessiblePaths=-/media
InaccessiblePaths=-/mnt
InaccessiblePaths=-/run/media
InaccessiblePaths=-/run/mount

## firejail's hardcoded blacklist
InaccessiblePaths=-/boot
#InaccessiblePaths=-/dev/kmsg
#InaccessiblePaths=-/dev/port
#InaccessiblePaths=-/lib/modules
InaccessiblePaths=-/proc/bus
#InaccessiblePaths=-/proc/config.gz
InaccessiblePaths=-/proc/irq
#InaccessiblePaths=-/proc/kallsyms
#InaccessiblePaths=-/proc/kcore
#InaccessiblePaths=-/proc/kmem
#InaccessiblePaths=-/proc/kmsg
InaccessiblePaths=-/proc/mem
InaccessiblePaths=-/proc/sched_debug
InaccessiblePaths=-/proc/sys/efi/vars
InaccessiblePaths=-/proc/sys/fs/binfmt_misc
#InaccessiblePaths=-/proc/sys/kernel/core_pattern
#InaccessiblePaths=-/proc/sys/kernel/hotplug
#InaccessiblePaths=-/proc/sys/kernel/modprobe
InaccessiblePaths=-/proc/sys/security
#InaccessiblePaths=-/proc/sys/vm/panic_on_oom
InaccessiblePaths=-/proc/sysrq-trigger
InaccessiblePaths=-/proc/timer_list
InaccessiblePaths=-/proc/timer_stats
InaccessiblePaths=-/selinux
InaccessiblePaths=-/sys/firmware
InaccessiblePaths=-/sys/fs
InaccessiblePaths=-/sys/hypervisor
#InaccessiblePaths=-/sys/kernel/debug
#InaccessiblePaths=-/sys/kernel/uevent_helper
#InaccessiblePaths=-/sys/kernel/vmcoreinfo
#InaccessiblePaths=-/sys/module
InaccessiblePaths=-/sys/power
#InaccessiblePaths=-/usr/lib/debug
InaccessiblePaths=-/usr/src/linux

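The SUDO_UID change mentioned in the comment above (the shipped default of 1000 versus an actual UID of 1001) can be done without editing the unit under /usr/lib/systemd/system, by rendering a drop-in that sets the variable. The script below is an added example, not picosnitch's own code. It assumes the unit reads SUDO_UID, that picosnitch derives the desktop user's D-Bus session bus from it, and that the bus lives at /run/user/<uid>/bus (where systemd --user places it); the drop-in file name user.conf is made up.

```python
"""Render a systemd drop-in that tells picosnitch which desktop user to target.

Added example, not picosnitch's own code.  Assumptions: the unit reads
SUDO_UID (the thread says the shipped default is 1000), picosnitch derives the
user's session bus from it, and that bus lives at /run/user/<uid>/bus, which
is where systemd --user puts it.  The drop-in file name is made up.
"""
import os
import pwd
from typing import Callable

DROPIN_PATH = "/etc/systemd/system/picosnitch.service.d/user.conf"


def resolve_uid(
    username: str,
    lookup: Callable[[str], int] = lambda u: pwd.getpwnam(u).pw_uid,
) -> int:
    """Map a login name to its numeric UID via the passwd database.

    This takes the UID from the account itself rather than from a directory
    name under /home, since a home directory name does not have to match an
    account.  Refuses uid 0: pointing the service at root's session makes no
    sense.  'lookup' is injectable so the function can be exercised offline.
    """
    try:
        uid = lookup(username)
    except KeyError as exc:  # pwd.getpwnam raises KeyError for unknown users
        raise ValueError(f"no such user: {username}") from exc
    if uid == 0:
        raise ValueError("refusing to target uid 0")
    return uid


def session_bus_address(uid: int) -> str:
    """Address of the user's D-Bus session bus under systemd --user."""
    return f"unix:path=/run/user/{uid}/bus"


def render_dropin(uid: int) -> str:
    """Body of the drop-in.

    Drop-ins are parsed after the main unit file and, for Environment=, the
    later assignment of a variable wins, so this overrides SUDO_UID=1000
    without touching the vendor unit.
    """
    return (
        "[Service]\n"
        f"Environment=SUDO_UID={uid}\n"
        f"Environment=DBUS_SESSION_BUS_ADDRESS={session_bus_address(uid)}\n"
    )


def write_dropin(username: str, path: str = DROPIN_PATH) -> str:
    """Write the drop-in for 'username' and return its body.

    Run 'systemctl daemon-reload' and restart picosnitch afterwards.
    """
    body = render_dropin(resolve_uid(username))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)
    return body


if __name__ == "__main__":
    import sys
    print(render_dropin(resolve_uid(sys.argv[1])), end="")
```

Running `python dropin.py glitsj16 > /etc/systemd/system/picosnitch.service.d/user.conf` (as root) followed by `systemctl daemon-reload` keeps the hardening drop-in shown above untouched; `systemctl show picosnitch -p Environment` confirms which SUDO_UID the merged unit ended up with.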

elesiuta commented on May 9, 2024

Hi, thanks for the detailed follow up! I looked into the kernel you're using, and it looks like this may be the reason, in this commit they removed the line CONFIG_BPF_EVENTS=y from linux-cachyos-tt/config (they also changed a couple other BPF things, not sure if those matter as well), however it looks like it is still enabled in their linux-cachyos-rc kernel so you may be able to try using that.

Also as for the default SUDO_UID=1000, I may have a nicer solution for that shortly by using listdir("/home") and getting the UID from the user name, right now picosnitch systemd can also regenerate the service file with the correct UID. AFAIK, this is the simplest way to set the DBUS_SESSION_BUS_ADDRESS to create desktop notifications (and provide a systemd service file for people who install from PyPI, but that command also works for the AUR and PPA). And thanks for providing your hardening config so far!

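The diagnosis above (a kernel build that dropped CONFIG_BPF_EVENTS) and the tar/xz pair in the earlier service status (BCC unpacking /sys/kernel/kheaders.tar.xz into /tmp because no headers package was found) are both things that can be checked before a BCC-based tool is started. The script below is an added example, not picosnitch's or BCC's own code. The list of required options is an assumption drawn from the thread plus the kernel options BCC documents for kprobe and tracepoint programs; the sample config is constructed, not the real CachyOS config.

```python
"""Check the running kernel for what a BCC-based tool like picosnitch needs.

Added example, not picosnitch's or BCC's own code.  The option list below is
an assumption based on the thread (CONFIG_BPF_EVENTS) and BCC's documented
kernel requirements; adjust it for the tracing features you actually use.
"""
import gzip
import os
import platform
from typing import Dict, Iterable, List, Optional

# Options BCC needs to attach kprobe/tracepoint programs.  CONFIG_BPF_EVENTS
# is the one the linux-cachyos-tt config dropped in the thread above.
REQUIRED_OPTIONS = (
    "CONFIG_BPF",
    "CONFIG_BPF_SYSCALL",
    "CONFIG_BPF_EVENTS",
    "CONFIG_KPROBES",
    "CONFIG_KPROBE_EVENTS",
)


def parse_kconfig(lines: Iterable[str]) -> Dict[str, str]:
    """Turn 'CONFIG_X=y' and '# CONFIG_X is not set' lines into a dict.

    Disabled options are recorded as 'n' so a lookup can tell 'present but
    disabled' apart from 'absent from this config file'.
    """
    opts: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if line.startswith("# ") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")].strip()] = "n"
        elif line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            opts[name.strip()] = value.strip().strip('"')
    return opts


def missing_options(opts: Dict[str, str], required=REQUIRED_OPTIONS) -> List[str]:
    """Return the required options that are not built in (=y)."""
    return [name for name in required if opts.get(name) != "y"]


def headers_source(opts: Dict[str, str], release: Optional[str] = None, root: str = "/") -> str:
    """Report where BCC can get kernel headers for the running kernel.

    'installed' -> <root>/lib/modules/<release>/build exists (headers package)
    'ikheaders' -> CONFIG_IKHEADERS: BCC extracts /sys/kernel/kheaders.tar.xz
                   into a temp dir, which is the tar/xz pair in the service
                   status above ('m' means 'modprobe kheaders' must run first)
    'none'      -> BCC will not be able to compile its programs
    """
    release = release or platform.release()  # same string as 'uname -r'
    if os.path.isdir(os.path.join(root, "lib/modules", release, "build")):
        return "installed"
    if opts.get("CONFIG_IKHEADERS") in ("y", "m"):
        return "ikheaders"
    return "none"


def read_running_config() -> Optional[Dict[str, str]]:
    """Read the booted kernel's config from /proc/config.gz or /boot."""
    release = platform.release()
    for path in ("/proc/config.gz", f"/boot/config-{release}"):
        try:
            opener = gzip.open if path.endswith(".gz") else open
            with opener(path, "rt") as f:
                return parse_kconfig(f)
        except OSError:
            continue
    return None


# Constructed sample resembling the failing case in the thread (not the real
# CachyOS config): BPF events disabled, headers only via the in-kernel tarball.
SAMPLE_CONFIG = """\
CONFIG_LOCALVERSION="-cachyos-tt"
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_BPF_EVENTS is not set
CONFIG_KPROBES=y
CONFIG_KPROBE_EVENTS=y
CONFIG_IKHEADERS=m
"""


if __name__ == "__main__":
    opts = read_running_config()
    if opts is None:
        print("no kernel config found: enable CONFIG_IKCONFIG_PROC or install the config file")
    else:
        print("missing:", missing_options(opts) or "none")
        print("headers:", headers_source(opts))
```

On the Arch kernel from the thread this reports no missing options; on the CachyOS build that dropped CONFIG_BPF_EVENTS it names that option, which is the check to run before assuming picosnitch itself regressed after a kernel update.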

glitsj16 commented on May 9, 2024

> I looked into the kernel you're using, and it looks like this may be the reason, in this commit they removed the line CONFIG_BPF_EVENTS=y from linux-cachyos-tt/config

Thank you kindly for the great detective work! I'll contact the cachyos team about those BPF changes. It's a bit unusual for them to change kernel configs in between minor-version kernel updates, but I can always patch those out and build their kernel myself. I was mainly looking for a nicely behaving CPU scheduler after MuQSS development halted anyway. The TT worked best on my old laptop, but I'll check out RC too.

I've seen your fix for the hardcoded SUDO_UID=1000, so thanks for that too :-)

> AFAIK, this is the simplest way to set the DBUS_SESSION_BUS_ADDRESS to create desktop notifications

I've been gathering info on whether it would be possible to run picosnitch with an unprivileged (systemd) user instead of running the service as root (and having root-owned, world-readable files in ${HOME}/.config/picosnitch). Even though I think this is doable using Linux capabilities and/or PAM, it's too early to go into that here, as it would imply a larger overhaul to picosnitch as is. But during that research I've stumbled onto systembus-notify and a Python implementation of the same idea here. Just an FYI.

Thanks again for this very interesting project. All the best and enjoy a safe and pleasant end-of-year holiday season!


elesiuta commented on May 9, 2024

You're welcome! Thank you and happy holidays!

> I've been gathering info on whether it would be possible to run picosnitch with an unprivileged (systemd) user instead of running the service as root (and having root-owned, world-readable files in ${HOME}/.config/picosnitch). Even though I think this is doable using Linux capabilities and/or PAM, it's too early to go into that here, as it would imply a larger overhaul to picosnitch as is.

Yep, that would probably be a lot of work, if it's doable (don't have the time to look into it myself). After my most recent overhauls though (0.5 and 0.6) and finally getting it into a state that I'd say is feature complete (0.7), my plan now (0.8+) is to mainly focus on just fixing things related to reliability and performance, and improving usability.


glitsj16 commented on May 9, 2024

The kind folks at CachyOS have reverted some of their BPF-related kernel config options. My picosnitch is back on track, so I'll close this. Thanks again for your input.
