Comments (5)
FOLLOW-UP
The above error is only thrown when running the Linux kernel I've been using as my main one for a while now, linux-cachyos-tt. While picosnitch worked fine on version 5.15.10 of that kernel, on the latest 5.15.11 version picosnitch started to break.

On linux 5.15.10.arch1-1 (Arch Linux default kernel from the Core repo) it works, although I noticed something odd in the systemd service status output (the tar and xz lines):
```
● picosnitch.service - Network Connections Monitor
     Loaded: loaded (/usr/lib/systemd/system/picosnitch.service; disabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/picosnitch.service.d
             └─hardening.conf
     Active: active (running) since Thu 2021-12-23 04:42:41 CET; 3s ago
   Main PID: 4914 (picosnitch)
      Tasks: 11 (limit: 4636)
     Memory: 160.0M
        CPU: 2.218s
     CGroup: /system.slice/picosnitch.service
             ├─4914 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4949 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4950 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4951 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4952 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4994 tar -xf /sys/kernel/kheaders.tar.xz -C /tmp/kheaders-5.15.10-arch1-1-9VNGsE
             └─4998 xz -d

Dec 23 04:42:41 lab16 systemd[1]: Started Network Connections Monitor.
Dec 23 04:42:43 lab16 picosnitch[4914]: starting picosnitch in simple mode
```
On linux 5.15.11.arch2-1 (currently in the Arch Linux testing repo) it works too, and the systemd status output is back to 'normal':
```
● picosnitch.service - Network Connections Monitor
     Loaded: loaded (/usr/lib/systemd/system/picosnitch.service; disabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/picosnitch.service.d
             └─hardening.conf
     Active: active (running) since Thu 2021-12-23 05:04:54 CET; 15s ago
   Main PID: 4786 (picosnitch)
      Tasks: 9 (limit: 4636)
     Memory: 265.5M
        CPU: 11.911s
     CGroup: /system.slice/picosnitch.service
             ├─4786 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4833 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4834 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             ├─4835 /usr/bin/python /usr/bin/picosnitch start-no-daemon
             └─4836 /usr/bin/python /usr/bin/picosnitch start-no-daemon

Dec 23 05:04:54 lab16 systemd[1]: Started Network Connections Monitor.
Dec 23 05:04:55 lab16 picosnitch[4786]: starting picosnitch in simple mode
```
FWIW, I had to change the default SUDO_UID=1000 in /usr/lib/systemd/system/picosnitch.service to the actual UID of my user (which is 1001). While playing around with picosnitch the last couple of days I also added some systemd hardening options, which is why the above systemd output shows the Drop-In.

I was planning on opening a separate issue on systemd hardening for the picosnitch service later on, but I might as well throw it in here. This is what has been working fine, ever since picosnitch 0.6.0:
```
$ cat /etc/systemd/system/picosnitch.service.d/hardening.conf
[Service]
## Extra hardening options for picosnitch, WIP
#AmbientCapabilities=
#CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
MountFlags=private
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
#ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SecureBits=noroot-locked
SystemCallArchitectures=native
ProtectHome=read-only
ReadWritePaths=/home/glitsj16/.config/picosnitch
InaccessiblePaths=-/media
InaccessiblePaths=-/mnt
InaccessiblePaths=-/run/media
InaccessiblePaths=-/run/mount
## firejail's hardcoded blacklist
InaccessiblePaths=-/boot
#InaccessiblePaths=-/dev/kmsg
#InaccessiblePaths=-/dev/port
#InaccessiblePaths=-/lib/modules
InaccessiblePaths=-/proc/bus
#InaccessiblePaths=-/proc/config.gz
InaccessiblePaths=-/proc/irq
#InaccessiblePaths=-/proc/kallsyms
#InaccessiblePaths=-/proc/kcore
#InaccessiblePaths=-/proc/kmem
#InaccessiblePaths=-/proc/kmsg
InaccessiblePaths=-/proc/mem
InaccessiblePaths=-/proc/sched_debug
InaccessiblePaths=-/proc/sys/efi/vars
InaccessiblePaths=-/proc/sys/fs/binfmt_misc
#InaccessiblePaths=-/proc/sys/kernel/core_pattern
#InaccessiblePaths=-/proc/sys/kernel/hotplug
#InaccessiblePaths=-/proc/sys/kernel/modprobe
InaccessiblePaths=-/proc/sys/security
#InaccessiblePaths=-/proc/sys/vm/panic_on_oom
InaccessiblePaths=-/proc/sysrq-trigger
InaccessiblePaths=-/proc/timer_list
InaccessiblePaths=-/proc/timer_stats
InaccessiblePaths=-/selinux
InaccessiblePaths=-/sys/firmware
InaccessiblePaths=-/sys/fs
InaccessiblePaths=-/sys/hypervisor
#InaccessiblePaths=-/sys/kernel/debug
#InaccessiblePaths=-/sys/kernel/uevent_helper
#InaccessiblePaths=-/sys/kernel/vmcoreinfo
#InaccessiblePaths=-/sys/module
InaccessiblePaths=-/sys/power
#InaccessiblePaths=-/usr/lib/debug
InaccessiblePaths=-/usr/src/linux
```
Hi, thanks for the detailed follow-up! I looked into the kernel you're using, and it looks like this may be the reason: in this commit they removed the line CONFIG_BPF_EVENTS=y from linux-cachyos-tt/config (they also changed a couple of other BPF things, not sure if those matter as well). However, it looks like it is still enabled in their linux-cachyos-rc kernel, so you may be able to try using that.

Also, as for the default SUDO_UID=1000, I may have a nicer solution for that shortly by using listdir("/home") and getting the UID from the user name. Right now `picosnitch systemd` can also regenerate the service file with the correct UID. AFAIK, this is the simplest way to set the DBUS_SESSION_BUS_ADDRESS to create desktop notifications (and provide a systemd service file for people who install from PyPI, but that command also works for the AUR and PPA). And thanks for providing your hardening config so far!
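A quick way to confirm the root cause described above on your own machine, as an added example that is not picosnitch code or anything posted in this thread: the script reads the running kernel's config and reports the BPF build options. Only CONFIG_BPF_EVENTS is named in the thread; the other options it checks are an assumption about what BCC-based tracing needs.

```shell
#!/bin/sh
# Added example, not from the picosnitch project or the thread: report whether the
# running kernel carries the BPF build options that BCC-based tracing relies on.
# The config is read from /proc/config.gz (needs CONFIG_IKCONFIG_PROC) or from
# /boot/config-$(uname -r); each option is reported as y, m, n or missing.

# Print the value of one CONFIG_ option from config text given as a string.
# Args: $1 = config text, $2 = option name. Prints y, m, n or "missing".
config_value() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        $0 == (opt "=y")                { print "y"; found = 1; exit }
        $0 == (opt "=m")                { print "m"; found = 1; exit }
        $0 == ("# " opt " is not set")  { print "n"; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Print the config of the running kernel from the usual locations, or fail.
load_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Report every option in the list; succeed only if all are built in (=y).
# Args: $1 = config text, remaining args = option names.
check_bpf_options() {
    cfg=$1; shift; rc=0
    for opt in "$@"; do
        val=$(config_value "$cfg" "$opt")
        printf '%-24s %s\n' "$opt" "$val"
        [ "$val" = "y" ] || rc=1
    done
    return "$rc"
}

# Constructed sample mirroring the regression in the thread: BPF_EVENTS dropped.
SAMPLE_CONFIG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_BPF_EVENTS is not set
CONFIG_KPROBES=y'

# Check the running kernel; options other than CONFIG_BPF_EVENTS are assumed, not from the thread.
if cfg=$(load_kernel_config); then
    check_bpf_options "$cfg" CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_EVENTS CONFIG_KPROBES \
        || echo "kernel lacks a BPF option picosnitch needs; see the thread above"
fi
```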
> I looked into the kernel you're using, and it looks like this may be the reason, in this commit they removed the line CONFIG_BPF_EVENTS=y from linux-cachyos-tt/config
Thank you kindly for the great detective work! I'll contact the cachyos team about those BPF changes. It's a bit unusual for them to change kernel configs in between minor versioned kernel updates, but I can always patch those out and build their kernel myself. I was mainly looking for a nicely behaving CPU scheduler after MuQSS development halted anyway. The TT worked best on my old laptop, but I'll check out RC too.
I've seen your fix for the hardcoded SUDO_UID=1000, so thanks for that too :-)
> AFAIK, this is the simplest way to set the DBUS_SESSION_BUS_ADDRESS to create desktop notifications
I've been gathering info on whether it would be possible to run picosnitch with an unprivileged (systemd) user instead of running the service as root (and having root-owned, world-readable files in ${HOME}/.config/picosnitch). Even though I think this is doable using Linux capabilities and/or PAM, it's too early to go into that here, as it would imply a larger overhaul to picosnitch as is. But during that research I've stumbled onto systembus-notify and a Python implementation of the same idea here. Just an FYI.
Thanks again for this very interesting project. All the best and enjoy a safe and pleasant end-of-year holiday season!
You're welcome! Thank you and happy holidays!
> I've been gathering info on whether it would be possible to run picosnitch with an unprivileged (systemd) user instead of running the service as root (and having root-owned, world-readable files in ${HOME}/.config/picosnitch). Even though I think this is doable using Linux capabilities and/or PAM, it's too early to go into that here, as it would imply a larger overhaul to picosnitch as is.
Yep, that would probably be a lot of work, if it's doable (don't have the time to look into it myself). After my most recent overhauls though (0.5 and 0.6) and finally getting it into a state that I'd say is feature complete (0.7), my plan now (0.8+) is to mainly focus on just fixing things related to reliability and performance, and improving usability.
The kind folks at CachyOS have reverted some of their BPF-related kernel config options. My picosnitch is back on track, so I'll close this. Thanks again for your input.