-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
systemd[1]: bpf-lsm: Failed to load BPF object: No such process #93
Comments
I haven't taken the time to look into that yet. I'm also running into this on my custom kernel config, which is a zen-kernel with hardened patches applied. I'm having a feeling it's the case of an unset kernel config option. Next time I'll build my kernel I'll make sure to set those BPF options and report back if needed. |
Another potential clue: under https://wiki.archlinux.org/title/Security#Kernel_lockdown_mode it says:
i don't think integrity mode is set by default though, when I saw that I was running linux-hardened and integrity mode was off |
It is not, but it would explain why it's not working on my machine, since I use |
While I cannot specifically recall what if any other changes elsewhere may result in similar breakage the main issue is most likely your config having
As indicated by your logs this is something SystemD wants but does not explicitly need, that's because it's used to implement the That said unlike some other situations these will be silent failures should they occur so I would suggest confirming their functionality with your current configuration via simple service units if this is of particular concern to you. For reference this document can give you some idea of what kernel functionality SystemD depends on, though as is often the case with such things it's likely not all encompassing: |
Interesting, that's good to know. Even if RestrictFileSystems is a relatively minor feature, it seems like linux-hardened would want to enable it if it can improve hardening? Especially considering that the default kernel enables it, unless there's some other tradeoff I'm not aware of? |
Unfortunately it's complicated and I'm woefully unfit to offer any meaningful insight on the hardening significance of those changes which will vary depending on your particular threat model. Regardless these are things you'll see recommended against commonly in various places, particularly based on the references used by this project: https://github.com/a13xp0p0v/kernel-hardening-checker While this is unrelated to SystemD here are some discussions that center around some of the aforementioned dependencies of BPF_LSM: lkrg-org/lkrg#27 (comment) Aside from that though this isn't a bug/issue in the linux-hardened project itself as it's not responsible for the configuration you're using, if you believe the decision to not support BPF_LSM by the maintainer of your system's linux-hardened package should be reconsidered that's something you'd have to handle via your distribution's communication channels for such things. |
Ah I see, I'll close this ticket and talk to the maintainer. Thanks for the insight! |
So I recently updated my kernel and config and did a bit of testing. I did enable the following:
And I also disabled kernel lockdown. And in this case systemd still gives me the error that there's no such process. |
What about |
|
Have you first confirmed that this is not also an issue when using the same kernel parameters (sysctl+cmdline) on your distro kernel, i.e. not linux-hardened? Your problem is most likely due to enforcing a lockdown mode considering relevant documentation suggestions and that the same message appears on machines of my own which are not running linux-hardened, but do include additional parameter hardening. Whether this results in bpf-lsm being unsupported is not something I've tested though doing so would require only a simple service unit to confirm. It's unlikely this issue is related to bpf-lsm being broken due to linux-hardened's patchset. |
I don't use lockdown on non-hardened kernels, so I haven't tested that configuration. I checked my sysctl list for anything that might be interfering with it, but no dice. I might be able to test an Arch VM with a regular kernel later and enabling lockdown, but to be honest my level of care for this is rapidly dwindling since I have more pressing issues to get to. (Like my kernel panicing very often with GVT-g.) If there's any interest in my current kernel config I can post it, but it's very specific to my own machine. |
Okay, upon briefly searching that error myself while I didn't see anything like a clearly relevant solution the following discussion makes mention of the error in passing, and reminded me of a time when I was seeking to source/resolve syslog messages which may have included yours: https://bugzilla.redhat.com/show_bug.cgi?id=2084955 The issue was due to initramfs generation failing to include the library file "libbpf.so" (or whatever your distro's versioned name of the library is) based on some set of circumstances. If you check the files in your initramfs do you see that such a file is included? Exactly what the impact of missing this during that stage of the boot process would have is uncertain to me, but I'd assume things would work fine afterwards assuming there is no other conflict. In my case with Fedora + dracut whatever the complaint I'd been looking at was resolved by installing the "dracut-network" package which happened to result in pulling in that library during initramfs generation, there are of course a number of ways to approach this depending on your preferences. Should this not be the cause of your issue then yes, attachments of any custom kernel parameters unless you mean you tested these by disabling them and booting with a freshly generated initramfs, as well as the configuration itself would greatly aid in preventing a game of twenty questions between yourself and anyone with a guess on the likely cause. |
For what it's worth, adding /usr/lib/libbpf.so to BINARIES or FILES in mkinitcpio.conf didn't work. lsinitcpio showed them, but the error persisted (they weren't there before adding them to BINARIES/FILES) |
If you haven't I would ensure that you include every reference to be sure, meaning both 32bit and 64bit versions, the symlinks, and actual files. For example on my current system which has no multilib support this is:
Honestly I'm a bit surprised that file exists with such a name on your system, if you confirmed that it does. I was not intending that as something to follow exactly, but to check your lib+lib64 directories for what the actual names would be as this will vary between distros, and when the relevant package was last updated. |
As you'd previously said you were on Arch, according to the latest package sources for libbpf following my suggestion would require:
That is assuming your system is fully updated as well as both the libbpf, and lib32-libbpf packages are installed - if you're on a multilib system, otherwise I'm not implying lib32-libbpf should be necessary. This can likely be narrowed down if it solves the issue, though you should start with everything to see if there's any difference. https://archlinux.org/packages/core/x86_64/libbpf/files/ If there's no improvement I'll test what is causing the message on my non linux-hardened systems and report back what I found. |
Yep, it automatically brought in the symlinked versions, I don't have the lib32 version installed |
That's unfortunate, I don't see any reason to believe installing lib32-libbpf would change anything. I'll report back my findings when time allows, so in the next 24-48hrs I should likely have something to say again. |
So unfortunately I have relatively little to add from the point of a non linux-hardened system. Starting from a base line of the test system these were the active custom parameter changes, excluding only sysctl's for networking by which I mean those that exist under either net/ipv4, and net/ipv6 on an updated Fedora 39 installation. [Kernel parameters] - sysctl's:
[Kernel parameters] - cmdline:
On this system with only some clearly unrelated, or duplicate messages removed these were what appeared when running
Installing "dracut-network" as referenced previously actually did nothing more than add an additional, earlier "bpf-lsm: Failed to load BPF object: Invalid argument" message to the syslog under any circumstances without the following lockdown changes despite including libbpf libraries which weren't there otherwise. In the end the only change which produced the desired results was either not using lockdown mode at all, or using
(when dracut-network was active in these scenarios it simply produced an additional "bpf-lsm: LSM BPF program attached") So suffice it to say that if upon a confirmation of If the kernel configuration possesses the settings I referenced here: #93 (comment) - thus far despite what was shared previously I have not seen a confirmation that either of the For reference a number of other commonly recommended parameter hardening settings are active by default in the current Fedora 39 kernel and therefore not explicitly included in my changes, but no more likely to be the source of this issue. |
This didn't work for me either.
Nit: Please don't use "all but" as it is a confusing idiom (even to some native speakers) and can easily be misconstrued to mean the opposite.
From a vanilla
Maybe relevant sysctl settings:
|
When I use linux-hardened on arch linux, the following error gets logged:
Mar 01 08:12:46 linux systemd[1]: bpf-lsm: Failed to load BPF object: No such process
Searching the logs for "bpf", I see:
Booting with the standard linux kernel, when I search the logs for "bpf" I find:
I found some discussion mentioning that linux-hardened had issues with bpf here systemd/systemd#27705. @RA-Kooi, you mentioned you'd look into why that is. Did you find anything?
The text was updated successfully, but these errors were encountered: