dnsdist: The eBPF code requires CAP_SYS_ADMIN on recent kernels #14279

Open
2 of 3 tasks
rgacogne opened this issue Jun 4, 2024 · 0 comments
rgacogne (Member) commented Jun 4, 2024

  • Program: dnsdist
  • Issue type: Bug report

Short description

We used to be able to run our eBPF socket filtering code with CAP_BPF, but the eBPF verifier has been made more strict in recent kernels and our existing code now requires CAP_SYS_ADMIN, failing with "attempt to corrupt spilled pointer on stack" otherwise.
Note that some distributions have already backported the more strict verifier to "stable" kernels.

For now the work-around is simple: we need to keep CAP_SYS_ADMIN instead of CAP_BPF. I'll edit the documentation and our systemd unit file shortly.
Then we need to figure out if we can write eBPF code that does not generate such an issue. I tried re-generating the code with a recent version of LLVM (17.0.6) but it did not help. I also tried eliminating the offending code by hand, but there are at least two other occurrences triggering the issue and one of them seems quite hard to fix.

Action points for me:
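A practical check for the work-around described above, as an added example that is not part of dnsdist or of this report: decode the effective capability mask of a running process (the CapEff line of /proc/<pid>/status) and report whether it still carries CAP_SYS_ADMIN, has only CAP_BPF, or neither. The capability bit numbers (CAP_SYS_ADMIN = 21, CAP_BPF = 39) are the kernel's own from linux/capability.h; the function names and the constructed sample masks are this example's assumptions.

```shell
#!/bin/sh
# Added example (not dnsdist code): decode a process's effective capability
# mask (the CapEff line of /proc/<pid>/status) and report whether it carries
# CAP_SYS_ADMIN, only CAP_BPF, or neither. Bit numbers are the kernel's
# (include/uapi/linux/capability.h).
CAP_SYS_ADMIN=21
CAP_BPF=39

# has_cap HEXMASK BITNUMBER: succeed if the given bit is set in the mask.
has_cap() {
    [ -n "$1" ] || return 2
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# classify_mask HEXMASK: print sys_admin, bpf_only or none.
classify_mask() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo sys_admin
    elif has_cap "$1" "$CAP_BPF"; then
        echo bpf_only
    else
        echo none
    fi
}

# cap_eff_of STATUSFILE: extract the hex CapEff mask from a status file.
cap_eff_of() {
    sed -n 's/^CapEff:[[:space:]]*//p' "$1"
}

# check_bpf_caps STATUSFILE: classify the process the status file describes;
# prints "unknown" when no CapEff line is present.
check_bpf_caps() {
    mask=$(cap_eff_of "$1")
    if [ -z "$mask" ]; then
        echo unknown
    else
        classify_mask "$mask"
    fi
}

# Live use (as root or as the user dnsdist runs as):
#   check_bpf_caps "/proc/$(pidof dnsdist)/status"
# Offline demonstration on constructed masks (bit 21, bit 39, bit 10 only):
for m in 0000000000200000 0000008000000000 0000000000000400; do
    echo "CapEff $m -> $(classify_mask "$m")"
done
```

Checking the running process rather than reading the unit file is deliberate: the verifier consults the loader's effective capability set, so a unit whose AmbientCapabilities or CapabilityBoundingSet lost CAP_SYS_ADMIN shows up here as bpf_only even though the service still starts.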
