BPF_PROG_LOAD of "sys_exit" fails with EINVAL #3443

Closed
dcoppa opened this issue Jan 8, 2025 · 4 comments

dcoppa commented Jan 8, 2025

Describe the bug

Running Falco fails with:

[libs]: libbpf: prog 'sys_exit': BPF program load failed: Invalid argument
[libs]: libbpf: prog 'sys_exit': failed to load: -22
[libs]: libbpf: failed to load object 'bpf_probe'
[libs]: libbpf: failed to load BPF skeleton 'bpf_probe': -22
[libs]: libpman: failed to load BPF object (errno: 22 | message: Invalid argument)
An error occurred in an event source, forcing termination...
Stopping capture for event source 'syscall'

How to reproduce it

Running Falco, both as a pod on Kubernetes and from the command line (falco -c ./falco.yaml -r ./falco_rules.yaml) on one of the worker nodes.

Expected behaviour

Falco works.

Screenshots

Environment

  • Falco version:

Falco version: 0.39.2
Libs version: 0.18.2
Plugin API: 3.7.0
Engine: 0.43.0
Driver:
API version: 8.0.0
Schema version: 2.0.0
Default driver: 7.3.0+driver

  • System info:

{
"machine": "x86_64",
"nodename": "kcoplane",
"release": "6.12.8-artix1-1",
"sysname": "Linux",
"version": "#1 SMP PREEMPT_DYNAMIC Fri, 03 Jan 2025 16:31:28 +0000"
}

  • Cloud provider or hardware configuration:

QEMU/KVM virtual hardware

  • OS:

NAME="Artix Linux"
PRETTY_NAME="Artix Linux"
ID=artix
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://artixlinux.org/"
DOCUMENTATION_URL="https://wiki.artixlinux.org/"
SUPPORT_URL="https://forum.artixlinux.org/"
BUG_REPORT_URL="https://bugs.artixlinux.org/"
PRIVACY_POLICY_URL="https://terms.artixlinux.org/docs/privacy-policy/"
LOGO=artixlinux-logo

  • Kernel:

Linux kcoplane 6.12.8-artix1-1 #1 SMP PREEMPT_DYNAMIC Fri, 03 Jan 2025 16:31:28 +0000 x86_64 GNU/Linux

  • Installation method:

Kubernetes and from source

Additional context

I've attached the debug log and the output of strace.
falco-strace.log
falco-debug.log

@dcoppa dcoppa added the kind/bug label Jan 8, 2025
@Andreagit97 Andreagit97 self-assigned this Jan 8, 2025

Andreagit97 (Member) commented Jan 8, 2025

Hey @dcoppa, this will be solved by Falco 0.40.0 and should already be solved in the Falco master branch. See the fix here: falcosecurity/libs#2172

dcoppa (Author) commented Jan 8, 2025

Indeed, compiling from master produces a working binary.
Thanks a lot for your answer!

FedeDP (Contributor) commented Jan 10, 2025

/milestone 0.40.0
/close

poiana (Contributor) commented Jan 10, 2025

@FedeDP: Closing this issue.


@poiana poiana closed this as completed Jan 10, 2025
@poiana poiana added this to the 0.40.0 milestone Jan 10, 2025