Bug #6933
opendpdk: landlock support
Description
Not sure if this is a doc issue or a bug. Trying to enable landlock with dpdk in IDS mode, but getting stuck.
Testing with:
security:
  # if true, prevents process creation from Suricata by calling
  # setrlimit(RLIMIT_NPROC, 0)
  limit-noproc: true
  # Use landlock security module under Linux
  landlock:
    enabled: yes
    directories:
      write:
        - /var/run/
        - /dev/hugepages/mm
        - /dev/hugepages
        - /proc/self/task
      # /usr and /etc folders are added to read list to allow
      # file magic to be used.
      read:
        - /proc
        - /usr/
        - /etc/
        - /etc/suricata/
        - /sys/
        - /sys/devices/system/
        - /dev/hugepages
        - /sys/kernel/mm/hugepages/
        - /var/lib/suricata/
        - /var/run/dpdk/
and
dpdk:
  eal-params:
    proc-type: primary
  # DPDK capture support
  # RX queues (and TX queues in IPS mode) are assigned to cores in 1:1 ratio
  interfaces:
    - interface: 0000:01:00.0
    - interface: default
      interrupt-mode: true
      threads: 6
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
      rss-hash-functions: auto
      mempool-size: 65535
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none
Suricata fails with:
sudo ./src/suricata -c dpdk-ids.yaml --dpdk --disable-detection -vv
Notice: suricata: This is Suricata version 7.0.5-dev (65e1c37913 2024-04-09) running in SYSTEM mode [LogVersion:suricata.c:1146]
Info: cpu: CPUs/cores online: 8 [UtilCpuPrintSummary:util-cpu.c:182]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2682]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:200]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:617]
Warning: runmodes: No output module named eve-log.arp [RunModeInitializeEveOutput:runmodes.c:747]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: conf: Running in live mode, activating unix socket [ConfUnixSocketIsEnable:util-conf.c:154]
Error: landlock: Can't open /var/run/suricata/ [LandlockSandboxingAddRule:util-landlock.c:144]
Error: landlock: Can't open /var/lib/suricata/rules [LandlockSandboxingAddRule:util-landlock.c:144]
Error: landlock: Can't open /var/lib/suricata/ [LandlockSandboxingAddRule:util-landlock.c:144]
Error: landlock: Can't open /dev/hugepages/mm [LandlockSandboxingAddRule:util-landlock.c:144]
mlx5_common: Failed to open IB device "rocep1s0f0".
mlx5_common: Failed to initialize device context.
EAL: Requested device 0000:01:00.0 cannot be used
mlx5_common: Failed to open IB device "rocep1s0f1".
mlx5_common: Failed to initialize device context.
EAL: Requested device 0000:01:00.1 cannot be used
TELEMETRY: No legacy callbacks, legacy socket not created
Error: dpdk: Interface "0000:01:00.0": No such device [ConfigSetIface:runmode-dpdk.c:352]
With strace -Z:
openat(AT_FDCWD, "/dev/dsa", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/sys/bus/vmbus/devices", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/sys/bus/pci/devices/0000:00:00.0/iommu/intel-iommu/cap", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/sys/devices/platform/soc/soc:fsl,dpaa", F_OK) = -1 ENOENT (No such file or directory)
access("/sys/devices/platform/fsl,dpaa", F_OK) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/sys/module/vfio", 0x7ffd7fbc9a00, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/cpu/0/msr", O_RDONLY) = -1 EACCES (Permission denied)
newfstatat(AT_FDCWD, "/dev/hugepages/rtemap_0", 0x7ffd7fbc8380, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/infiniband/uverbs0", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/infiniband/uverbs0", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
mlx5_common: Failed to open IB device "rocep1s0f0".
mlx5_common: Failed to initialize device context.
EAL: Requested device 0000:01:00.0 cannot be used
openat(AT_FDCWD, "/dev/infiniband/uverbs1", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:193", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:193", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/infiniband/uverbs1", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:193", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:193", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
mlx5_common: Failed to open IB device "rocep1s0f1".
mlx5_common: Failed to initialize device context.
EAL: Requested device 0000:01:00.1 cannot be used
newfstatat(AT_FDCWD, "/sys/module/vfio", 0x7ffd7fbc9a10, 0) = -1 ENOENT (No such file or directory)
flock(50, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
flock(50, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
flock(50, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
flock(50, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
flock(50, LOCK_EX|LOCK_NB) = -1 EAGAIN (Resource temporarily unavailable)
TELEMETRY: No legacy callbacks, legacy socket not created
Error: dpdk: Interface "0000:01:00.0": No such device [ConfigSetIface:runmode-dpdk.c:352]
+++ exited with 1 +++
It seems at least the /dev/char/ path needs adding, but even if it is part of read and write it doesn't seem to make a difference. Maybe O_CLOEXEC is relevant here.
Updated by Victor Julien 9 months ago
Maybe it's unrelated to dpdk. Trying to address this when using af-packet:
openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
By adding the path to the "read" section:
security:
  # if true, prevents process creation from Suricata by calling
  # setrlimit(RLIMIT_NPROC, 0)
  limit-noproc: true
  # Use landlock security module under Linux
  landlock:
    enabled: yes
    directories:
      write:
        #- /var/run/
      # /usr and /etc folders are added to read list to allow
      # file magic to be used.
      read:
        - /sys/devices/system/cpu/online
        - /etc/magic
        - /etc/magic.mime
        - /etc/suricata/
        - /var/lib/suricata/
        - /usr/share/misc/magic
But it gives an error when loading the landlock config:
openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC|O_PATH|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
Error: landlock: Can't open /sys/devices/system/cpu/online [LandlockSandboxingAddRule:util-landlock.c:144]
Guess I can only add directories, not files?
Updated by Victor Julien 9 months ago
Ok, yes, specifying only /sys/devices/system/cpu/ works.
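A pre-flight check for the constraint this thread establishes: every entry under landlock directories must be an existing directory, because Suricata opens each one with O_PATH|O_DIRECTORY and a file fails with ENOTDIR while a missing path fails with ENOENT. This is an added example, not Suricata's own code; the sample list is constructed from the ticket's config and is staged under a temporary root so the check runs on any machine.

```python
import errno
import os
import tempfile

# Constructed sample modelled on the landlock section in this ticket (not the
# reporter's full suricata.yaml); every path is resolved below a staging root.
SAMPLE_DIRECTORIES = {
    "write": ["/var/run/", "/dev/hugepages/mm"],
    "read": ["/sys/devices/system/cpu/online", "/etc/suricata/", "/var/lib/suricata/"],
}

def check_landlock_entry(path):
    """Mirror what LandlockSandboxingAddRule's open(O_PATH|O_DIRECTORY) would
    return: ENOENT for a missing path, ENOTDIR for a regular file, else 'ok'."""
    if not os.path.lexists(path):
        return errno.errorcode[errno.ENOENT]
    if not os.path.isdir(path):
        return errno.errorcode[errno.ENOTDIR]
    return "ok"

def check_landlock_config(directories, root=""):
    """Return (section, path, errno name, hint) for each entry that would make
    Suricata log "landlock: Can't open <path>"; `root` lets the check run
    against a staged tree instead of the live filesystem."""
    problems = []
    for section in ("write", "read"):
        for path in directories.get(section, []):
            real = os.path.join(root, path.lstrip("/")) if root else path
            status = check_landlock_entry(real)
            if status == "ENOTDIR":
                # Files cannot be listed; allow the containing directory instead.
                hint = "use " + os.path.dirname(path.rstrip("/")) + "/ instead"
            elif status == "ENOENT":
                hint = "create the directory before starting or drop the entry"
            else:
                continue
            problems.append((section, path, status, hint))
    return problems

def demo():
    """Stage a throwaway tree reproducing the ticket: cpu/online is a file,
    /dev/hugepages/mm is absent, the remaining entries are directories."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("var/run", "etc/suricata", "var/lib/suricata", "sys/devices/system/cpu"):
            os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, "sys/devices/system/cpu/online"), "w") as f:
            f.write("0-7\n")  # constructed content; the real file lists online CPUs
        return check_landlock_config(SAMPLE_DIRECTORIES, root)
```

Run check_landlock_config(cfg["security"]["landlock"]["directories"]) with no root against a parsed suricata.yaml to lint the live host before enabling the sandbox.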
Updated by Victor Julien 9 months ago
- Related to Feature #6936: landlock: enable by default added