Bug #6933

dpdk: landlock support

Added by Victor Julien 9 months ago. Updated 9 months ago.

Status:
New
Priority:
Normal

Description

Not sure if this is a doc issue or a bug. Trying to enable landlock with dpdk in IDS mode, but getting stuck.

Testing with:

security:
  # if true, prevents process creation from Suricata by calling
  # setrlimit(RLIMIT_NPROC, 0)
  limit-noproc: true
  # Use landlock security module under Linux
  landlock:
    enabled: yes
    directories:
      write:
        - /var/run/
        - /dev/hugepages/mm
        - /dev/hugepages
        - /proc/self/task
      # /usr and /etc folders are added to read list to allow
      # file magic to be used.
      read:
        - /proc
        - /usr/
        - /etc/
        - /etc/suricata/
        - /sys/
        - /sys/devices/system/
        - /dev/hugepages
        - /sys/kernel/mm/hugepages/
        - /var/lib/suricata/
        - /var/run/dpdk/

and:

dpdk:
  eal-params:
    proc-type: primary

  # DPDK capture support
  # RX queues (and TX queues in IPS mode) are assigned to cores in 1:1 ratio
  interfaces:
    - interface: 0000:01:00.0
    - interface: default
      interrupt-mode: true
      threads: 6
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
      rss-hash-functions: auto
      mempool-size: 65535
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none

Suricata fails with:

sudo ./src/suricata -c dpdk-ids.yaml --dpdk --disable-detection -vv
Notice: suricata: This is Suricata version 7.0.5-dev (65e1c37913 2024-04-09) running in SYSTEM mode [LogVersion:suricata.c:1146]
Info: cpu: CPUs/cores online: 8 [UtilCpuPrintSummary:util-cpu.c:182]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2682]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:200]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:617]
Warning: runmodes: No output module named eve-log.arp [RunModeInitializeEveOutput:runmodes.c:747]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:617]
Info: conf: Running in live mode, activating unix socket [ConfUnixSocketIsEnable:util-conf.c:154]
Error: landlock: Can't open /var/run/suricata/ [LandlockSandboxingAddRule:util-landlock.c:144]
Error: landlock: Can't open /var/lib/suricata/rules [LandlockSandboxingAddRule:util-landlock.c:144]
Error: landlock: Can't open /var/lib/suricata/ [LandlockSandboxingAddRule:util-landlock.c:144]
Error: landlock: Can't open /dev/hugepages/mm [LandlockSandboxingAddRule:util-landlock.c:144]
mlx5_common: Failed to open IB device "rocep1s0f0".
mlx5_common: Failed to initialize device context.
EAL: Requested device 0000:01:00.0 cannot be used
mlx5_common: Failed to open IB device "rocep1s0f1".
mlx5_common: Failed to initialize device context.
EAL: Requested device 0000:01:00.1 cannot be used
TELEMETRY: No legacy callbacks, legacy socket not created
Error: dpdk: Interface "0000:01:00.0": No such device [ConfigSetIface:runmode-dpdk.c:352]

With strace -Z:

openat(AT_FDCWD, "/dev/dsa", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/sys/bus/vmbus/devices", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/sys/bus/pci/devices/0000:00:00.0/iommu/intel-iommu/cap", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/sys/devices/platform/soc/soc:fsl,dpaa", F_OK) = -1 ENOENT (No such file or directory)
access("/sys/devices/platform/fsl,dpaa", F_OK) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/sys/module/vfio", 0x7ffd7fbc9a00, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/cpu/0/msr", O_RDONLY) = -1 EACCES (Permission denied)
newfstatat(AT_FDCWD, "/dev/hugepages/rtemap_0", 0x7ffd7fbc8380, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/infiniband/uverbs0", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/infiniband/uverbs0", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
mlx5_common: Failed to open IB device "rocep1s0f0".
mlx5_common: Failed to initialize device context.
EAL: Requested device 0000:01:00.0 cannot be used
openat(AT_FDCWD, "/dev/infiniband/uverbs1", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:193", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:193", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/infiniband/uverbs1", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:193", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:193", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
mlx5_common: Failed to open IB device "rocep1s0f1".
mlx5_common: Failed to initialize device context.
EAL: Requested device 0000:01:00.1 cannot be used
newfstatat(AT_FDCWD, "/sys/module/vfio", 0x7ffd7fbc9a10, 0) = -1 ENOENT (No such file or directory)
flock(50, LOCK_EX|LOCK_NB)              = -1 EAGAIN (Resource temporarily unavailable)
flock(50, LOCK_EX|LOCK_NB)              = -1 EAGAIN (Resource temporarily unavailable)
flock(50, LOCK_EX|LOCK_NB)              = -1 EAGAIN (Resource temporarily unavailable)
flock(50, LOCK_EX|LOCK_NB)              = -1 EAGAIN (Resource temporarily unavailable)
flock(50, LOCK_EX|LOCK_NB)              = -1 EAGAIN (Resource temporarily unavailable)
TELEMETRY: No legacy callbacks, legacy socket not created
Error: dpdk: Interface "0000:01:00.0": No such device [ConfigSetIface:runmode-dpdk.c:352]
+++ exited with 1 +++

It seems at least the /dev/char/ path needs adding, but even if it is part of read and write it doesn't seem to make a difference. Maybe O_CLOEXEC is relevant here.


Related issues (1 open, 0 closed)

Related to Suricata - Feature #6936: landlock: enable by default (New, OISF Dev)

#1

Updated by Victor Julien 9 months ago

Maybe it's unrelated to dpdk. Trying to address this when using af-packet:

openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

By adding the path to the "read" section:

security:
  # if true, prevents process creation from Suricata by calling
  # setrlimit(RLIMIT_NPROC, 0)
  limit-noproc: true
  # Use landlock security module under Linux
  landlock:
    enabled: yes
    directories:
      write:
        #- /var/run/
      # /usr and /etc folders are added to read list to allow
      # file magic to be used.
      read:
        - /sys/devices/system/cpu/online
        - /etc/magic
        - /etc/magic.mime
        - /etc/suricata/
        - /var/lib/suricata/
        - /usr/share/misc/magic

But it gives an error when loading the landlock config:

openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC|O_PATH|O_DIRECTORY) = -1 ENOTDIR (Not a directory)
Error: landlock: Can't open /sys/devices/system/cpu/online [LandlockSandboxingAddRule:util-landlock.c:144]

Guess I can only add directories, not files?

#2

Updated by Victor Julien 9 months ago

Ok, yes, specifying only /sys/devices/system/cpu/ works.
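Added example (not Suricata's own code, not from the ticket author): a small checker that applies the two findings above. It reads `strace -Z` lines in the shape shown in this ticket, reports the EACCES paths that no entry in the landlock read/write lists covers, and flags list entries that are not directories, since Suricata opens each entry with O_PATH|O_DIRECTORY. It assumes a write entry also grants read access; the sample trace lines and lists are copied from the configs and output in the description.

```python
"""Check a Suricata landlock directory list against strace -Z output."""
import os
import re
from pathlib import PurePosixPath

# Failed path-taking syscalls as strace prints them (shape taken from the ticket).
STRACE_RE = re.compile(r'^\w+\((?:AT_FDCWD, )?"([^"]+)", ([^)]*)\)\s*=\s*-1\s+(E[A-Z]+)')

# Constructed sample: lines copied from the ticket's strace output.
SAMPLE_STRACE = """\
openat(AT_FDCWD, "/dev/dsa", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/dev/cpu/0/msr", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/infiniband/uverbs0", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/dev/char/231:192", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
""".splitlines()
# The read/write lists from the ticket's first config.
READ_DIRS = ["/proc", "/usr/", "/etc/", "/sys/", "/sys/devices/system/",
             "/dev/hugepages", "/var/lib/suricata/", "/var/run/dpdk/"]
WRITE_DIRS = ["/var/run/", "/dev/hugepages", "/proc/self/task"]

def parse_failures(lines):
    """Yield (path, flags, errno) for every failed syscall that names a path."""
    for line in lines:
        m = STRACE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def covered_by(path, dirs):
    """True if path is one of the directories or lies beneath one of them."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(d) or PurePosixPath(d) in p.parents for d in dirs)

def uncovered_eacces(lines, read_dirs, write_dirs):
    """Denied paths no landlock entry covers, with the access kind they need.
    ENOENT lines are hardware/feature probes, not sandbox denials, so they are skipped.
    Assumption: a write entry also grants read, so reads may match either list."""
    missing = []
    for path, flags, err in parse_failures(lines):
        if err != "EACCES":
            continue
        wants_write = "O_RDWR" in flags or "O_WRONLY" in flags
        kind = "write" if wants_write else "read"
        dirs = write_dirs if wants_write else read_dirs + write_dirs
        if not covered_by(path, dirs) and (path, kind) not in missing:
            missing.append((path, kind))
    return missing

def non_directory_entries(entries, isdir=os.path.isdir):
    """Entries Suricata would refuse: each is opened with O_PATH|O_DIRECTORY (comment #1)."""
    return [e for e in entries if not isdir(e)]

if __name__ == "__main__":
    for path, kind in uncovered_eacces(SAMPLE_STRACE, READ_DIRS, WRITE_DIRS):
        print(f"no landlock {kind} entry covers {path}")
```

Run it on a full `strace -f -Z` capture of the real process and the live config to see which device directories the sandbox is denying before editing the list.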

#3

Updated by Victor Julien 9 months ago
