
check CAP_BPF should use bit shift #714

Closed
hengyoush opened this issue Jan 3, 2025 · 5 comments · Fixed by #715
Labels
🐞 bug Something isn't working

Comments

@hengyoush
Contributor

Describe the bug
Current code:

package main

import (
	"fmt"

	"golang.org/x/sys/unix"
)

func detectBpfCap() error {
	// BPF permission check
	hdr := unix.CapUserHeader{Version: unix.LINUX_CAPABILITY_VERSION_3}
	var data [2]unix.CapUserData // why 2? pls check https://github.com/golang/go/issues/44312
	err := unix.Capget(&hdr, &data[0])
	if err != nil {
		return fmt.Errorf("failed to get the capabilities of the current process: %v", err)
	}
	haveBpfCap := data[0].Permitted&unix.CAP_BPF != 0
	if !haveBpfCap {
		return fmt.Errorf("the current user does not have CAP_BPF to load bpf programs. Please run as root or use sudo or add the --privileged=true flag for Docker.")
	}
	return nil
}

It uses haveBpfCap := data[0].Permitted&unix.CAP_BPF != 0 .
But according to the Linux man pages, https://man7.org/linux/man-pages/man2/capset.2.html:

Note that the CAP_* values are bit indexes and need to be bit-shifted before ORing into the bit fields.

It should change to haveBpfCap := data[0].Permitted&(1<<unix.CAP_BPF) != 0.

If this is indeed a mistake, I can submit a PR to fix it.


dosubot bot commented Jan 3, 2025

The current implementation haveBpfCap := data[0].Permitted&unix.CAP_BPF != 0 is incorrect because CAP_* values are bit indexes and should be bit-shifted before being used in bitwise operations. The correct implementation should be haveBpfCap := data[0].Permitted&(1<<unix.CAP_BPF) != 0, as per the Linux man pages [1].


@dosubot dosubot bot added the 🐞 bug Something isn't working label Jan 3, 2025
@Asphaltt
Member

Asphaltt commented Jan 3, 2025

If this is indeed a mistake, i can submit a pr to fix it.

Indeed. Pls send a PR to fix it.

https://github.com/torvalds/linux/blob/0bc21e701a6ffacfdde7f04f87d664d82e8a13bf/include/uapi/linux/capability.h#L383-L412

If CAP_BPF is not available, pls check CAP_SYS_ADMIN instead.

@hengyoush
Contributor Author

Okay, I will send a PR later today.

@Asphaltt
Member

Asphaltt commented Jan 3, 2025

More hints for you:

static inline bool bpf_capable(void)
{
	return capable(CAP_BPF) || capable(CAP_SYS_ADMIN);
}

From commit torvalds/linux@a17b53c ("bpf, capability: Introduce CAP_BPF") v5.8 kernel.

@Asphaltt
Member

Asphaltt commented Jan 3, 2025

The way to check whether CAP_BPF is available is to read /proc/sys/kernel/cap_last_cap.
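Putting the thread's three points together (CAP_* values are bit indexes, fall back to CAP_SYS_ADMIN, read cap_last_cap), here is an added, stand-alone Go example that is not part of the project's code or of any comment above. It calls capget(2) directly through the syscall package with hand-mirrored copies of the kernel's __user_cap_header_struct and __user_cap_data_struct (named capUserHeader and capUserData here; these names and the helper names are this example's own), so it needs only the standard library and Linux. Two details the one-line fix alone does not show: with _LINUX_CAPABILITY_VERSION_3 the 64-bit capability sets are split across the two u32 entries of the data array, so CAP_BPF (index 39) is bit 7 of data[1], and the helper therefore indexes by cap/32 and cap%32 so the same check works for every capability number; and the kernel's capable() tests the effective set, which is what is checked here. buggyCapBPFCheck reproduces the original mask-style test so the false positive it produces can be seen.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strconv"
	"syscall"
	"unsafe"
)

// Capability numbers from include/uapi/linux/capability.h. They are bit
// indexes into a 64-bit set, not masks.
const (
	capSysAdmin = 21
	capBPF      = 39         // introduced in v5.8
	capVersion3 = 0x20080522 // _LINUX_CAPABILITY_VERSION_3
)

// Mirrors of __user_cap_header_struct and __user_cap_data_struct (example's own names).
type capUserHeader struct {
	Version uint32
	Pid     int32
}

type capUserData struct {
	Effective   uint32
	Permitted   uint32
	Inheritable uint32
}

// capBitSet reports whether capability index capIdx is present in a v3 set:
// words[0] holds capabilities 0..31, words[1] holds 32..63, so CAP_BPF (39)
// is bit 7 of words[1].
func capBitSet(words [2]uint32, capIdx uint) bool {
	if capIdx >= 64 {
		return false
	}
	return words[capIdx/32]&(1<<(capIdx%32)) != 0
}

// buggyCapBPFCheck reproduces the check from the report: CAP_BPF used as a
// mask. 39 = 0b100111, so this really tests bits 0, 1, 2 and 5
// (CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_KILL).
func buggyCapBPFCheck(words [2]uint32) bool {
	return words[0]&capBPF != 0
}

// effectiveCaps returns the calling thread's effective set via capget(2);
// the effective set is what the kernel's capable() consults.
func effectiveCaps() ([2]uint32, error) {
	hdr := capUserHeader{Version: capVersion3}
	var data [2]capUserData // v3 fills two entries; see golang/go#44312
	_, _, errno := syscall.Syscall(syscall.SYS_CAPGET,
		uintptr(unsafe.Pointer(&hdr)), uintptr(unsafe.Pointer(&data[0])), 0)
	if errno != 0 {
		return [2]uint32{}, fmt.Errorf("capget: %w", errno)
	}
	return [2]uint32{data[0].Effective, data[1].Effective}, nil
}

// parseLastCap parses the contents of /proc/sys/kernel/cap_last_cap, the
// highest capability number the running kernel knows.
func parseLastCap(raw []byte) (uint, error) {
	n, err := strconv.ParseUint(string(bytes.TrimSpace(raw)), 10, 8)
	if err != nil {
		return 0, fmt.Errorf("cap_last_cap: %w", err)
	}
	return uint(n), nil
}

// requiredCap names what to ask the user for: CAP_BPF where the kernel has it,
// CAP_SYS_ADMIN on older kernels.
func requiredCap(lastCap uint) string {
	if lastCap >= capBPF {
		return "CAP_BPF"
	}
	return "CAP_SYS_ADMIN"
}

// bpfCapable mirrors the kernel's bpf_capable(): capable(CAP_BPF) || capable(CAP_SYS_ADMIN).
// On a pre-5.8 kernel bit 39 is never set, so the fallback covers it automatically.
func bpfCapable(eff [2]uint32) bool {
	return capBitSet(eff, capBPF) || capBitSet(eff, capSysAdmin)
}

// detectBpfCap is the corrected form of the check in the report.
func detectBpfCap() error {
	eff, err := effectiveCaps()
	if err != nil {
		return fmt.Errorf("failed to get the capabilities of the current process: %w", err)
	}
	if bpfCapable(eff) {
		return nil
	}
	lastCap := uint(capSysAdmin) // conservative default if cap_last_cap is unreadable
	if raw, err := os.ReadFile("/proc/sys/kernel/cap_last_cap"); err == nil {
		if n, perr := parseLastCap(raw); perr == nil {
			lastCap = n
		}
	}
	return fmt.Errorf("the current process lacks %s, which is needed to load BPF programs; run as root or grant that capability", requiredCap(lastCap))
}

func main() {
	if err := detectBpfCap(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("BPF capability check passed")
}
```

Run it once as an unprivileged user and once under sudo to see both branches; a set containing only CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH and CAP_KILL (words[0] == 39) is the case where the mask-style check says yes and the bit-index check correctly says no.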
