
At LPC I raised the observation that currently it doesn't seem
feasible to insert a BPF probe from within a container that sees
events happening outside of the container, while it is possible to
insert a kernel module.

It was suggested that this is not the case, and things should just work.
I wanted to get a minimal reproduction of what I've seen in Docker
containers, so if somebody could take a look, I'd appreciate any
comments on the right way of doing this.

The kprobe in question:
BCC's libbpf does the attach:

# Steps to reproduce
Build the bpf module & loader (generic binary targeting 4.16/x86_64 at
https://123-130035428-gh.circle-artifacts.com/0/ingraind ):
1. get a rust toolchain, musl-dev
2. git clone https://github.com/redsift/ingraind; cd ingraind; KERNEL_SOURCE=<path to src> cargo +nightly build --target=x86_64-unknown-linux-musl --release

## Run the BPF module without a sandbox
3. cat >config <<EOF
pipelines = ["console"]
type = "Files"
monitor_dirs = ["/"]

backend = "Console"
EOF
4. sudo ./target/x86_64-unknown-linux-musl/release/ingraind config
5. You can see that all VFS operations from the host are listed.
6. Kill the process with C-c

### Expectation
I get system-wide filesystem events through the VFS

### Reality
Meets the expectation

## Run BPF module from chroot
1. mkdir -p test/proc test/sys; cp ./target/x86_64-unknown-linux-musl/release/ingraind config test
2. sudo mount -t sysfs sys test/sys; sudo mount -t debugfs none
3. sudo chroot ./test /ingraind /config

### Expectation
I see system-wide events, just like without chroot.

### Reality
I don't see events firing at all.

If you compile the code at
statically and run it inside the chroot while ingraind is running
chrooted, the kprobe will fire both read and write events from within
the mount namespace.


