cilium / ebpf

Describe the bug

Automatic detection of Kernel Version is not supported without vDSO.

How to reproduce

Disable vDSO on a machine.
Reboot the machine.

root@docker-vdso-test:~/ebpf-main# go test -v ./internal -run TestCurrentKernelVersion
=== RUN   TestCurrentKernelVersion
    version_test.go:53: finding vDSO memory address: no vdso address found in auxv
--- FAIL: TestCurrentKernelVersion (0.00s)
FAIL
FAIL	github.com/cilium/ebpf/internal	0.004s
FAIL

Version information

main

For why support without vDSO is required, see: #1399

Can you explain how you disable vDSO please?

I referred to this: https://stackoverflow.com/q/8280014

…

On Tue, 2 Apr 2024, 2:38 pm Lorenz Bauer, ***@***.***> wrote: Can you explain how you disable vDSO please? — Reply to this email directly, view it on GitHub <#1408 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ARTVXPKBUGZQJV7MIWMVTUDY3JYSFAVCNFSM6AAAAABFPSE43CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMZRGQ3DOMBVGI> . You are receiving this because you authored the thread.Message ID: ***@***.***>

There are three different ways of "disabling" vDSO in that post. One of them strips the auxv, which is what we use. I need to know which one you're using / expect to work.

In Ubuntu 16.04 vDSO can be disabled system-wide by adding the kernel

parameter vdso=0 in /etc/default/grub under the parameter: GRUB_CMDLINE_LINUX_DEFAULT I used this method.

…

On Tue, 2 Apr 2024, 2:51 pm Lorenz Bauer, ***@***.***> wrote: There are three different ways of "disabling" vDSO in that post. One of them strips the auxv, which is what we use. I need to know which one you're using / expect to work. — Reply to this email directly, view it on GitHub <#1408 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ARTVXPNSJAMIKTQXEHJ47C3Y3J2DBAVCNFSM6AAAAABFPSE43CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMZRGQ4TKOJUGQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

Seems like vdso=0 causes the kernel to omit AT_SYSINFO_EHDR on am64. On arm64 the header is emitted unconditionally (maybe because arm64 doesn't allow turning of the vdso?)

My conclusion is that turning off the vdso is still kind of esoteric, and not something I want to spend a lot of effort supporting. I definitely don't want to bring back uname parsing. It also seems like it's possible to intercept gettimeofday using ltrace, so there is at least one possible work around.

If you really want this to work with vDSO off I can only offer you a partial work around. You can adjust

ebpf/prog.go

Line 253 in a330a78

if spec.Type == Kprobe && (kv == 0 || kv == internal.MagicKernelVersion) {

to only call internal.KernelVersion on old kernels (< 5.0) by writing a feature test (see haveProgRun in prog.go for inspiration) which checks whether the kernel requires KernelVersion to be present for Kprobes.

Kernel version detection does not work with vDSO disabled

Describe the bug

How to reproduce

Version information