
[Need help] run bpf programs as non root user with bpftime #353

Open
nalreddy opened this issue Sep 27, 2024 · 3 comments

Comments

@nalreddy

In our current product, we execute BPF programs without needing sudo by using setcap to grant the necessary capabilities to the executable (specifically, we set bpf_cap before running the BPF program).

setcap CAP_BPF,CAP_SYS_RESOURCE,CAP_PERFMON=+eip tracer

How can we achieve the same functionality with bpftime?

Are there instances where we must run bpftime with sudo?

Modes of Running bpftime

  1. Attach mode:

     ./example/malloc/victim & echo $!  # This outputs the PID, e.g., 101771

     To attach to it:

     $ sudo bpftime attach 101771  # Note: You may need to run `make install` as root
     Inject: "/root/.bpftime/libbpftime-agent.so"
     Successfully injected. ID: 1

  2. You can load the BPF program and start it:

     bpftime load ./example/malloc/malloc
     bpftime start ./example/malloc/victim

  3. You can also run with LD_PRELOAD directly.

Questions:

  1. Why is sudo necessary in the first method? Is it required?
  2. System call tracing examples also run with sudo—is this mandatory?

Could you clarify in which cases we need to use sudo and which cases do not require it?

We would prefer to avoid using sudo with BPF programs and run them as non-root. Is it possible to use the attach method without sudo?


@Officeyutong
Contributor

  1. The first requires root privileges because it uses ptrace to inject a dynamic library into your desired process. Using ptrace to do such a thing requires root.
  2. Syscall trace needs root since it needs to call mprotect to switch access flags of code pages (so we can modify them and implement userspace syscall trace).

Root is not necessary for uprobe/uretprobe/usdt

@yunwei37
Member

You may try granting CAP_SYS_PTRACE for the first method, since it's using ptrace here.

Actually both of them can run in unprivileged containers, e.g. you can try GitHub Codespaces.
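Since the attach mode above rides on ptrace (so it needs root or CAP_SYS_PTRACE, and the setcap approach from the question can cover that), here is an added pre-flight check, not part of bpftime, that reads the caller's effective capability mask and the Yama ptrace_scope sysctl and reports whether an unprivileged attach can be expected to work; the script name preflight.sh and its --check flag are assumptions.

```shell
#!/bin/sh
# Added example, not part of bpftime: read CapEff from /proc/self/status and
# the Yama ptrace_scope sysctl, then say whether a ptrace-based
# `bpftime attach` can work without sudo. Capability bit numbers are the
# kernel's (include/uapi/linux/capability.h).
CAP_SYS_PTRACE=19
CAP_SYS_RESOURCE=24
CAP_PERFMON=38
CAP_BPF=39

# has_cap HEXMASK BIT: exit 0 if bit BIT is set in the hex capability mask.
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# effective_caps: CapEff mask of the current shell, as printed by the kernel.
effective_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# ptrace_verdict HEXMASK SCOPE: exit 0 (and say why) if a process with this
# CapEff mask may ptrace-attach to a same-uid process under Yama ptrace_scope
# SCOPE (0 classic, 1 descendants only, 2 CAP_SYS_PTRACE only, 3 nobody).
ptrace_verdict() {
    mask=$1; scope=$2
    if has_cap "$mask" "$CAP_SYS_PTRACE"; then
        [ "$scope" -le 2 ] && { echo "attach allowed: CAP_SYS_PTRACE present"; return 0; }
        echo "attach blocked: ptrace_scope=3 disables attach for everyone"; return 1
    fi
    case $scope in
        0) echo "attach allowed for same-uid targets (classic ptrace rules)"; return 0 ;;
        1) echo "attach blocked: ptrace_scope=1 allows descendants only without CAP_SYS_PTRACE"; return 1 ;;
        *) echo "attach blocked: ptrace_scope=$scope needs CAP_SYS_PTRACE or forbids attach"; return 1 ;;
    esac
}

# main: report the capabilities setcap would normally grant, then the verdict.
main() {
    mask=$(effective_caps)
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo 0)
    echo "CapEff=$mask ptrace_scope=$scope"
    for c in "CAP_BPF $CAP_BPF" "CAP_PERFMON $CAP_PERFMON" "CAP_SYS_RESOURCE $CAP_SYS_RESOURCE" "CAP_SYS_PTRACE $CAP_SYS_PTRACE"; do
        set -- $c
        has_cap "$mask" "$2" && echo "$1: present" || echo "$1: absent"
    done
    ptrace_verdict "$mask" "$scope"
}
# Run the report only when invoked as `sh preflight.sh --check`.
if [ "${1:-}" = "--check" ]; then main; fi
```

A non-zero exit from the report means `bpftime attach` will need sudo or an added CAP_SYS_PTRACE; uprobe/LD_PRELOAD modes are unaffected by it.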

@yunwei37
Member

Thanks for pointing out the problem! We will provide a document for all the permission related questions.
