Parca Agent must be run as the root user (or with CAP_SYS_ADMIN). Various security precautions have been taken to protect users running Parca Agent.
Parca Agent binaries and container image build processes have been specifically designed to be byte-by-byte reproducible.
- Go dependencies are pinned via go.mod and go.sum, ensuring the Go dependencies themselves are byte-by-byte reproducible.
- Build tool and shared library versions are pinned in the Dockerfile using Debian snapshots.
- libbpf is included and versioned in this repository via a git submodule.
Parca Agent uses BPF CO-RE (Compile Once – Run Everywhere) via libbpf: all BPF programs are pre-compiled and statically embedded in the target binary, from which they are loaded by libbpf at runtime. This means that Parca Agent does not need to compile the BPF program at startup or runtime as bcc-tools do, so neither Clang and LLVM nor kernel headers need to be installed on the host. The only requirement is a BTF-capable kernel (Linux Kernel 4.18+).
The result is a Go binary that only requires dynamic linking with:
- libpthread
- libelf
- libz
- libc
libbpf is statically compiled and included in the resulting Go binary. Fewer things required equals a smaller attack surface.
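One way to verify the claim above on a built binary, as an added example that is not part of Parca Agent's own tooling: parse the NEEDED entries from `readelf -d` (GNU binutils) and flag any shared library outside the four listed. Matching on the soname prefix before `.so` (so `libelf.so.1` counts as `libelf`) is an assumption of this check, and the `readelf` samples below are constructed.

```shell
#!/bin/sh
# Allowlist from the text: the only libraries the binary should link dynamically.
ALLOWED="libpthread libelf libz libc"

# check_needed: read `readelf -d` output on stdin, report any NEEDED library
# outside the allowlist on stderr, and return 1 if one was found.
check_needed() {
    rc=0
    # Lines look like: 0x0000000000000001 (NEEDED) Shared library: [libelf.so.1]
    needed=$(sed -n 's/.*(NEEDED).*\[\([^]]*\)\].*/\1/p')
    for lib in $needed; do
        base=${lib%%.so*}      # libelf.so.1 -> libelf (assumed matching rule)
        ok=0
        for a in $ALLOWED; do
            [ "$base" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected dynamic dependency: $lib" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of readelf -d output for a binary matching the text.
SAMPLE_OK='
 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libelf.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
'
# Constructed sample with one extra library that a reviewer would want flagged.
SAMPLE_BAD="$SAMPLE_OK
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
"

# Usage against a real build:
#   readelf -d ./parca-agent | check_needed
```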
Read more on CO-RE and libbpf:
- BPF binaries: BTF, CO-RE, and the future of BPF perf tools - Brendan Gregg
- BPF Portability and CO-RE - Andrii Nakryiko
We intend to soon provide signatures of release artifacts via sigstore. See parca-dev/parca-agent#16 for more details and progress.
Parca Agent uses automated code scanning to analyze the code in the Parca Agent repository and find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in the review process, thanks to CodeQL.
The Parca Agent supply chain uses Dependabot to constantly keep the dependencies up-to-date against any security vulnerabilities.
As with any complex system, it is near certain that bugs will be found, some of them security-relevant. If you find a security bug, please report it privately to the parca-security@googlegroups.com mailing list. We will fix the issue as soon as possible and coordinate a release date with you. You will be able to choose if you want public acknowledgement of your effort and if you want to be mentioned by name.
Parca is maintained by volunteers, not by a company. Therefore, fixing security issues is done on a best-effort basis. We strive to release security fixes within 7 days.