fix: check CAP_BPF by capget syscall #707
Test OK for a low memory-lock environment, but the warning tip for non-root operation is inaccurate. I understand that the permissions should be determined before RemoveMemlocks. The tip info when a non-root user executes ecapture is confusing.
The error message updates as "the current user does not have CAP_SYS_RESOURCE to remove rlimit memlock. Please run as root or use sudo or add the --privileged=true flag for Docker".
It's simpler to check CAP_BPF via the capget syscall than by creating a bpf prog, as creating a bpf prog requires removing the rlimit memlock.

Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
LGTM, Thanks.
Test passed

```
127|emu64a:/data/local/tmp $ uname -a
Linux localhost 5.15.41-android13-8-00055-g4f5025129fe8-ab8949913 #1 SMP PREEMPT Mon Aug 15 18:33:14 UTC 2022 aarch64 Toybox
emu64a:/data/local/tmp $ whoami
shell
emu64a:/data/local/tmp $ ./ecapture tls
Error: the current user does not have CAP_BPF to load bpf programs. Please run as root or use sudo or add the --privileged=true flag for Docker.
1|emu64a:/data/local/tmp $ su
emu64a:/data/local/tmp # ./ecapture tls
2024-12-28T14:23:08Z INF AppName="eCapture(旁观者)"
2024-12-28T14:23:08Z INF HomePage=https://ecapture.cc
2024-12-28T14:23:08Z INF Repository=https://github.com/gojue/ecapture
2024-12-28T14:23:08Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-12-28T14:23:08Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-28T14:23:08Z INF Version=androidgki_arm64:v0.9.1-20241228-32f201c:5.15.0-127-generic
2024-12-28T14:23:08Z INF Listen=localhost:28256
2024-12-28T14:23:08Z INF eCapture running logs logger=
2024-12-28T14:23:08Z INF the file handler that receives the captured event eventCollector=
2024-12-28T14:23:08Z INF Kernel Info=5.15.41 Pid=5680
2024-12-28T14:23:08Z INF listen=localhost:28256
2024-12-28T14:23:08Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-28T14:23:08Z WRN Your environment is like a container. We won't be able to detect the BTF configuration.
If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode.
2024-12-28T14:23:08Z INF BTF bytecode mode: CORE. btfMode=0
2024-12-28T14:23:08Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-12-28T14:23:08Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-28T14:23:08Z INF Module.Run()
2024-12-28T14:23:08Z ERR OpenSSL/BoringSSL version not found, used default version.If you want to use the specific version, please set the sslVersion parameter with "--ssl_version='boringssl_a_13'" , "--ssl_version='boringssl_a_14'", or use "ecapture tls --help" for more help.
2024-12-28T14:23:08Z ERR bpfFile=boringssl_a_13_kern.o sslVersion=android_default
2024-12-28T14:23:08Z INF Hook masterKey function ElfType=2 Functions=["SSL_in_init"] binrayPath=/apex/com.android.conscrypt/lib64/libssl.so
2024-12-28T14:23:08Z INF target all process.
2024-12-28T14:23:08Z INF target all users.
2024-12-28T14:23:08Z INF setupManagers eBPFProgramType=Text
2024-12-28T14:23:08Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_a_13_kern_core.o
2024-12-28T14:23:09Z INF perfEventReader created mapSize(MB)=4
2024-12-28T14:23:09Z INF perfEventReader created mapSize(MB)=4
2024-12-28T14:23:09Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
^C2024-12-28T14:23:10Z INF Module closed,message recived from Context
2024-12-28T14:23:10Z INF module close.
2024-12-28T14:23:11Z INF iModule module close
2024-12-28T14:23:11Z INF bye bye.
```
Fixes #706
It's simpler to check CAP_BPF via the capget syscall than by creating a bpf prog, as creating a bpf prog requires removing the rlimit memlock.