Bug #8719: eBPF/XDP load fails on kernel ≥ 5.11 when CAP_SYS_RESOURCE is not available but it should not be necessary

Added by Amir Boussejra 1 day ago. Updated about 23 hours ago.

Status: In Review
Priority: Normal
Effort: low

Description

`EBPFLoadFile()` unconditionally calls `setrlimit(RLIMIT_MEMLOCK, RLIM_INFINITY)` and treats any failure as fatal (SCLogError + return -1), aborting the eBPF/XDP load.

Since Linux kernel 5.11, BPF map memory is memcg-accounted and is no longer charged against RLIMIT_MEMLOCK (see https://lwn.net/Articles/829307/), so raising the limit is unnecessary on those kernels. The setrlimit call still requires CAP_SYS_RESOURCE. When Suricata runs with dropped/restricted capabilities (i.e. without CAP_SYS_RESOURCE, case of), the call fails with EPERM and eBPF/XDP loading is aborted entirely — even though on a ≥ 5.11 kernel the memlock limit is irrelevant.
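The following is an added illustration of the non-fatal handling the report argues for; it is not Suricata's code and the helper names (`kernel_at_least`, `memlock_failure_is_fatal`, `ebpf_raise_memlock`) are hypothetical. It still attempts the `setrlimit` call, but on a kernel ≥ 5.11 an EPERM (no CAP_SYS_RESOURCE) is downgraded to a warning instead of aborting the eBPF/XDP load.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/utsname.h>

/* Hypothetical helper: parse "major.minor" from a uname release string such
 * as "5.11.0-27-generic" and return 1 if it is at least major.minor, else 0.
 * An unparsable release is treated as old, keeping the limit raise mandatory. */
int kernel_at_least(const char *release, int major, int minor)
{
    int maj = 0, mnr = 0;
    if (release == NULL || sscanf(release, "%d.%d", &maj, &mnr) != 2)
        return 0;
    return (maj > major) || (maj == major && mnr >= minor);
}

/* Since 5.11 BPF map memory is memcg-accounted, so RLIMIT_MEMLOCK is irrelevant
 * and an EPERM from setrlimit() only deserves a warning. Any other error, or an
 * older kernel, keeps the original fatal behaviour. Returns 1 if fatal. */
int memlock_failure_is_fatal(int err, const char *release)
{
    if (err == EPERM && kernel_at_least(release, 5, 11))
        return 0;
    return 1;
}

/* Try to lift the memlock limit. Returns 0 on success or on a non-fatal
 * failure, -1 when the caller should abort the eBPF/XDP load. */
int ebpf_raise_memlock(void)
{
    struct rlimit lim = { RLIM_INFINITY, RLIM_INFINITY };
    if (setrlimit(RLIMIT_MEMLOCK, &lim) == 0)
        return 0;
    int err = errno;
    struct utsname u;
    const char *release = (uname(&u) == 0) ? u.release : NULL;
    if (memlock_failure_is_fatal(err, release)) {
        fprintf(stderr, "setrlimit(RLIMIT_MEMLOCK) failed: %s\n", strerror(err));
        return -1;
    }
    fprintf(stderr, "warning: could not raise RLIMIT_MEMLOCK (%s); ignored on "
            "kernel %s (BPF memory is memcg-accounted)\n",
            strerror(err), release ? release : "unknown");
    return 0;
}

int main(void)
{
    return ebpf_raise_memlock() == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Run it without CAP_SYS_RESOURCE to see the warning path; the decision logic is kept in pure functions so it can be unit-tested independently of the running kernel.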
