The current user does not have CAP_BPF to load bpf programs #706

Closed
Shapa7276 opened this issue Dec 25, 2024 · 9 comments · Fixed by #707
Labels: 🐞 bug, help wanted

Comments

@Shapa7276

Describe the bug
I am getting the below error while trying to capture the TLS

```
1|panther:/data/local/tmp # uname -a
Linux localhost 5.10.198-android13-4-00050-g12f3388846c3-ab11920634 #1 SMP PREEMPT Mon Jun 3 20:51:42 UTC 2024 aarch64 Toybox
panther:/data/local/tmp # whoami
root
panther:/data/local/tmp # ./ecapture --version
eCapture version:	androidgki_arm64:v0.9.1:6.5.0-1025-azure
panther:/data/local/tmp # ./ecapture tls
Error: the current user does not have CAP_BPF to load bpf programs. Please run as root or use sudo or add the --privileged=true flag for Docker.
NAME:
	tls - Used to capture TLS/SSL text content without the need for a CA certificate. (Supports OpenSSL 1.0.x/1.1.x/3.x or newer).
```

**Android**

  • Device: [Pixel 7]
  • Env: [run ecapture -v to get the eCapture version, or run the make env command for complete information]
  • OS: Android13
  • Arch: Linux localhost 5.10.198-android13-4-00050-g12f3388846c3-ab11920634 #1 SMP PREEMPT Mon Jun 3 20:51:42 UTC 2024 aarch64 Toybox
  • Kernel Version: 5.10.198
@Asphaltt
Member

Could you check `CONFIG_BPF` by `grep BPF /boot/config-$(uname -r)`?

@KardRi

KardRi commented Dec 25, 2024

Is there /boot for Android?

I got the same issue, too. Here's my /proc/config.gz (Android 12)

```
/data/local/tmp # zcat /proc/config.gz | grep BPF
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
# CONFIG_BPF_LSM is not set
CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
# CONFIG_BPF_PRELOAD is not set
CONFIG_NETFILTER_XT_MATCH_BPF=y
# CONFIG_BPFILTER is not set
CONFIG_NET_CLS_BPF=y
CONFIG_NET_ACT_BPF=y
CONFIG_BPF_JIT=y
# CONFIG_BPF_STREAM_PARSER is not set
CONFIG_HAVE_EBPF_JIT=y
CONFIG_BPF_LIRC_MODE2=y
CONFIG_BPF_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
```

@Asphaltt
Member

The message is provided by `detectBpfCap()`.

```go
func detectBpfCap() error {
	// BPF permission check
	prog, err := ebpf.NewProgram(&ebpf.ProgramSpec{
		Name: "uprobe_dummy",
		Type: ebpf.Kprobe,
		Instructions: asm.Instructions{
			asm.Mov.Imm(asm.R0, 0),
			asm.Return(),
		},
		License: "GPL",
	})
	if err != nil {
		if errors.Is(err, unix.EPERM) {
			return fmt.Errorf("the current user does not have CAP_BPF to load bpf programs. Please run as root or use sudo or add the --privileged=true flag for Docker.")
		}
		return fmt.Errorf("failed to create bpf program: %v", err)
	}
	defer prog.Close()
	return nil
}
```

Can you figure out the reason why BPF syscall returns -EPERM?

A possible approach is to use retsnoop by `retsnoop -e '*sys_bpf' -a 'bpf_prog_*' -a 'bpf_check*' -T`.

@cfc4n added the help wanted label Dec 25, 2024
@cfc4n
Member

cfc4n commented Dec 25, 2024

Tag v0.8.10 does not have this BPF permission detection function. @Shapa7276 Can you test it with this version?

@Shapa7276
Author

@cfc4n it worked :)

@KardRi

KardRi commented Dec 26, 2024

> The message is provided by `detectBpfCap()`.
>
> ```go
> func detectBpfCap() error {
> 	// BPF permission check
> 	prog, err := ebpf.NewProgram(&ebpf.ProgramSpec{
> 		Name: "uprobe_dummy",
> 		Type: ebpf.Kprobe,
> 		Instructions: asm.Instructions{
> 			asm.Mov.Imm(asm.R0, 0),
> 			asm.Return(),
> 		},
> 		License: "GPL",
> 	})
> 	if err != nil {
> 		if errors.Is(err, unix.EPERM) {
> 			return fmt.Errorf("the current user does not have CAP_BPF to load bpf programs. Please run as root or use sudo or add the --privileged=true flag for Docker.")
> 		}
> 		return fmt.Errorf("failed to create bpf program: %v", err)
> 	}
> 	defer prog.Close()
> 	return nil
> }
> ```
>
> Can you figure out the reason why BPF syscall returns -EPERM?
>
> A possible approach is to use retsnoop by `retsnoop -e '*sys_bpf' -a 'bpf_prog_*' -a 'bpf_check*' -T`.

I don't think there will be CONFIG_DEBUG_INFO_BTF-enabled Android kernels... Any other way to check?

@cfc4n added the 🐞 bug label Dec 26, 2024
@chilli13

Check memlock with cmd `ulimit -l`, exec `ulimit -l unlimited` and retry.

I also encountered the same problem. After modifying the code, I got the specific error information and modified memlock to solve it. By the way, older ecapture versions seem to be less prone to this problem. Has the recent modification increased ecapture memory costs?

run ecapture

```
# ./bin/ecapture tls
Error: CAP_BPF:failed to create bpf program: load program: operation not permitted (MEMLOCK may be too low, consider rlimit.RemoveMemlock)
NAME:
	tls - Used to capture TLS/SSL text content without the need for a CA certificate. (Supports OpenSSL 1.0.x/1.1.x/3.x or newer).

USAGE:
```

code

```go
func detectBpfCap() error {
	// BPF permission check
	// ... ...
	if err != nil {
		if errors.Is(err, unix.EPERM) {
			return fmt.Errorf("CAP_BPF:failed to create bpf program: %v", err)
			//return fmt.Errorf("the current user does not have CAP_BPF to load bpf programs. Please run as root or use sudo or add the --privileged=true flag for Docker.")
		}

		return fmt.Errorf("failed to create bpf program: %v", err)
	}
```

@Asphaltt
Member

@chilli13 Thank you, bro.

Could you test the PR #707 to check whether it's OK to detect CAP_BPF?


> the recent modification increased ecapture memory costs?

Nope. It's to check CAP_BPF early in order to tell the user the permission limit asap.

@cfc4n
Member

cfc4n commented Dec 27, 2024

> Error: CAP_BPF:failed to create bpf program: load program: operation not permitted (MEMLOCK may be too low, consider rlimit.RemoveMemlock)

@Asphaltt We need to detect whether the user is root before calling the `detectBpfCap` function. Of course, it is best to exclude the help version flags.
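
Added example, not eCapture's code and not posted by anyone in this thread: a standard-library-only Go sketch that separates the two EPERM causes discussed above (missing CAP_BPF/CAP_SYS_ADMIN versus a low RLIMIT_MEMLOCK) from the text of /proc/self/status and /proc/self/limits. The names `explainEPERM` and `first` are hypothetical, and the input in `main` is a constructed sample.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Capability bit numbers from linux/capability.h.
const (
	capSysAdmin = 21
	capBPF      = 39 // split out of CAP_SYS_ADMIN in Linux 5.8
)

// first returns the first field after prefix on the line starting with prefix, or "".
func first(text, prefix string) string {
	for _, line := range strings.Split(text, "\n") {
		if strings.HasPrefix(line, prefix) {
			if f := strings.Fields(line[len(prefix):]); len(f) > 0 {
				return f[0]
			}
		}
	}
	return ""
}

// explainEPERM takes the contents of /proc/self/status and /proc/self/limits
// and names the likely reason BPF_PROG_LOAD returned EPERM.
func explainEPERM(status, limits string) string {
	eff, err := strconv.ParseUint(first(status, "CapEff:"), 16, 64)
	if err != nil {
		return "unknown: CapEff missing or malformed"
	}
	if eff&(1<<capBPF|1<<capSysAdmin) == 0 {
		return "capability: neither CAP_BPF nor CAP_SYS_ADMIN is effective"
	}
	// Kernels before 5.11 charge BPF memory to RLIMIT_MEMLOCK and return
	// EPERM when the limit is exceeded, even for root.
	if soft := first(limits, "Max locked memory"); soft != "" && soft != "unlimited" {
		return "memlock: soft limit is " + soft + " bytes and may be too low"
	}
	return "other: capabilities and memlock limit are not the cause"
}

func main() {
	// Constructed sample: root shell with all capabilities and a 64 KiB memlock limit.
	fmt.Println(explainEPERM("CapEff:\t000001ffffffffff\n",
		"Max locked memory         65536                65536                bytes\n"))
}
```

On a device, pass the real contents of the two /proc files; the "memlock" result corresponds to the `ulimit -l unlimited` workaround and the `rlimit.RemoveMemlock` hint in the error message above.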
