could not check enabled kconfig features - Ubuntu 24.04

[rohitcoder]

Description

I was trying to capture egress traffic and thought of using Tracee to help with it. However, while testing, I ran into an error. Do you have any idea how to fix it?

Output of tracee version:

Tracee version: v0.23.0

Output of uname -a:

Linux ip-172-31-0-71 6.8.0-1025-aws #27-Ubuntu SMP Wed Feb 19 19:10:47 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Additional details

root@ip-172-31-0-71:/tmp# arch
x86_64
root@ip-172-31-0-71:/tmp# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04 LTS
Release:        24.04
Codename:       noble
root@ip-172-31-0-71:/tmp# docker run --name tracee -it --rm \
  --pid=host --cgroupns=host --privileged \
  -v /etc/os-release:/etc/os-release-host:ro \
  -v /var/run:/var/run:ro \
  aquasec/tracee:latest
{"level":"warn","ts":1743437597.235206,"msg":"KConfig: could not check enabled kconfig features","error":"could not read /boot/config-6.8.0-1025-aws: stat /boot/config-6.8.0-1025-aws: no such file or directory"}
{"level":"warn","ts":1743437597.2353456,"msg":"KConfig: assuming kconfig values, might have unexpected behavior"}
{"level":"fatal","ts":1743437605.959398,"msg":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: ebpf.(*Tracee).populateBPFMaps: ebpf.(*Tracee).populateFilterMaps: policy.(*policies).updateBPF: policy.(*policies).createNewEventsMapVersion: policy.createNewInnerMap: could not find BTF id 371: operation not permitted"}
root@ip-172-31-0-71:/tmp# 

[geyslan]

Hello @rohitcoder. Thanks for this report.

About the main question (not a real issue), you can just set a volume to docker to have access to your /boot: -v /boot:/boot.

Regarding the "fatal" log, would you mind bringing the output of:

• docker run --rm -it --privileged --pid=host --entrypoint sh aquasec/tracee:latest -c "grep Cap /proc/self/status"
• grep Cap /proc/self/status

Have you tested to build and run Tracee directly on your host? What's the output?

[rohitcoder]

Hi @geyslan

This is output for docker command

root@ip-172-31-0-71:/home/ubuntu# docker run --rm -it --privileged --pid=host --entrypoint sh aquasec/tracee:latest -c "grep Cap /proc/self/status"
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

root@ip-172-31-0-71:/home/ubuntu# grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
root@ip-172-31-0-71:/home/ubuntu# 

I also tried to make it more source using make all and i tried to run the tracee binary from dist folder

I got this output, build was successful, but binary is still giving error

2164: (25) if r1 > 0x6cfc goto pc+29          ; R1_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=27900,var_off=(0x0; 0x7fff))
; int sz = bpf_probe_read_str(&(buf->args[buf->offset + sizeof(int)]), MAX_STRING_SIZE, ellipsis);
2165: (07) r2 += 4                    ; R2_w=scalar(smin=umin=8,smax=umax=0x100010006,var_off=(0x0; 0x1ffffffff))
2166: (57) r2 &= 65535                ; R2_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
; int sz = bpf_probe_read_str(&(buf->args[buf->offset + sizeof(int)]), MAX_STRING_SIZE, ellipsis);
2167: (79) r1 = *(u64 *)(r10 -88)     ; R1_w=map_value(map=event_data_map,ks=4,vs=32528) R10=fp0 fp-88=map_value(map=event_data_map,ks=4,vs=32528)
2168: (0f) r1 += r2                   ; R1_w=map_value(map=event_data_map,ks=4,vs=32528,smin=smin32=0,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff)) R2_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
2169: (07) r1 += 145                  ; R1_w=map_value(map=event_data_map,ks=4,vs=32528,off=145,smin=smin32=0,smax=umax=smax32=umax32=0xffff,var_off=(0x0; 0xffff))
2170: (bf) r3 = r10                   ; R3_w=fp0 R10=fp0
; int sz = bpf_probe_read_str(&(buf->args[buf->offset + sizeof(int)]), MAX_STRING_SIZE, ellipsis);
2171: (07) r3 += -76                  ; R3_w=fp-76
; int sz = bpf_probe_read_str(&(buf->args[buf->offset + sizeof(int)]), MAX_STRING_SIZE, ellipsis);
2172: (b7) r2 = 4096                  ; R2_w=4096
2173: (85) call bpf_probe_read_str#45
invalid access to map value, value_size=32528 off=65680 size=4096
R1 max value is outside of the allowed memory range
processed 2161 insns (limit 1000000) max_states_per_insn 0 total_states 154 peak_states 154 mark_read 35
-- END PROG LOAD LOG --
{"level":"warn","ts":1743487092.5480103,"msg":"libbpf: prog 'syscall__execve_enter': failed to load: -13"}
{"level":"warn","ts":1743487092.5489264,"msg":"libbpf: failed to load object ''"}
{"level":"fatal","ts":1743487092.5609875,"msg":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: failed to load BPF object: permission denied"}
root@ip-172-31-0-71:/home/ubuntu/tracee/dist# 

[geyslan]

Your capabilities seem fine.

The verifier is clearly complaining about an "invalid access to map value - R1 max value is outside the allowed memory range". --- EDIT: Please provide the full log.

To pinpoint the issue, we need to gather more information from your environment. Below, you'll find outputs from a functional VM using Tracee's Vagrantfile. I recommend checking that VM for comparisons as well, as it provides a reliable reference environment.

# grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

# grep Seccomp /proc/self/status
Seccomp:        0
Seccomp_filters:        0

# grep 'CONFIG_BPF' /boot/config-$(uname -r)
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
CONFIG_BPF_LSM=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_KPROBE_OVERRIDE=y

# sysctl -a | grep -E "bpf|seccomp|cgroup|cap|perf"
kernel.bpf_stats_enabled = 0
kernel.cap_last_cap = 40
kernel.perf_cpu_time_max_percent = 25
kernel.perf_event_max_contexts_per_stack = 8
kernel.perf_event_max_sample_rate = 100000
kernel.perf_event_max_stack = 127
kernel.perf_event_mlock_kb = 516
kernel.perf_event_paranoid = 4
kernel.seccomp.actions_avail = kill_process kill_thread trap errno user_notif trace log allow
kernel.seccomp.actions_logged = kill_process kill_thread trap errno user_notif trace log
kernel.unprivileged_bpf_disabled = 2
net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 0
net.core.bpf_jit_kallsyms = 1
net.core.bpf_jit_limit = 528482304
user.max_cgroup_namespaces = 63814

# ls /sys/kernel/btf/vmlinux
/sys/kernel/btf/vmlinux

Check for apparmor and/or selinux:

# aa-status
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /{,usr/}sbin/dhclient
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
   ubuntu_pro_apt_news
   ubuntu_pro_esm_cache
   ubuntu_pro_esm_cache//apt_methods
   ubuntu_pro_esm_cache//apt_methods_gpgv
   ubuntu_pro_esm_cache//cloud_id
   ubuntu_pro_esm_cache//dpkg
   ubuntu_pro_esm_cache//ps
   ubuntu_pro_esm_cache//ubuntu_distro_info
   ubuntu_pro_esm_cache_systemctl
   ubuntu_pro_esm_cache_systemd_detect_virt
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

[rohitcoder]

Hi @geyslan

This is the full log, i am still not able to understand what's wrong here

*** System restart required ***
Last login: Tue Apr  1 13:03:54 2025 from 18.206.107.29
ubuntu@ip-172-31-0-71:~$ sudo su
root@ip-172-31-0-71:/home/ubuntu# grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
root@ip-172-31-0-71:/home/ubuntu# grep Seccomp /proc/self/status
Seccomp:        0
Seccomp_filters:        0
root@ip-172-31-0-71:/home/ubuntu# grep 'CONFIG_BPF' /boot/config-$(uname -r)
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
CONFIG_BPF_LSM=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_KPROBE_OVERRIDE=y
root@ip-172-31-0-71:/home/ubuntu# sysctl -a | grep -E "bpf|seccomp|cgroup|cap|perf"
kernel.bpf_stats_enabled = 0
kernel.cap_last_cap = 40
kernel.perf_cpu_time_max_percent = 25
kernel.perf_event_max_contexts_per_stack = 8
kernel.perf_event_max_sample_rate = 100000
kernel.perf_event_max_stack = 127
kernel.perf_event_mlock_kb = 516
kernel.perf_event_paranoid = 1
kernel.seccomp.actions_avail = kill_process kill_thread trap errno user_notif trace log allow
kernel.seccomp.actions_logged = kill_process kill_thread trap errno user_notif trace log
kernel.unprivileged_bpf_disabled = 2
net.core.bpf_jit_enable = 1
net.core.bpf_jit_harden = 0
net.core.bpf_jit_kallsyms = 1
net.core.bpf_jit_limit = 528482304
user.max_cgroup_namespaces = 31217
root@ip-172-31-0-71:/home/ubuntu# ls /sys/kernel/btf/vmlinux
/sys/kernel/btf/vmlinux
root@ip-172-31-0-71:/home/ubuntu#  aa-status
apparmor module is loaded.
121 profiles are loaded.
31 profiles are in enforce mode.
   /snap/snapd/23545/usr/lib/snapd/snap-confine
   /snap/snapd/23545/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /snap/snapd/23771/usr/lib/snapd/snap-confine
   /snap/snapd/23771/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/man
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/chronyd
   docker-default
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   plasmashell
   plasmashell//QtWebEngineProcess
   rsyslogd
   snap-update-ns.amazon-ssm-agent
   tcpdump
   ubuntu_pro_apt_news
   ubuntu_pro_esm_cache
   ubuntu_pro_esm_cache//apt_methods
   ubuntu_pro_esm_cache//apt_methods_gpgv
   ubuntu_pro_esm_cache//cloud_id
   ubuntu_pro_esm_cache//dpkg
   ubuntu_pro_esm_cache//ps
   ubuntu_pro_esm_cache//ubuntu_distro_info
   ubuntu_pro_esm_cache_systemctl
   ubuntu_pro_esm_cache_systemd_detect_virt
   unix-chkpwd
   unprivileged_userns
2 profiles are in complain mode.
   snap.amazon-ssm-agent.amazon-ssm-agent
   snap.amazon-ssm-agent.ssm-cli
0 profiles are in prompt mode.
0 profiles are in kill mode.
88 profiles are in unconfined mode.
   1password
   Discord
   MongoDB Compass
   QtWebEngineProcess
   brave
   buildah
   busybox
   cam
   ch-checkns
   ch-run
   chrome
   crun
   devhelp
   element-desktop
   epiphany
   evolution
   firefox
   flatpak
   geary
   github-desktop
   goldendict
   ipa_verify
   kchmviewer
   keybase
   lc-compliance
   libcamerify
   linux-sandbox
   loupe
   lxc-attach
   lxc-create
   lxc-destroy
   lxc-execute
   lxc-stop
   lxc-unshare
   lxc-usernsexec
   mmdebstrap
   msedge
   nautilus
   notepadqq
   obsidian
   opam
   opera
   pageedit
   podman
   polypane
   privacybrowser
   qcam
   qmapshack
   qutebrowser
   rootlesskit
   rpm
   rssguard
   runc
   sbuild
   sbuild-abort
   sbuild-adduser
   sbuild-apt
   sbuild-checkpackages
   sbuild-clean
   sbuild-createchroot
   sbuild-destroychroot
   sbuild-distupgrade
   sbuild-hold
   sbuild-shell
   sbuild-unhold
   sbuild-update
   sbuild-upgrade
   scide
   signal-desktop
   slack
   slirp4netns
   steam
   stress-ng
   surfshark
   systemd-coredump
   thunderbird
   toybox
   trinity
   tup
   tuxedo-control-center
   userbindmount
   uwsgi-core
   vdens
   virtiofsd
   vivaldi-bin
   vpnns
   vscode
   wpcom
7 processes have profiles defined.
6 processes are in enforce mode.
   /usr/sbin/chronyd (684) 
   /usr/sbin/chronyd (696) 
   /usr/bin/mongod (2046) docker-default
   /usr/local/bin/redis-server (2048) docker-default
   /usr/local/bin/node (3057) docker-default
   /usr/sbin/rsyslogd (845) rsyslogd
1 processes are in complain mode.
   /snap/amazon-ssm-agent/9881/amazon-ssm-agent (560) snap.amazon-ssm-agent.amazon-ssm-agent
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
root@ip-172-31-0-71:/home/ubuntu# 

[geyslan]

Try disabling apparmor.

Regarding the full log output I mentioned, I was referring to the primary log from the verifier. Please run Tracee again and share the complete verifier error log with us. Ah and let us know the output of bpf tooling like:

# bpftool feature
# bpftool prog list
# bpftool map list
# bpftool prog list | grep jited

This should let us know if the env has bpf working (kprobe specifically):

# sudo bpftrace -e 'kprobe:do_filp_open { printf("BPF is working!\n"); }'

[rohitcoder]

Hi @geyslan

I don't think this is BPF issue, i was able to run https://github.com/iovisor/bcc/blob/master/tools/sslsniff.py

and i got positive results for all above mentioned commands. Attaching few logs.

root@ip-172-31-0-71:~/sniffer# sudo bpftrace -e 'kprobe:do_filp_open { printf("BPF is working!\n"); }'
Attaching 1 probe...
BPF is working!
BPF is working!
BPF is working!

root@ip-172-31-0-71:~/sniffer# bpftool prog list | grep jited
        xlated 56B  jited 135B  memlock 4096B  map_ids 2
        xlated 552B  jited 358B  memlock 4096B
        xlated 552B  jited 358B  memlock 4096B
        xlated 3768B  jited 2121B  memlock 4096B  map_ids 22,36,6,44,42,37,57,27,28,24
        xlated 9840B  jited 6172B  memlock 12288B  map_ids 22,84,24,6,77,95,109,96,27,28
        xlated 6080B  jited 3691B  memlock 8192B  map_ids 147,136,22,29,27,28
        xlated 16848B  jited 10258B  memlock 20480B  map_ids 147,22,23,25,112,136,6,145,26,137,28,27
        xlated 1688B  jited 1028B  memlock 4096B  map_ids 147,115,153,146,27,28,26
        xlated 2352B  jited 1284B  memlock 4096B  map_ids 22,161,23,25
        xlated 552B  jited 358B  memlock 4096B
        xlated 280B  jited 160B  memlock 4096B  map_ids 3536,3533
        xlated 696B  jited 397B  memlock 4096B  map_ids 3536,3538,3537
        xlated 128B  jited 81B  memlock 4096B  map_ids 3536
        xlated 696B  jited 397B  memlock 4096B  map_ids 3536,3538,3537
        xlated 128B  jited 81B  memlock 4096B  map_ids 3535
        xlated 840B  jited 475B  memlock 4096B  map_ids 3535,3538,3537
        xlated 128B  jited 81B  memlock 4096B  map_ids 3535
        xlated 952B  jited 535B  memlock 4096B  map_ids 3535,3538,3537
        xlated 64B  jited 42B  memlock 4096B

root@ip-172-31-0-71:~/sniffer# bpftool map list
2: prog_array  name hid_jmp_table  flags 0x0
        key 4B  value 4B  max_entries 1024  memlock 8576B
        owner_prog_type tracing  owner jited
6: hash  name tg_conf_map  flags 0x0
        key 4B  value 40B  max_entries 1  memlock 1344B
        btf_id 45
22: hash  name execve_map  flags 0x0
        key 4B  value 888B  max_entries 32768  memlock 31460208B
        btf_id 67
23: lru_hash  name tg_execve_joine  flags 0x0
        key 8B  value 16B  max_entries 8192  memlock 721920B
        btf_id 68
24: percpu_array  name execve_map_stat  flags 0x0
        key 4B  value 8B  max_entries 2  memlock 432B
        btf_id 69
25: percpu_array  name tg_execve_joine  flags 0x0
        key 4B  value 8B  max_entries 2  memlock 432B
        btf_id 70
26: prog_array  name execve_calls  flags 0x0
        key 4B  value 4B  max_entries 2  memlock 400B
        owner_prog_type tracepoint  owner jited
27: perf_event_array  name tcpmon_map  flags 0x0
        key 4B  value 4B  max_entries 2  memlock 400B
28: percpu_array  name tg_stats_map  flags 0x0
        key 4B  value 12288B  max_entries 1  memlock 24968B
        btf_id 73

root@ip-172-31-0-71:~/sniffer# bpftool prog list
2: tracing  name hid_tail_call  tag 7cc47bbf07148bfe  gpl
        loaded_at 2025-04-05T08:00:44+0000  uid 0
        xlated 56B  jited 135B  memlock 4096B  map_ids 2
        btf_id 2
88: cgroup_device  tag ab4bc4523b7fe6b4
        loaded_at 2025-04-05T08:01:04+0000  uid 0
        xlated 552B  jited 358B  memlock 4096B
92: cgroup_device  tag ab4bc4523b7fe6b4
        loaded_at 2025-04-05T08:01:04+0000  uid 0
        xlated 552B  jited 358B  memlock 4096B
101: kprobe  name event_exit_acct_process  tag 1bb06064fb88c42b  gpl
        loaded_at 2025-04-05T08:01:04+0000  uid 0
        xlated 3768B  jited 2121B  memlock 4096B  map_ids 22,36,6,44,42,37,57,27,28,24
        btf_id 103
103: kprobe  name event_wake_up_new_task  tag 2fa9cded463d0e6c  gpl
        loaded_at 2025-04-05T08:01:05+0000  uid 0
        xlated 9840B  jited 6172B  memlock 12288B  map_ids 22,84,24,6,77,95,109,96,27,28
        btf_id 128
104: tracepoint  name execve_send  tag 21760705a398c715  gpl
        loaded_at 2025-04-05T08:01:05+0000  uid 0
        xlated 6080B  jited 3691B  memlock 8192B  map_ids 147,136,22,29,27,28
        btf_id 157
105: tracepoint  name event_execve  tag f6f987f8592bb1ea  gpl
        loaded_at 2025-04-05T08:01:05+0000  uid 0
        xlated 16848B  jited 10258B  memlock 20480B  map_ids 147,22,23,25,112,136,6,145,26,137,28,27
        btf_id 158
106: tracepoint  name execve_rate  tag 24bb711486c9ad18  gpl
        loaded_at 2025-04-05T08:01:05+0000  uid 0
        xlated 1688B  jited 1028B  memlock 4096B  map_ids 147,115,153,146,27,28,26
        btf_id 159
107: kprobe  name tg_kp_bprm_committing_creds  tag 39ed34ca4d94fd62  gpl
        loaded_at 2025-04-05T08:01:07+0000  uid 0
        xlated 2352B  jited 1284B  memlock 4096B  map_ids 22,161,23,25
        btf_id 176

I also tried to run this in AWS Ubuntu 22.04 and this is output

root@ip-172-31-91-219:/home/ubuntu# docker run --name tracee -it --rm   --pid=host --cgroupns=host --privileged   -v /etc/os-release:/etc/os-release-host:ro   -v /var/run:/var/run:ro   aquasec/tracee:latest
Unable to find image 'aquasec/tracee:latest' locally
latest: Pulling from aquasec/tracee
83abf496f1b8: Pull complete 
a229eaf75ea2: Pull complete 
f03969f168fe: Pull complete 
75faae2dcb43: Pull complete 
77c58f3a969a: Pull complete 
6b983baadb96: Pull complete 
06aa1de25178: Pull complete 
54598aa7999d: Pull complete 
df81ddfa2b8a: Pull complete 
97871372f309: Pull complete 
b1c98c2987f0: Pull complete 
6a04256271d0: Pull complete 
Digest: sha256:55940ad823efba72593929eee752cc92127bd90beb504bebe169b49d7fe7f470
Status: Downloaded newer image for aquasec/tracee:latest
{"level":"warn","ts":1744101684.0365891,"msg":"KConfig: could not check enabled kconfig features","error":"could not read /boot/config-6.8.0-1024-aws: stat /boot/config-6.8.0-1024-aws: no such file or directory"}
{"level":"warn","ts":1744101684.0384455,"msg":"KConfig: assuming kconfig values, might have unexpected behavior"}

[geyslan]

Ok. Have you posted the verifier full log? I didn't see it above. It would be nice to try to detect which bpf program (LOC) is causing that loading failure.