Error building Tracee on Ubuntu 20.04.2 LTS kernel 5.4.0-73-generic #828

Closed
idanr1986 opened this issue Jul 19, 2021 · 10 comments

@idanr1986

While executing make docker I get "make: mkdir: Operation not permitted":

fatal: not a git repository (or any of the parent directories): .git
fatal: not a git repository (or any of the parent directories): .git
docker build --build-arg VERSION=0 --build-arg BUILD_DATE=2021-07-19T19:12:26Z --build-arg VCS_BRANCH="" --build-arg VCS_REF="" -t tracee:latest .
Sending build context to Docker daemon 1.042MB
Step 1/23 : ARG BASE=fat
Step 2/23 : FROM golang:1.16-alpine as builder
---> 7762f5dece68
Step 3/23 : RUN apk --no-cache update && apk --no-cache add git clang llvm make gcc libc6-compat coreutils linux-headers musl-dev elfutils-dev libelf-static zlib-static
---> Using cache
---> 43f7119b67f1
Step 4/23 : WORKDIR /tracee
---> Using cache
---> 3a08e75d98b8
Step 5/23 : FROM builder as build
---> 3a08e75d98b8
Step 6/23 : ARG VERSION
---> Using cache
---> 2cf6c5026aee
Step 7/23 : COPY . /tracee
---> Using cache
---> aef8a7671824
Step 8/23 : RUN make
---> Running in feaec81d439f
make: mkdir: Operation not permitted
make: *** [Makefile:32: dist] Error 127
mkdir -p dist
The command '/bin/sh -c make' returned a non-zero code: 2
make: *** [Makefile:59: docker] Error 2

@idanr1986
Author

I found a fix for this issue by editing the Dockerfile and changing the builder image from golang:1.16-alpine to golang:1.16-alpine3.13. From what I concluded, the issue starts with Alpine 3.14.
Here are some references to the issue:
https://forums.docker.com/t/multiple-projects-stopped-building-on-docker-hub-operation-not-permitted/92570/4
https://gitlab.alpinelinux.org/alpine/aports/-/issues/12396

@itaysk
Collaborator

itaysk commented Jul 20, 2021

@rafaeldtinoco thanks for the analysis. I'm not sure I understood the solution (the workaround you mentioned); is there a fix required on our side?

@rafaeldtinoco
Contributor

rafaeldtinoco commented Jul 20, 2021

@rafaeldtinoco thanks for the analysis. I'm not sure I understood the solution (the workaround you mentioned); is there a fix required on our side?

I'm not sure why @idanr1986 's environment is failing. I'm currently using a similar kernel and docker.io packages from Ubuntu Focal (but updated to the latest) and cannot reproduce. My bet is that his environment is enforcing some kind of changed profile by default, which is causing the change of errors for syscalls wrapped by seccomp.

With that said, we can create a profile:

{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "names": [
                "faccessat2"
            ],
            "action": "SCMP_ACT_ERRNO",
            "args": [],
            "comment": "",
            "includes": {},
            "excludes": {}
        }
    ]
}

and execute docker with that profile:

docker run -it --security-opt seccomp=./profile.json alpine:edge /bin/sh

and we could mitigate this issue as long as we discover what syscall is being wrapped by seccomp and failing.

@rafaeldtinoco
Contributor

@itaysk Should we do something here? Have the build workaround (this or a polished version of this) in tracee's Makefile?

I don't see upstream fixing this issue right now, as the issue is closed, and even if they do, the distributions would have to pick up the fix, and that could mean a long time with broken builds on older kernels.

@yanivagman
Collaborator

For now, maybe we can change the dockerfile to point to a previous tag of alpine instead of latest to workaround this?

@rafaeldtinoco
Contributor

Nevermind, I have just reproduced the issue:

Step 8/23 : RUN make
 ---> Running in 094510e348aa
make: /bin/sh: Operation not permitted
make: *** [Makefile:40: dist/tracee-ebpf] Error 127

In a recently installed environment without ANY updates. I'll isolate kernel and OS upgrades to see what mitigates the issue. Then we will have to decide whether we want the workaround in the Makefile (to cover building in outdated environments) or just document here that anyone using Ubuntu should apply all updates before building tracee.

@rafaeldtinoco
Contributor

@idanr1986 and @yanivagman

The FIX is to update your environment (Ubuntu Focal)

deb https://archive.ubuntu.com/ubuntu focal main restricted universe multiverse
deb https://archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse

BUT, if you cannot do that, then AT LEAST upgrade the runc package

from 1.0.0~rc10-0ubuntu1 TO 1.0.0~rc95-0ubuntu1~20.04.1

It contains the mitigation for this issue. I'll bisect runc changes and see what is the specific fix.

@rafaeldtinoco
Contributor

And the runc commit in between these 2 versions that fixed the issue is this one:

seccomp: prepend -ENOSYS stub to all filters
opencontainers/runc@7a8d716

Which is exactly related to the initial analysis, but with a fix made in runc. I think just having this issue as closed with these comments will document enough information for one (to update runc for building tracee) and that no changes in our side are needed.
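
The seccomp profile comment above and the runc commit cited here both come down to one detail: a libc that knows about faccessat2 tries that syscall first and falls back to the older faccessat only when the kernel answers ENOSYS; a seccomp filter built by an older runc answers EPERM for syscalls it does not know, so the fallback never runs and mkdir or /bin/sh reports "Operation not permitted". The following C program is an added example (not part of the Tracee project or of this thread) that reproduces that fallback logic and tells you, from inside a container, which of the three situations you are in. The function names, the enum and the hard-coded syscall number 439 (used when the libc headers predate faccessat2) are this example's own assumptions.

```c
// Added example, not Tracee code: probe how faccessat2 behaves under the
// current kernel and seccomp filter and mimic the libc fallback to faccessat.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>       /* AT_FDCWD */
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* faccessat2 arrived in Linux 5.8 as syscall 439 on every architecture
 * using the unified table; older libc headers do not define the macro. */
#ifndef SYS_faccessat2
#define SYS_faccessat2 439
#endif

enum probe_result {
    PROBE_NATIVE,        /* faccessat2 succeeded: kernel and filter know it */
    PROBE_FELL_BACK,     /* ENOSYS: the libc-style fallback to faccessat ran */
    PROBE_SECCOMP_EPERM, /* EPERM from the filter: no fallback is attempted */
    PROBE_OTHER_ERROR    /* a real access error (EACCES, ENOENT, ...) */
};

/* Classify the errno of a raw faccessat2 call. Kept pure so the decision
 * can be tested without a specific kernel or seccomp configuration. */
enum probe_result classify_faccessat2_errno(int err)
{
    if (err == 0)      return PROBE_NATIVE;
    if (err == ENOSYS) return PROBE_FELL_BACK;
    if (err == EPERM)  return PROBE_SECCOMP_EPERM;
    return PROBE_OTHER_ERROR;
}

/* What a libc does for access(): try faccessat2, fall back to faccessat
 * only on ENOSYS. Returns 0 when `path` is accessible for `mode`, -1
 * otherwise; *kind records which branch was taken. */
int access_with_fallback(const char *path, int mode, enum probe_result *kind)
{
    long rc = syscall(SYS_faccessat2, AT_FDCWD, path, mode, 0);
    int err = (rc == 0) ? 0 : errno;
    *kind = classify_faccessat2_errno(err);

    switch (*kind) {
    case PROBE_NATIVE:
        return 0;
    case PROBE_FELL_BACK:
        /* Old kernel, or a filter that returns ENOSYS for unknown syscalls
         * (what runc's -ENOSYS stub restores): use the older syscall. */
        return faccessat(AT_FDCWD, path, mode, 0);
    case PROBE_SECCOMP_EPERM:
        /* The failure mode from this issue: the filter hides the syscall
         * behind EPERM, so a musl/glibc that trusts errno gives up here. */
        return -1;
    default:
        return -1;
    }
}

int main(void)
{
    static const char *names[] = {
        "faccessat2 native",
        "ENOSYS, fell back to faccessat",
        "EPERM from seccomp (fallback never attempted)",
        "other error"
    };
    enum probe_result kind;
    int rc = access_with_fallback("/", R_OK, &kind);
    printf("access(\"/\", R_OK) = %d via %s\n", rc, names[kind]);
    return rc == 0 ? 0 : 1;
}
```

Compile with cc -o probe probe.c and run it inside the builder image (for example docker run --rm -v "$PWD":/w -w /w golang:1.16-alpine sh -c 'apk add gcc musl-dev && cc -o probe probe.c && ./probe'). The "EPERM from seccomp" line on a host with runc 1.0.0~rc10 and the "native" or "fell back" line after the runc upgrade is the same difference the thread bisected to the -ENOSYS stub commit.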

@yanivagman
Collaborator

@rafaeldtinoco thanks for the analysis.
From the above I understand that there is no issue here for tracee, and we can close this, right?

@rafaeldtinoco
Contributor

Correct IMO, it is well documented for whoever needs it. Closing this then. Thank you.
