What were you trying to do that didn't work?

When setting up a user probe using ebpf or systemtap on a file, fapolicyd computes a different checksum, causing (usually) denial to occur.
The investigation was initially performed in RHEL-142628, I've closed the latter and created this one to avoid confusion.

eBPF is used by Microsoft's MDATP, in particular for monitoring /usr/lib64/libpam.so.0 function calls. Through setting a user probe, mdatp and fapolicyd cannot be used concurrently.

The reason for computing a different checksum is using mmap(MAP_PRIVATE) which makes the hooks set by ebpf and systemtap be visible:

1140 char *get_hash_from_fd2(int fd, size_t size, file_hash_alg_t alg)
1141 {
 :
1165         mapped = mmap(0, size, PROT_READ, MAP_PRIVATE|MAP_POPULATE, fd, 0);
1166         if (mapped != MAP_FAILED) {
 :

This can be demonstrated with the program compute_sha256_v2 attached, which uses the same code as get_hash_from_fd2() function.

A solution consists in using MAP_SHARED instead of MAP_PRIVATE, this can be demonstrated with the program compute_sha256_v3 attached.

What is the impact of this issue to you?

Can't use fapolicyd when mdatp is enabled.

Please provide the package NVR for which the bug is seen:

All fapolicyd releases including Upstream.

How reproducible is this bug?

Always

Steps to reproduce

1. Compile compute_sha256_v2 and compute_sha256_v3

   # gcc -o compute_sha256_v2 compute_sha256_v2.c -lcrypto
   # gcc -o compute_sha256_v3 compute_sha256_v3.c -lcrypto

2. Setup a eBPF probe on /bin/bash

   # echo 'r:bashReadline /bin/bash:0xd1720 cmd=+0($retval):string' >> /sys/kernel/tracing/uprobe_events
   echo 1 > /sys/kernel/tracing/events/uprobes/bashReadline/enable

3. Compute the checksum with compute_sha256_v2 and compare with sha256sum one

   # sha256sum /bin/bash
   97995faa249e5706dd0b0373c9da547709bf7349755d5fc8e52f97a4bd04feaf  /bin/bash
   # ./compute_sha256_v2 /bin/bash /tmp/bash.v2.out
   SHA256 = c352c281a02ad29548e6f59363551ff954c06e30cee485dc627e10f44752eae0
   # ./compute_sha256_v3 /bin/bash /tmp/bash.v3.out
   SHA256 = 97995faa249e5706dd0b0373c9da547709bf7349755d5fc8e52f97a4bd04feaf
   

Here above compute_sha256_v2 computation is "wrong", due to using mmap(MAP_PRIVATE).
/tmp/bash.v2.out (the memory the checksum was computed on) shows the eBPF hooks:

# objdump -dT /tmp/bash.v2.out > /tmp/bash.v2.out.objdump
# objdump -dT /bin/bash > /tmp/bash.objdump
# diff -u /tmp/bash.objdump /tmp/bash.v2.out.objdump
[...]
 00000000000d1720 <readline@@Base>:
-   d1720:	f3 0f 1e fa          	endbr64 
+   d1720:	cc                   	int3   
+   d1721:	0f 1e fa             	nop    %edx
    d1724:	83 3d 4d 51 08 00 ff 	cmpl   $0xffffffff,0x8514d(%rip)        # 156878 <rl_pending_input@@Base>
    d172b:	41 54                	push   %r12
    d172d:	0f 84 8d 00 00 00    	je     d17c0 <readline@@Base+0xa0>

compute_sha256_v3 computation is "correct" because of the use of mmap(MAP_SHARED), which "hides" the hook.

Remaining question is: should MAP_SHARED always be used or do we want to make this tunable?