[Bug Report] Inconsistent behavior for symlinked binaries between different ProcMonitorMethod

Describe the bug:

Different definitions for ProcMonitorMethod treat symlinked binaries differently, causing non-obvious silent test failures on the v1.7.0.0 update. The eBPF backend treats binaries by their symlink path, while all other monitor methods treat them by their real absolute location.

To Reproduce:

Steps to reproduce the behavior:

  1. Create a rule for an absolute binary path
  2. Create a symlink to that binary
  3. Load opensnitch and execute the symlinked binary from its symlink path
  4. On eBPF ProcMonitorMethod: Rule does not attach. On all other ProcMonitorMethods: Rule applies.

This can also be reproduced in the VM test that is part of our NixOS CI.

The rule here is being created by absolute path in /nix/store/<curl-package>/bin/curl:
https://github.com/NixOS/nixpkgs/blob/7668dddecbe7732a86cacae2510b6d2ef6c710fa/nixos/tests/opensnitch.nix#L59

But the test executes curl by $PATH, which is a symlink in /run/current-system/sw/bin/curl:
https://github.com/NixOS/nixpkgs/blob/7668dddecbe7732a86cacae2510b6d2ef6c710fa/nixos/tests/opensnitch.nix#L80
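To make the mismatch concrete, here is an added example (not opensnitch's code, and not part of this report) that rebuilds the NixOS layout in a temporary directory: a real binary under a store-like path and a symlink to it under an sw-like path. A rule written for the real path is compared against the executed path once as reported verbatim (the symlink path, as the eBPF backend reports it) and once after resolving symlinks on both sides with filepath.EvalSymlinks, which is how the other monitor methods end up behaving. The Rule type, CanonicalExePath and BuildFixture are assumed names for this illustration only.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Rule is a hypothetical stand-in for an opensnitch process-path rule:
// it holds the absolute path the rule author wrote down.
type Rule struct {
	Path string
}

// CanonicalExePath resolves every symlink component of an executable path
// and returns the absolute real location, i.e. what a monitor that reports
// the real binary location would hand to the rule engine. Assumed name.
func CanonicalExePath(p string) (string, error) {
	resolved, err := filepath.EvalSymlinks(p)
	if err != nil {
		return "", err
	}
	return filepath.Abs(resolved)
}

// MatchesRaw compares the reported path exactly as given, which is the
// behaviour the report attributes to the eBPF backend: a symlink path
// never equals the rule's real path.
func (r Rule) MatchesRaw(reported string) bool {
	return reported == r.Path
}

// MatchesCanonical canonicalises both the rule path and the reported path
// before comparing, so a rule for <store>/bin/curl also fires when the
// binary is started through <sw>/bin/curl.
func (r Rule) MatchesCanonical(reported string) (bool, error) {
	want, err := CanonicalExePath(r.Path)
	if err != nil {
		return false, err
	}
	got, err := CanonicalExePath(reported)
	if err != nil {
		return false, err
	}
	return want == got, nil
}

// BuildFixture creates a constructed stand-in for the NixOS layout under dir:
// a real "binary" at <dir>/store/bin/curl and a symlink to it at
// <dir>/sw/bin/curl. It returns (realPath, linkPath).
func BuildFixture(dir string) (string, string, error) {
	realPath := filepath.Join(dir, "store", "bin", "curl")
	linkPath := filepath.Join(dir, "sw", "bin", "curl")
	if err := os.MkdirAll(filepath.Dir(realPath), 0o755); err != nil {
		return "", "", err
	}
	if err := os.MkdirAll(filepath.Dir(linkPath), 0o755); err != nil {
		return "", "", err
	}
	// The "binary" is a trivial shell script; only its path matters here.
	if err := os.WriteFile(realPath, []byte("#!/bin/sh\nexit 0\n"), 0o755); err != nil {
		return "", "", err
	}
	if err := os.Symlink(realPath, linkPath); err != nil {
		return "", "", err
	}
	return realPath, linkPath, nil
}

func main() {
	dir, err := os.MkdirTemp("", "symlink-rule")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	realPath, linkPath, err := BuildFixture(dir)
	if err != nil {
		panic(err)
	}
	rule := Rule{Path: realPath}

	// Executing via the symlink: raw comparison misses, canonical comparison hits.
	fmt.Println("raw match via symlink:", rule.MatchesRaw(linkPath))
	ok, err := rule.MatchesCanonical(linkPath)
	if err != nil {
		panic(err)
	}
	fmt.Println("canonical match via symlink:", ok)
}
```

The design point is that whichever side of the comparison is canonicalised, both must be: resolving only the reported path while leaving the rule path verbatim would still miss when the rule author wrote the symlink path instead of the store path.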

Post error logs:

Not an error, but I can provide debug logs if they would actually be useful.

Expected behavior (optional):

Rules should have consistent behavior between different monitoring methods. While arguably the new behavior can be useful for more granular control, it is an undocumented departure from 1.6.x behavior and inconsistent with the other monitor methods.

Ideally, old behavior could be restored.

Additional context:

Discovered during the v1.7.0.0 update in nixpkgs: NixOS/nixpkgs#412616
I had opened a discussion (#1356) before finally finding the issue. Probably a side effect of the cilium switch.