Preventing loading of the process module on Linux

danmichael — Fri, 25 Oct 2024 13:23:01 GMT

There are two workarounds that can be used on Linux to fully prevent the loading of the process module.

This can be useful for applications you don't want or need to instrument. For instance if the process module is causing crashes in some application.

LD_AUDIT environment variable

You can prevent the process module from being loaded by setting the LD_AUDIT environment variable to point to the oneagentaudit.so library provided with the agent installation. This is a special "auditing" library that will be called by the Linux loader on process startup and which can then block the loading of the process module into that process. In a default full stack agent installation the correct value would be the following:

LD_AUDIT=/opt/dynatrace/oneagent/agent/bin/current/linux-x86-64/liboneagentaudit.so

Newer OneAgent versions may have this library in the following locations:

/opt/dynatrace/oneagent/agent/lib/liboneagentaudit.so /opt/dynatrace/oneagent/agent/lib64/liboneagentaudit.so

If you're having trouble locating the liboneagentaudit you can run something like the below to find the location on Linux systems

find / -name "liboneagentaudit.so" 2>/dev/null

Important notes:

The auditing interface using the LD_AUDIT environment variable is only available on glibc based Linux systems (which covers almost all distributions except Alpine Linux)
The current implementation will cause the following error to be printed in the terminal: ERROR: ld.so: object '/$LIB/liboneagentproc.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored. This is not a problem and is simply a sign that the audit library is working correctly.

Separate mount namespace

The second alternative is to run the problematic program in a separate mount namespace and mount an empty file on top of /etc/ld.so.preload within that namespace. This basically hides the existence of the process module from that program while having no impact on the rest of the system. This can be achieved using the unshare command (with root rights):

unshare -m -- sh -c 'mount --bind /dev/null /etc/ld.so.preload && <program to execute>

For a permanent effect, the customer might have to add this command to some kind of a startup script or a systemd service file. In case they don't want to start the program as root, one can extend the command to run the final program as some other user like this:

unshare -m -- sh -c 'mount --bind /dev/null /etc/ld.so.preload && su -c "<program to execute>" <user>'

The above command is, for example, necessary in case of a systemd service file where the user has been set to a non-root user. So a service file like this...:

ExecStart=/path/to/binary User=someuser

... needs to be modified into something like this:

ExecStart=/usr/bin/unshare -m -- /bin/sh -c 'mount --bind /dev/null /etc/ld.so.preload && su -c "/path/to/binary" someuser' User=root

Re: Preventing loading of the process module on Linux

ChadTurner — Fri, 26 May 2023 15:54:21 GMT

Thanks for sharing this work around @danmichael

article Preventing loading of the process module on Linux in Troubleshooting

Preventing loading of the process module on Linux

LD_AUDIT environment variable

Separate mount namespace

Re: Preventing loading of the process module on Linux