Parca Agent must run as the root user (or with CAP_SYS_ADMIN). Various security precautions have been taken to protect users running Parca Agent.
Parca Agent binaries and the container image build process have been specifically designed to be byte-by-byte reproducible.
- Go dependencies are pinned via go.sum, so the Go dependencies are byte-by-byte reproducible.
- Build tool and shared library versions are pinned in the Dockerfile using Debian snapshots.
- libbpf is included and versioned in this repository via a git submodule.
Parca Agent uses BPF CO-RE (Compile Once – Run Everywhere) via libbpf: all BPF programs are pre-compiled and statically embedded in the target binary, from which they are loaded via libbpf at runtime. This means that Parca Agent does not need to compile the BPF program at startup or runtime, as is the case with bcc-tools, so neither Clang & LLVM nor kernel headers need to be installed on the host. The only requirement is a BTF-capable kernel (Linux kernel 4.18+).
The result is a Go binary that only requires dynamic linking with:
libbpf is statically compiled into the resulting Go binary. Fewer requirements mean a smaller attack surface.
Read more on CO-RE and libbpf:
- BPF binaries: BTF, CO-RE, and the future of BPF perf tools - Brendan Gregg
- BPF Portability and CO-RE - Andrii Nakryiko
Automated code scanning
Parca Agent uses automated code scanning to analyze the code in the Parca Agent repository and find security vulnerabilities and coding errors. Any problems identified by the analysis are shown in the review process, thanks to CodeQL.
Automated dependency updates
The Parca Agent supply chain uses Dependabot to keep the dependencies constantly up to date, so that known security vulnerabilities in dependencies are patched promptly.
Report Security Vulnerabilities
As with any complex system, it is near certain that bugs will be found, some of them security-relevant. If you find a security bug, please report it privately to the firstname.lastname@example.org mailing list. We will fix the issue as soon as possible and coordinate a release date with you. You will be able to choose if you want public acknowledgement of your effort and if you want to be mentioned by name.
Parca is maintained by volunteers, not by a company. Therefore, fixing security issues is done on a best-effort basis. We strive to release security fixes within 7 days.