improve the fentry check to support struct args (for auid)

DataDog · Nov 29, 2024 · 0b244cf · 0b244cf
1 parent 8fee074
commit 0b244cf
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 3 deletions.
diff --git a/pkg/security/ebpf/kernel/kernel.go b/pkg/security/ebpf/kernel/kernel.go
@@ -332,8 +332,7 @@ func (k *Version) HaveLegacyPipeInodeInfoStruct() bool {
 	return k.Code != 0 && k.Code < Kernel5_5
 }
 
-// HaveFentrySupport returns whether the kernel supports fentry probes
-func (k *Version) HaveFentrySupport() bool {
+func (k *Version) commonFentryCheck(funcName string) bool {
 	if features.HaveProgramType(ebpf.Tracing) != nil {
 		return false
 	}
@@ -366,6 +365,16 @@ func (k *Version) HaveFentrySupport() bool {
 	return true
 }
 
+// HaveFentrySupport returns whether the kernel supports fentry probes
+func (k *Version) HaveFentrySupport() bool {
+	return k.commonFentryCheck("vfs_open")
+}
+
+// HaveFentrySupportWithStructArgs returns whether the kernel supports fentry probes with struct arguments
+func (k *Version) HaveFentrySupportWithStructArgs() bool {
+	return k.commonFentryCheck("audit_set_loginuid")
+}
+
 // SupportBPFSendSignal returns true if the eBPF function bpf_send_signal is available
 func (k *Version) SupportBPFSendSignal() bool {
 	return k.Code != 0 && k.Code >= Kernel5_3

diff --git a/pkg/security/probe/probe_ebpf.go b/pkg/security/probe/probe_ebpf.go
@@ -196,9 +196,19 @@ func (p *EBPFProbe) selectFentryMode() {
 
 	supported := p.kernelVersion.HaveFentrySupport()
 	if !supported {
+		p.useFentry = false
 		seclog.Errorf("fentry enabled but not supported, falling back to kprobe mode")
+		return
 	}
-	p.useFentry = supported
+
+	structArgsSupported := p.kernelVersion.HaveFentrySupportWithStructArgs()
+	if !structArgsSupported {
+		p.useFentry = false
+		seclog.Warnf("fentry enabled but not supported with struct args, falling back to kprobe mode")
+		return
+	}
+
+	p.useFentry = true
 }
 
 func (p *EBPFProbe) isNetworkNotSupported() bool {