improve the fentry check to support struct args (for auid)
paulcacheux committed Nov 29, 2024
1 parent 9523c36 commit 46dc91c
Showing 2 changed files with 23 additions and 4 deletions.
15 changes: 12 additions & 3 deletions pkg/security/ebpf/kernel/kernel.go
Original file line number Diff line number Diff line change
Expand Up @@ -332,16 +332,15 @@ func (k *Version) HaveLegacyPipeInodeInfoStruct() bool {
return k.Code != 0 && k.Code < Kernel5_5
}

// HaveFentrySupport returns whether the kernel supports fentry probes
func (k *Version) HaveFentrySupport() bool {
func (k *Version) commonFentryCheck(funcName string) bool {
if features.HaveProgramType(ebpf.Tracing) != nil {
return false
}

spec := &ebpf.ProgramSpec{
Type: ebpf.Tracing,
AttachType: ebpf.AttachTraceFEntry,
AttachTo: "vfs_open",
AttachTo: funcName,
Instructions: asm.Instructions{
asm.LoadImm(asm.R0, 0, asm.DWord),
asm.Return(),
Expand All @@ -366,6 +365,16 @@ func (k *Version) HaveFentrySupport() bool {
return true
}

// HaveFentrySupport returns whether the kernel supports fentry probes
func (k *Version) HaveFentrySupport() bool {
return k.commonFentryCheck("vfs_open")
}

// HaveFentrySupportWithStructArgs returns whether the kernel supports fentry probes with struct arguments
func (k *Version) HaveFentrySupportWithStructArgs() bool {
return k.commonFentryCheck("audit_set_loginuid")
}

// SupportBPFSendSignal returns true if the eBPF function bpf_send_signal is available
func (k *Version) SupportBPFSendSignal() bool {
return k.Code != 0 && k.Code >= Kernel5_3
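Review bot: HaveFentrySupportWithStructArgs (the new function at the end of the second hunk) ties "struct args work in fentry" to the presence of one specific symbol, so the comment should say what the check really proves; as written it reads as a pure capability test. On kernels where `audit_set_loginuid` is not present in BTF (presumably kernels built without audit support — worth confirming), commonFentryCheck will fail to load the probe program and the caller will disable fentry entirely even though struct-argument fentry may be fine. I would extend the comment to `// HaveFentrySupportWithStructArgs reports whether a fentry program can attach to audit_set_loginuid, which takes a struct argument; it also returns false when that symbol is absent from the kernel's BTF, not only when struct args are unsupported.` commonFentryCheck itself (first hunk) has no comment at all; a one-liner such as `// commonFentryCheck attempts to load a minimal fentry program attached to funcName and reports whether the load succeeds.` would help, and its body continues past the collapsed lines so I cannot see whether the spec load and error path changed.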
12 changes: 11 additions & 1 deletion pkg/security/probe/probe_ebpf.go
Original file line number Diff line number Diff line change
Expand Up @@ -196,9 +196,19 @@ func (p *EBPFProbe) selectFentryMode() {

supported := p.kernelVersion.HaveFentrySupport()
if !supported {
p.useFentry = false
seclog.Errorf("fentry enabled but not supported, falling back to kprobe mode")
return
}
p.useFentry = supported

structArgsSupported := p.kernelVersion.HaveFentrySupportWithStructArgs()
if !structArgsSupported {
p.useFentry = false
seclog.Warnf("fentry enabled but not supported with struct args, falling back to kprobe mode")
return
}

p.useFentry = true
}

func (p *EBPFProbe) isNetworkNotSupported() bool {
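Review bot: The two fallback branches in selectFentryMode log the same outcome at different severities: the base check uses `seclog.Errorf` while the new struct-args check uses `seclog.Warnf`, yet both set `p.useFentry = false` and leave the probe in kprobe mode. Either both should be the same level or the comment should explain why the struct-args case is considered less serious, e.g. `// struct-arg support is required for the auid probes; without it we fall back to kprobe for everything`. Note also that a single missing struct-args capability now turns off fentry for every probe rather than only the ones that need struct arguments, which may be intended but deserves a sentence in the function comment. selectFentryMode begins outside the hunk, so any earlier early-returns or the `useFentry` default are not visible here.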
