skip non supported platform
safchain committed Nov 22, 2024
1 parent 0449772 commit c1ca1a7
Showing 4 changed files with 19 additions and 3 deletions.
11 changes: 10 additions & 1 deletion pkg/security/ebpf/probes/tc.go
Expand Up @@ -66,15 +66,24 @@ func GetTCProbes(withNetworkIngress bool, withRawPacket bool) []*manager.Probe {
return out
}

// GetRawPacketTCProgramFunctions returns the raw packet functions
func GetRawPacketTCProgramFunctions() []string {
return []string{
"classifier_raw_packet",
"classifier_raw_packet_sender",
}
}

// GetAllTCProgramFunctions returns the list of TC classifier sections
func GetAllTCProgramFunctions() []string {
output := []string{
"classifier_dns_request_parser",
"classifier_dns_request",
"classifier_imds_request",
"classifier_raw_packet",
}

output = append(output, GetRawPacketTCProgramFunctions()...)

for _, tcProbe := range GetTCProbes(true, true) {
output = append(output, tcProbe.EBPFFuncName)
}
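Review bot: The doc comment on `GetRawPacketTCProgramFunctions` does not say why these two names are split out of `GetAllTCProgramFunctions` or that they must match the eBPF program function names exactly. Judging by the commit title, the list is presumably used elsewhere to leave the raw packet classifiers out on platforms without network support, but that caller is not visible in this section. I would state that in the comment, e.g. `// GetRawPacketTCProgramFunctions returns the eBPF function names of the raw packet TC classifiers, kept as a separate list so they can be handled apart from the other classifiers.` As far as the hunk shows, `GetAllTCProgramFunctions` now also reports `classifier_raw_packet_sender`, which the previous literal did not list, so it is worth confirming that every consumer of that list expects the extra entry. The body of `GetAllTCProgramFunctions` continues past the end of the hunk.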
3 changes: 3 additions & 0 deletions pkg/security/probe/model_ebpf.go
Expand Up @@ -33,6 +33,9 @@ func NewEBPFModel(probe *EBPFProbe) *model.Model {
return fmt.Errorf("%s is not available on this kernel version", field)
}
case "packet.filter":
if probe.isNetworkNotSupported() {
return fmt.Errorf("%s is not available on this kernel version", field)
}
if _, err := rawpacket.BPFFilterToInsts(0, value.Value.(string), rawpacket.DefaultProgOpts); err != nil {
return err
}
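Review bot: The new guard under `case "packet.filter":` rejects the rule only on the kernel check, so on a supported kernel where the network feature is switched off in configuration a `packet.filter` rule would, as far as this hunk shows, still validate and then never match. For a detection rule, a silent no-op is harder to notice than a load error. If nothing outside the hunk already covers that case, consider `if probe.isNetworkNotSupported() || !probe.config.Probe.NetworkEnabled {` and an error message that names the disabled feature rather than the kernel version. The enclosing validation function starts and ends outside the hunk, so the ordering relative to `sanityChecks` could not be checked here.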
6 changes: 5 additions & 1 deletion pkg/security/probe/probe_ebpf.go
Expand Up @@ -199,6 +199,10 @@ func (p *EBPFProbe) selectFentryMode() {
p.useFentry = supported
}

func (p *EBPFProbe) isNetworkNotSupported() bool {
return p.kernelVersion.IsRH7Kernel() || (p.kernelVersion.IsAmazonLinuxKernel() && p.kernelVersion.Code < kernel.Kernel4_14)
}

func (p *EBPFProbe) sanityChecks() error {
// make sure debugfs is mounted
if _, err := tracefs.Root(); err != nil {
Expand All @@ -209,7 +213,7 @@ func (p *EBPFProbe) sanityChecks() error {
return errors.New("eBPF not supported in lockdown `confidentiality` mode")
}

if p.config.Probe.NetworkEnabled && p.kernelVersion.IsRH7Kernel() {
if p.config.Probe.NetworkEnabled && p.isNetworkNotSupported() {
seclog.Warnf("The network feature of CWS isn't supported on Centos7, setting event_monitoring_config.network.enabled to false")
p.config.Probe.NetworkEnabled = false
}
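Review bot: The warning in `sanityChecks` still says the network feature "isn't supported on Centos7", but the condition now also fires for Amazon Linux kernels older than 4.14, so an operator on that platform gets a misleading reason for the feature being disabled. Something like `seclog.Warnf("The network feature of CWS isn't supported on this kernel (Centos7 or Amazon Linux < 4.14), setting event_monitoring_config.network.enabled to false")` would keep the log accurate. The new `isNetworkNotSupported` method also has no doc comment; I would add `// isNetworkNotSupported reports whether the running kernel is one on which the CWS network feature cannot be used (RHEL/CentOS 7, or Amazon Linux older than 4.14).` The body of `sanityChecks` continues outside both hunks.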
2 changes: 1 addition & 1 deletion pkg/security/tests/network_test.go
Expand Up @@ -82,7 +82,7 @@ func TestRawPacket(t *testing.T) {
checkKernelCompatibility(t, "RHEL, SLES, SUSE and Oracle kernels", func(kv *kernel.Version) bool {
// TODO: Oracle because we are missing offsets
// OpenSUSE distributions are missing the dummy kernel module
return kv.IsRH7Kernel() || kv.IsOracleUEKKernel() || kv.IsSLESKernel() || kv.IsOpenSUSELeapKernel()
return kv.IsRH7Kernel() || kv.IsOracleUEKKernel() || kv.IsSLESKernel() || kv.IsOpenSUSELeapKernel() || (kv.IsAmazonLinuxKernel() && kv.Code < kernel.Kernel4_14)
})

if testEnvironment != DockerEnvironment && !env.IsContainerized() {
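Review bot: The skip reason passed to `checkKernelCompatibility` in `TestRawPacket` still reads "RHEL, SLES, SUSE and Oracle kernels", while the predicate now also skips Amazon Linux kernels older than 4.14, so the test output will not explain why the test was skipped there. Extending the string, e.g. `"RHEL, SLES, SUSE, Oracle and Amazon Linux < 4.14 kernels"`, keeps skipped coverage visible. The Amazon Linux condition also repeats the expression inside `isNetworkNotSupported` in probe_ebpf.go; a short comment next to it pointing at that method would help keep the two in step. The body of `TestRawPacket` continues past the hunk.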