Skip to content

Commit

Permalink
[CWS] add additional fentry check for weak duplicated symbols (#31632)
Browse files Browse the repository at this point in the history
  • Loading branch information
@paulcacheux
paulcacheux authored Dec 2, 2024
1 parent d06ed83 commit 677d39b
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 0 deletions.
14 changes: 14 additions & 0 deletions pkg/security/ebpf/kernel/kernel.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"fmt"
"os"
"path/filepath"
"runtime"
"strings"
"sync"

Expand Down Expand Up @@ -375,6 +376,19 @@ func (k *Version) HaveFentrySupportWithStructArgs() bool {
return k.commonFentryCheck("audit_set_loginuid")
}

// HaveFentryNoDuplicatedWeakSymbols returns whether the kernel supports fentry probes with struct arguments
func (k *Version) HaveFentryNoDuplicatedWeakSymbols() bool {
var symbol string
switch runtime.GOARCH {
case "amd64":
symbol = "__ia32_sys_setregid16"
default:
return true
}

return k.commonFentryCheck(symbol)
}

// SupportBPFSendSignal returns true if the eBPF function bpf_send_signal is available
func (k *Version) SupportBPFSendSignal() bool {
return k.Code != 0 && k.Code >= Kernel5_3
Expand Down
6 changes: 6 additions & 0 deletions pkg/security/probe/probe_ebpf.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,12 @@ func (p *EBPFProbe) selectFentryMode() {
return
}

if !p.kernelVersion.HaveFentryNoDuplicatedWeakSymbols() {
p.useFentry = false
seclog.Warnf("fentry enabled but not supported with duplicated weak symbols, falling back to kprobe mode")
return
}

p.useFentry = true
}

Expand Down

0 comments on commit 677d39b

Please sign in to comment.