libs
libs copied to clipboard
falcosecurity
update(modern_bpf_engine): add a check on the minimum kernel version
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area libscap-engine-modern-bpf
/area libscap
Does this PR require a change in the driver versions?
No
What this PR does / why we need it:
This PR adds:
- a new API in scap to compute the
semvercheck - a new check in the modern probe engine to ensure that we are on a supported kernel
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
update(modern_bpf_engine): add a check on the minimum kernel version
LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Andreagit97, FedeDP, Molter73
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [Andreagit97,FedeDP,Molter73]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
If bpf helpers are correctly backported on the previous kernel we could also support older versions than 5.8.0, so maybe these changes are not so needed :thinking:
/hold
If bpf helpers are correctly backported on the previous kernel we could also support older versions than
5.8.0, so maybe these changes are not so needed 🤔 /hold
Is there a way to discover that all the helpers we need are available in the current kernel, perhaps with bpftool? If there was such a thing, we would need to check if the required helpers are available instead of enforcing a minimum kernel version.
Hi @jasondellaluce , @Andreagit97
If bpf helpers are correctly backported on the previous kernel we could also support older versions than
5.8.0, so maybe these changes are not so needed thinking /holdIs there a way to discover that all the helpers we need are available in the current kernel, perhaps with bpftool? If there was such a thing, we would need to check if the required helpers are available instead of enforcing a minimum kernel version.
Thanks to @iii for some insights: The libbpf itself does a couple of "feature" probes, e.g.,
-
kernel_supports - (my favorite one :grin: )
probe_kern_probe_read_kerneldirectly - or via the
kernel_supportshere
So there are ways to dynamically check for helpers...
Hi @jasondellaluce , @Andreagit97
If bpf helpers are correctly backported on the previous kernel we could also support older versions than
5.8.0, so maybe these changes are not so needed thinking /holdIs there a way to discover that all the helpers we need are available in the current kernel, perhaps with bpftool? If there was such a thing, we would need to check if the required helpers are available instead of enforcing a minimum kernel version.
Thanks to @iii for some insights: The libbpf itself does a couple of "feature" probes, e.g.,
* [`kernel_supports`](https://github.com/libbpf/libbpf/blob/68e6f83f223ebf3fbf0d94c0f4592e5e6773f0c1/src/libbpf.c#L4839) * (my favorite one grin ) [`probe_kern_probe_read_kernel`](https://github.com/libbpf/libbpf/blob/68e6f83f223ebf3fbf0d94c0f4592e5e6773f0c1/src/libbpf.c#L4638) directly * or via the `kernel_supports` [here](https://github.com/libbpf/libbpf/blob/68e6f83f223ebf3fbf0d94c0f4592e5e6773f0c1/src/libbpf.c#L6643)So there are ways to dynamically check for helpers...
yeah that's true but IIRC these are all internal APIs that libbpf doesn't expose to userspace :thinking:
Right now I will keep this check on the minimum required kernel version, in the next step we can try to probe some kernel features with libbpf, the only pain point is that some API that libbpf uses to probe specific features are not exposed to the user so we have to find some workaround :)
/unhold