Policies that use the same symbols do not currently work. Here's an example:
When using multi-kprobes, using this policy leads to the following error:
level=fatal msg="Failed to start tetragon" error="failed to get sensors from parser policy: sensor generic_kprobe from collection auditd-policy failed to load: failed prog /home/kkourt/src/hubble-fgs/bpf/objs/bpf_multi_kprobe_v61.o kern_version 394509 loadInstance: attaching 'generic_kprobe_event' failed: couldn't find one or more symbols: file does not exist"
Disabling multi-kprobes, only part of the policy is applied (typically the one that is defined last). The reason for this seems to be that when using the new bpffs hierarchy (https://github.com/cilium/tetragon/pull/2128), the two calls will end up in the same directory, using the same maps.
Note that in 1.2 this works as expected, because we use different maps for each different hook. e.g.,