exein-io / pulsar

A modular and blazing fast runtime security tool for the IoT, powered by eBPF.
https://pulsar.sh

strncmp implementation for old kernels #260

Closed banditopazzo closed 6 months ago

banditopazzo commented 6 months ago

This PR should fix #259 by providing an alternative implementation for kernel < 5.17.

banditopazzo commented 6 months ago

@vadorovsky right now the check is made on kernel version, do you think we should use bpf_core_enum_value_exists on enum bpf_func_id looking for BPF_FUNC_strncmp? same thing for our LOOP macro

Do you know if this method is reliable?

vadorovsky commented 6 months ago

> @vadorovsky right now the check is made on kernel version, do you think we should use bpf_core_enum_value_exists on enum bpf_func_id looking for BPF_FUNC_strncmp? same thing for our LOOP macro
>
> Do you know if this method is reliable?

I like the idea!

Yes, I think it should be reliable. The bpf_core_* helpers mostly rely on compiler intrinsics, and the enum-related ones have been there since 2020 and kernel 5.10:

https://github.com/torvalds/linux/commit/eacaaed784e2c9da69dea3030c81062c1fd66a3
https://lore.kernel.org/bpf/20200819194519.3375898-1-andriin@fb.com/

The patchset doesn't seem to touch kernel-space at all; it's just libbpf.
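The helper-probing approach discussed above, as an added example that is not code from this PR or from pulsar: it gates the `bpf_strncmp()` helper behind `bpf_core_enum_value_exists(enum bpf_func_id, BPF_FUNC_strncmp)` and otherwise falls back to a verifier-friendly bounded loop. The `vmlinux.h` include, the `COMPAT_INLINE`/`HAVE_BPF_STRNCMP` macros and the `STRNCMP_MAX` bound are my assumptions; under a host compiler the CO-RE parts are stubbed out so the fallback path can be exercised directly.

```c
#ifdef __bpf__
#include "vmlinux.h"           /* assumed: generated with bpftool btf dump */
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_core_read.h>
#define COMPAT_INLINE static __always_inline
#define HAVE_BPF_STRNCMP() \
    bpf_core_enum_value_exists(enum bpf_func_id, BPF_FUNC_strncmp)
#else
#define COMPAT_INLINE static inline      /* host build: CO-RE stubbed out */
#define HAVE_BPF_STRNCMP() 0             /* host build: always use the fallback */
#endif

/* Upper bound on the loop so the verifier can prove termination
 * (bounded loops are accepted since kernel 5.3; older kernels need unrolling). */
#define STRNCMP_MAX 256

/* Fallback for kernels without BPF_FUNC_strncmp. Same argument order as
 * bpf_strncmp(): compare at most s1_sz bytes of s1 against NUL-terminated s2.
 * Returns <0, 0 or >0 like libc strncmp(). */
COMPAT_INLINE int portable_strncmp(const char *s1, unsigned int s1_sz, const char *s2)
{
    if (s1_sz > STRNCMP_MAX)
        s1_sz = STRNCMP_MAX;
    for (unsigned int i = 0; i < STRNCMP_MAX; i++) {
        if (i >= s1_sz)
            return 0;
        unsigned char c1 = (unsigned char)s1[i];
        unsigned char c2 = (unsigned char)s2[i];
        if (c1 != c2)
            return (int)c1 - (int)c2;
        if (c1 == '\0')
            return 0;
    }
    return 0;
}

/* libbpf resolves HAVE_BPF_STRNCMP() to a constant at load time, so on an
 * old kernel the verifier prunes the helper-call branch as dead code and
 * never sees the unknown helper. s2 must be a constant string. */
COMPAT_INLINE int compat_strncmp(const char *s1, unsigned int s1_sz, const char *s2)
{
#ifdef __bpf__
    if (HAVE_BPF_STRNCMP())
        return (int)bpf_strncmp(s1, s1_sz, s2);
#endif
    return portable_strncmp(s1, s1_sz, s2);
}
```

The BPF build needs a `vmlinux.h` generated from a kernel that already has `BPF_FUNC_strncmp` (5.17 or newer), since the enumerator must be known at compile time for the relocation to be emitted; the probe then evaluates correctly on whatever kernel the program is loaded on.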