
Commit 50f9bb2

fix(ebpf): keep optional lsm programs non-fatal
1 parent 8983ca2 commit 50f9bb2

3 files changed

Lines changed: 35 additions & 1 deletion


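--- a/agent/src/ebpf/test/test_ai_agent_source_contracts.py
+++ b/agent/src/ebpf/test/test_ai_agent_source_contracts.py
@@ -149,5 +149,15 @@ def read_source(path: Path) -> str:
 "lsm_programs_handle" in tracer_c_text,
 "tracer.c must include LSM programs in the attach lifecycle",
 )
+require(
+"new_prog->type == BPF_PROG_TYPE_LSM" in load_text
+and "Skip optional BPF LSM program" in load_text,
+"load.c must keep unsupported BPF LSM programs non-fatal",
+)
+require(
+"p->prog->prog_fd < 0" in tracer_c_text
+and "skip unloaded lsm program" in tracer_c_text,
+"tracer.c must skip unloaded optional LSM programs during attach",
+)
 
 print("[OK]")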
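Review bot: The two added `require(...)` checks only prove that certain substrings, including the warning texts `Skip optional BPF LSM program` and `skip unloaded lsm program`, appear somewhere in load.c and tracer.c. They do not show that the LSM check sits on the load-failure path or that attach returns early, so rewording a log message fails the contract while moving or weakening the guard does not. I would add a comment above them, `# Source-text contract only: does not exercise the LSM load/attach fallback at runtime.`, and cover the fallback with a behavioural test where the harness allows it.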

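--- a/agent/src/ebpf/user/load.c
+++ b/agent/src/ebpf/user/load.c
@@ -988,6 +988,19 @@ static int load_obj__progs(struct ebpf_object *obj)
 new_prog->insns_cnt, BPF_MAXINSNS);
 }
 
+/*
+* BPF LSM is an optional enforcement mechanism. Kernels
+* without CONFIG_BPF_LSM or an active bpf LSM can reject
+* the program before attach, so keep the rest of the
+* socket tracer available and let userspace fall back.
+*/
+if (new_prog->type == BPF_PROG_TYPE_LSM) {
+ebpf_warning
+("Skip optional BPF LSM program '%s'; enforcement disabled for this hook.\n",
+new_prog->name);
+continue;
+}
+
 if (memcmp(desc->name, "uprobe/", 7) &&
 memcmp(desc->name, "uretprobe/", 10)) {
 return ETR_INVAL;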
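Review bot: The new `if (new_prog->type == BPF_PROG_TYPE_LSM)` branch fails open for every cause of failure, not only a kernel without CONFIG_BPF_LSM. Assuming it sits inside the load-failure branch (the enclosing condition starts above the hunk), a verifier rejection or a permission error on an LSM program is also reduced to a warning and a `continue`. Because this hook is an enforcement control, the skip should be limited to the error that signals missing LSM support, or the warning should at least carry the load error so operators can tell the cases apart and alert on it. At minimum the comment should state the trade-off, e.g. `/* Fail-open: any load error on an LSM program disables enforcement for this hook. */`. What "let userspace fall back" does is not visible here, so the fallback should be confirmed to exist for each skipped hook.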

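--- a/agent/src/ebpf/user/tracer.c
+++ b/agent/src/ebpf/user/tracer.c
@@ -1143,8 +1143,19 @@ static int lsm_attach(struct lsm_prog *p)
 return ETR_EXIST;
 }
 
-if (p->prog->prog_fd == 0)
+if (p->prog->prog_fd < 0) {
+ebpf_warning("skip unloaded lsm program, name:%s.\n", p->name);
+return ETR_INVAL;
+}
+
+if (p->prog->prog_fd == 0) {
 p->prog->prog_fd = load_ebpf_prog(p->prog);
+if (p->prog->prog_fd < 0) {
+ebpf_warning("load lsm program failed, name:%s.\n",
+p->name);
+return ETR_INVAL;
+}
+}
 
 struct ebpf_link *bl = program__attach_lsm(p->prog);
 p->link = bl;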
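Review bot: Both new failure paths in `lsm_attach` return `ETR_INVAL`, so a caller cannot tell an optional program that was skipped at load time from a genuine attach error. Whether the caller treats this code as non-fatal is outside the hunk and should be checked against the commit's stated intent. A failed `load_ebpf_prog()` also leaves `prog_fd` negative, so every later call takes the `skip unloaded lsm program` path and never retries; if that is intended, say so with `/* prog_fd < 0: load was attempted and failed; do not retry, hook stays unenforced. */`. The `prog_fd == 0` test still treats descriptor 0 as "not loaded" although 0 is a valid fd value. The function body continues past the hunk, where the result of `program__attach_lsm()` is stored in `p->link`.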
