From 376480d55d83333e98365cb16b0095b5aee3e8e4 Mon Sep 17 00:00:00 2001
From: Russell Bryant
Date: Fri, 23 Aug 2024 16:18:35 -0400
Subject: [PATCH] verify.sh: Handle when bpf_verride_return is unavailable

While taking a look at tetragon, I tried running verify.sh and observed bpf_enforce and bpf_generic_kprobe* all fail because bpf_override_return is not available. I also observed that this seems be handled conditionally in tetragon via the pkg.bpf.HasOverrideHelper() function. This change updates verify.sh to check for bpf_override_return before trying to load these programs. If it's not present, it will be skipped cleanly since it's not expected to work. A cleaner solution is to reuse the same check from the Go code. Rewriting this script in Go is tracked in issue #229.

Signed-off-by: Russell Bryant
---
 contrib/verify/verify.sh | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/contrib/verify/verify.sh b/contrib/verify/verify.sh
index 8f972b81ca1..b87be0556ee 100755
--- a/contrib/verify/verify.sh
+++ b/contrib/verify/verify.sh
@@ -8,6 +8,7 @@ shopt -s nullglob
 RED="\033[31m"
 BLUEUNDER="\033[34;4m"
 GREEN="\033[32m"
+YELLOW="\033[33m"
 NOCOLOR="\033[0m"
 TETRAGONDIR=/var/lib/tetragon
 DEBUG=0
@@ -83,6 +84,14 @@ for obj in "$TETRAGONDIR"/*.o; do
 continue
 fi
+ # Check if bpf_override_return is available
+ if [[ "$B" == bpf_generic_kprobe* || "$B" == bpf_enforcer* ]]; then
+ if ! bpftool feature probe | grep -q "bpf_override_return"; then
+ echo -e "${YELLOW}bpf_override_return not available, skipping $B ...${NOCOLOR}\n"
+ continue
+ fi
+ fi
+
 echo -e -n "Verifying $BLUEUNDER$obj$NOCOLOR... "
 OUT="/tmp/tetragon-verify-$B"
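Review bot: The skip branch in the second hunk treats any failure of `bpftool feature probe` (binary missing, insufficient privileges, non-zero exit) the same as the helper being absent, so every `bpf_generic_kprobe*` and `bpf_enforcer*` object is skipped with only a yellow message and the run can still look clean even though the enforcement programs were never verified. The probe is also re-run for each matching object inside the `for obj` loop, although its result cannot change between iterations. I would probe once before the loop, stop with an error when the probe itself fails, and have the loop test a cached flag; capturing the output first also avoids `grep -q` closing the pipe early, which would matter if the script enables `pipefail` (not visible in this hunk). The loop body starts and ends outside the hunk.

```shell
# before the `for obj` loop: probe once, keep "probe failed" distinct from "helper absent"
if ! PROBE_OUT=$(bpftool feature probe 2>&1); then
	echo -e "${RED}bpftool feature probe failed, cannot decide on bpf_override_return${NOCOLOR}" >&2
	exit 1
fi
HAS_OVERRIDE=0
if grep -q "bpf_override_return" <<<"$PROBE_OUT"; then
	HAS_OVERRIDE=1
fi

# … unchanged: loop header and the earlier skip checks in the loop …
	if [[ "$B" == bpf_generic_kprobe* || "$B" == bpf_enforcer* ]] && (( HAS_OVERRIDE == 0 )); then
		echo -e "${YELLOW}bpf_override_return not available, skipping $B ...${NOCOLOR}\n"
		continue
	fi
```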