[CWS] fix net_ns_offset constant on 4.15 kernels

DataDog · Mar 28, 2022 · df3c12e · df3c12e
1 parent c76453a
commit df3c12e
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 4 deletions.
diff --git a/pkg/security/ebpf/kernel/kernel.go b/pkg/security/ebpf/kernel/kernel.go
@@ -140,9 +140,17 @@ func NewKernelVersion() (*Version, error) {
 	return nil, errors.New("failed to detect operating system version")
 }
 
-// IsUbuntu returns whether the kernel is an ubuntu kernel
-func (k *Version) IsUbuntu() bool {
-	return k.OsRelease["ID"] == "ubuntu"
+// UbuntuKernelVersion returns a parsed ubuntu kernel version or nil if not on ubuntu or if parsing failed
+func (k *Version) UbuntuKernelVersion() *kernel.UbuntuKernelVersion {
+	if k.OsRelease["ID"] != "ubuntu" {
+		return nil
+	}
+
+	ukv, err := kernel.NewUbuntuKernelVersion(k.UnameRelease)
+	if err != nil {
+		return nil
+	}
+	return ukv
 }
 
 // IsRH7Kernel returns whether the kernel is a rh7 kernel

diff --git a/pkg/security/probe/constantfetch/fallback.go b/pkg/security/probe/constantfetch/fallback.go
@@ -523,8 +523,35 @@ func getNetDeviceIfindexOffset(kv *kernel.Version) uint64 {
 }
 
 func getNetNSOffset(kv *kernel.Version) uint64 {
+
+	// see https://ubunlog.com/en/bionic-beavers-y-xenial-xeruses-volved-a-actualizar-vuestro-kernel-al-arreglarlo-canonical-introdujo-una-regresion/
+	patchAbiMinVersion := map[string]int{
+		"generic":      62,
+		"generic-lpae": 62,
+		"lowlatency":   62,
+		"oracle":       1023,
+		"gke":          1042,
+		"kvm":          1044,
+		"raspi2":       1045,
+		"aws":          1048,
+	}
+
+	ubuntu415check := func(kv *kernel.Version) bool {
+		ukv := kv.UbuntuKernelVersion()
+		if ukv == nil {
+			return false
+		}
+
+		minAbi, present := patchAbiMinVersion[ukv.Flavor]
+		if !present {
+			return false
+		}
+
+		return ukv.Abi >= minAbi
+	}
+
 	switch {
-	case kv.IsUbuntu() && kv.IsInRangeCloseOpen(kernel.Kernel4_15, kernel.Kernel4_16):
+	case kv.IsInRangeCloseOpen(kernel.Kernel4_15, kernel.Kernel4_16) && ubuntu415check(kv):
 		fallthrough
 	// Commit 355b98553789b646ed97ad801a619ff898471b92 introduces a hashmix field for security
 	// purposes. This commit was cherry-picked in stable releases 4.9.168, 4.14.111, 4.19.34 and 5.0.7