
allow override on LSM functions if CONFIG_BPF_KPROBE_OVERRIDE is not enabled #4157

@holyspectral

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem?

With #1609, we're able to override security_ LSM functions using BPF_MODIFY_RETURN. However, preValidateKprobes() still blocks a policy that hooks LSM functions with override if the CONFIG_BPF_KPROBE_OVERRIDE compile option is not enabled in the Linux kernel. The error message and the tracing policy are as below.

```
level=warn msg="adding tracing policy failed" error="policy handler 'tracing' failed loading policy 'deploy-ubuntu-deployment': validation failed: error in spec.kprobes[0]: error override action not supported, bpf_override_return helper not available"
```

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
  name: deploy-ubuntu-deployment
spec:
  kprobes:
  - args:
    - index: 0
      type: linux_binprm
    call: security_bprm_creds_for_exec
    selectors:
    - matchActions:
      - action: Override
        argError: -1
    syscall: false
  options:
  - name: disable-kprobe-multi
    value: "1"
  podSelector:
    matchLabels:
      app: ubuntu
```

Describe the feature you would like

The policy should be able to be supported because it relies on fmod_ret instead of CONFIG_BPF_KPROBE_OVERRIDE.

Describe your proposed solution

preValidateKprobes() might be able to be changed, so this kind of policy will be allowed if kprobe override is not available.

Code of Conduct

  • I agree to follow this project's Code of Conduct
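
The validation behaviour requested above, sketched as an added Go example. This is not Tetragon's code: the `Probe` and `Kernel` types, the function names, and the choice to prefer fmod_ret for `security_` hooks when both mechanisms exist are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Probe is a hypothetical, reduced view of one spec.kprobes entry.
type Probe struct {
	Call     string
	Override bool // true when a selector uses action: Override
}

// Kernel holds hypothetical feature-detection results for the running kernel.
type Kernel struct {
	OverrideHelper bool // bpf_override_return (needs CONFIG_BPF_KPROBE_OVERRIDE)
	ModifyReturn   bool // BPF_MODIFY_RETURN (fmod_ret) programs can be attached
}

// overrideMechanism picks how an Override action would be enforced, or
// returns an error when the kernel offers no usable mechanism for this hook.
func overrideMechanism(p Probe, k Kernel) (string, error) {
	if !p.Override {
		return "none", nil
	}
	isLSM := strings.HasPrefix(p.Call, "security_")
	switch {
	case isLSM && k.ModifyReturn:
		return "fmod_ret", nil // assumption: prefer fmod_ret on LSM hooks
	case k.OverrideHelper:
		return "kprobe-override", nil
	case isLSM:
		return "", fmt.Errorf("override action not supported, neither fmod_ret nor bpf_override_return available")
	}
	return "", fmt.Errorf("override action not supported, bpf_override_return helper not available")
}

// validate checks every probe and reports the first failure by its index.
func validate(probes []Probe, k Kernel) error {
	for i, p := range probes {
		if _, err := overrideMechanism(p, k); err != nil {
			return fmt.Errorf("error in spec.kprobes[%d]: %w", i, err)
		}
	}
	return nil
}

func main() {
	// Constructed kernel profile: no CONFIG_BPF_KPROBE_OVERRIDE, fmod_ret present.
	k := Kernel{OverrideHelper: false, ModifyReturn: true}
	fmt.Println(validate([]Probe{{Call: "security_bprm_creds_for_exec", Override: true}}, k))
}
```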
