[2.0] Backport #1660 and #1664

bpf/tc_sock.h

@@ -260,11 +260,10 @@ int beyla_packet_extender(struct sk_msg_md *msg) {
 
     // TODO: execute the protocol handlers here with tail calls, don't
     // rely on tcp_sendmsg to do it and record these message buffers.
-    if (!tracked) {
-        // If we didn't have metadata (sock_msg runs before the kprobe),
-        // we ensure to mark it for any packet we want to extend.
-        tracked = protocol_detector(msg, id, &conn);
-    }
+
+    // We must run the protocol detector always, the outgoing trace map
+    // might be setup for TCP traffic for L4 propagation.
+    tracked = protocol_detector(msg, id, &conn);
 
     u64 len = (u64)msg->data_end - (u64)msg->data;
     if (tracked && len > MIN_HTTP_SIZE) {

pkg/internal/ebpf/common/common_darwin.go

@@ -7,3 +7,11 @@ func KernelVersion() (major, minor int) {
 func hasCapSysAdmin() bool {
 	return false
 }
+
+func HasHostPidAccess() bool {
+	return false
+}
+
+func HasHostNetworkAccess() (bool, error) {
+	return false, nil
+}

pkg/internal/ebpf/common/common_linux.go

@@ -1,6 +1,8 @@
 package ebpfcommon
 
 import (
+	"fmt"
+	"os"
 	"syscall"
 
 	"github.com/cilium/ebpf/link"
@@ -58,3 +60,44 @@ func hasCapSysAdmin() bool {
 	caps, err := helpers.GetCurrentProcCapabilities()
 	return err == nil && caps.Has(unix.CAP_SYS_ADMIN)
 }
+
+func findNetworkNamespace(pid int32) (string, error) {
+	netPath := fmt.Sprintf("/proc/%d/ns/net", pid)
+	f, err := os.Open(netPath)
+
+	if err != nil {
+		return "", fmt.Errorf("failed to open(/proc/%d/ns/net): %w", pid, err)
+	}
+
+	defer f.Close()
+
+	// read the value of the symbolic link
+	buf := make([]byte, syscall.PathMax)
+	n, err := syscall.Readlink(netPath, buf)
+	if err != nil {
+		return "", fmt.Errorf("failed to read symlink(/proc/%d/ns/net): %w", pid, err)
+	}
+
+	return string(buf[:n]), nil
+}
+
+func HasHostPidAccess() bool {
+	return os.Getpid() != 1
+}
+
+func HasHostNetworkAccess() (bool, error) {
+	// Get the network namespace of the current process
+	containerNS, err := findNetworkNamespace(int32(os.Getpid()))
+	if err != nil {
+		return false, err
+	}
+
+	// Get the network namespace of the host process (PID 1)
+	hostNS, err := findNetworkNamespace(1)
+	if err != nil {
+		return false, err
+	}
+
+	// Compare the network namespaces
+	return containerNS == hostNS, nil
+}

pkg/internal/ebpf/tctracer/tctracer.go

@@ -4,6 +4,7 @@ package tctracer
 
 import (
 	"context"
+	"fmt"
 	"io"
 	"log/slog"
 	"unsafe"
@@ -45,6 +46,20 @@ func (p *Tracer) AllowPID(uint32, uint32, *svc.Attrs) {}
 func (p *Tracer) BlockPID(uint32, uint32) {}
 
 func (p *Tracer) Load() (*ebpf.CollectionSpec, error) {
+
+	if !ebpfcommon.HasHostPidAccess() {
+		return nil, fmt.Errorf("L4/L7 context-propagation requires host process ID access, e.g. hostPid:true")
+	}
+
+	hostNet, err := ebpfcommon.HasHostNetworkAccess()
+	if err != nil {
+		return nil, fmt.Errorf("failed to check for host network access while enabling L4/L7 context-propagation, error: %w", err)
+	}
+
+	if !hostNet {
+		return nil, fmt.Errorf("L4/L7 context-propagation requires host network access, e.g. hostNetwork:true")
+	}
+
 	if p.cfg.EBPF.BpfDebug {
 		return loadBpf_debug()
 	}