tracing: CapabilitiesGained requires large progs

Set the CapabilitiesGained operator to only work when large progrs are
supported in the kernel, since loading the generic program fails in
4.19.

Signed-off-by: Kornilios Kourtis <[email protected]>

Author: kkourt

bpf/process/types/basic.h

@@ -1659,6 +1659,7 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx,
 		case cap_prm_ty:
 		case cap_eff_ty:
 		case kernel_cap_ty:
+#ifdef __LARGE_BPF_PROG
 			if (filter->op == op_capabilities_gained) {
 				__u64 cap_old = *(__u64 *)args;
 				__u32 index2 = *((__u32 *)&filter->value);
@@ -1667,6 +1668,7 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx,
 				break;
 			}
 			/* falltrough */
+#endif
 		case syscall64_type:
 		case s64_ty:
 		case u64_ty:

pkg/selectors/kernel.go

@@ -755,9 +755,13 @@ func writePostfixStrings(k *KernelSelectorState, values []string, ty uint32) err
 
 func checkOp(op uint32) error {
 	switch op {
-	case SelectorOpGT, SelectorOpLT:
+	case SelectorOpGT, SelectorOpLT, SelectorOpCapabilitiesGained:
 		if !config.EnableLargeProgs() {
-			return errors.New("GT/LT operators are only supported in kernels >= 5.3")
+			opName := selectorOpStringTable[op]
+			return fmt.Errorf(
+				"operator %d (%s) is only supported in kernels supporting large programs (normally versions >= 5.3)",
+				op, opName,
+			)
 		}
 	}
 	return nil

pkg/sensors/tracing/kprobe_test.go

@@ -6825,6 +6825,10 @@ func TestCapabilitiesGained(t *testing.T) {
 
 	testCapabilitiesGained := testutils.RepoRootPath("contrib/tester-progs/capabilities-gained")
 
+	if !config.EnableLargeProgs() {
+		t.Skip("CapabilitiesGained is not supported in kernels without large program support")
+	}
+
 	spec := &v1alpha1.TracingPolicySpec{
 		KProbes: []v1alpha1.KProbeSpec{{
 			// int security_capset(struct cred *new, const struct cred *old,