pkg/ebpf: change authentication symbol for kallsyms (#2035)

When reading /proc/kallsyms file, a symbol address is checked to
identify if the file was read correctly.
The "current_task" symbol is not available on ARM, so it had to be
changed to a symbol supported on all architectures.

Author: AlonZivony

pkg/ebpf/initialization/ksymbols.go

@@ -35,9 +35,9 @@ func SendKsymbolsToMap(bpfKsymsMap *libbpfgo.BPFMap, ksymbols map[string]*helper
 
 // ValidateKsymbolsTable check if the addresses in the table are valid by checking a specific symbol address.
 // The reason for the addresses to be invalid is if the capabilities required to read the kallsyms file are not given.
-// The chosen symbol used here is "current_task" because it is used by all supported kernel versions and shouldn't be 0.
+// The chosen symbol used here is "security_file_open" because it is a must-have symbol for tracee to run.
 func ValidateKsymbolsTable(ksyms *helpers.KernelSymbolTable) bool {
-	if sym, err := ksyms.GetSymbolByName(globalSymbolOwner, "current_task"); err != nil || sym.Address == 0 {
+	if sym, err := ksyms.GetSymbolByName(globalSymbolOwner, "security_file_open"); err != nil || sym.Address == 0 {
 		return false
 	}
 	return true