Andrey Fedotov

Results 25 comments of Andrey Fedotov

I have problems building the Docker image: `configure: error: Missing libpcap(-dev) library required to compile the example application.` Could you check the build?

@jrfastab, please, have a look. I think the PR is ready.

@tixxdz, please, have a look. I think the PR is ready :).

Hi :wave:, @kkourt! If you have time, please, have a look. I'll be happy to have some discussion on implementation details.

LGTM! We are still able to filter by file path before collecting a hash in your approach, right? In other words, I mean not to call ima bpf-helpers if filtering is...

> I think it should be possible to collect the hash _after_ the filtering, but it's more tricky. In that case, collecting the hash in the action makes more sense...

We already have https://github.com/cilium/tetragon/pull/2566 merged, so I can start implementing IMA FIM :rocket:! I came to the conclusion that Action for IMA Hash is better at the end and it...

> Another question is where to store an ima_hash? I think we can use a separate map BPF_MAP_TYPE_HASH for passing hashes to user space. The key can be u64 value...

> The usual way of passing arguments to userspace is to store them in `->args` of msg_generic_kprobe
>
> > I think we can use a separate map BPF_MAP_TYPE_HASH for...

> > I suppose it is possible to put hashes in `->args` at Action phase? Maybe it is better to use `->args`, as you suggest.
>
> That's a good...