LSM sensor
LSM sensor support allows using LSM BPF programs the same way we use BPF programs for kprobes/tracepoints/uprobes.
TracingPolicy example:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "lsm"
spec:
  lsmhooks:
  - hook: "file_open"
    args:
    - index: 0
      type: "file"
    selectors:
    - matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/cat"
Event example (it still has problems with args printing; I need to solve it):

{
  "process_lsm": {
    "process": {
      "exec_id": "dXNlci1uaXg6MTk5MzE1NDk0NTk3MzM6MzIwMTA4",
      "pid": 320108,
      "uid": 1000,
      "cwd": "/home/user/go/src/github.com/cilium/tetragon",
      "binary": "/usr/bin/cat",
      "arguments": "/etc/passwd",
      "flags": "execve clone",
      "start_time": "2024-06-15T18:03:29.742161520Z",
      "auid": 1000,
      "parent_exec_id": "dXNlci1uaXg6ODg1NjMwMDAwMDAwMDoxNDc4MTI=",
      "refcnt": 1,
      "tid": 320108,
      "user": {
        "name": "user"
      }
    },
    "parent": {
      "exec_id": "dXNlci1uaXg6ODg1NjMwMDAwMDAwMDoxNDc4MTI=",
      "pid": 147812,
      "uid": 1000,
      "cwd": "/home/user/go/src/github.com/cilium/tetragon",
      "binary": "/usr/bin/zsh",
      "flags": "procFS auid",
      "start_time": "2024-06-15T14:37:33.597296165Z",
      "auid": 1000,
      "parent_exec_id": "dXNlci1uaXg6MTM1ODA0MDAwMDAwMDozMTQ2",
      "tid": 147812
    },
    "function_name": "file_open",
    "policy_name": "lsm",
    "args": [
      {
        "file_arg": {
          "path": "/etc/passwd",
          "permission": "-rw-r--r--"
        }
      }
    ],
    "action": "KPROBE_ACTION_POST"
  },
  "node_name": "user-nix",
  "time": "2024-06-15T18:03:29.743030933Z"
}
This is also necessary for #2409.
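A consumer for the event format above, as an added example that is not part of this PR or of Tetragon itself: it reads a line-delimited stream of Tetragon JSON events, keeps only `process_lsm` events, flattens the `process`, `parent` and `file_arg` fields into a triage record, and filters `file_open` events against a hypothetical watchlist of sensitive paths. The sample stream (first line abbreviated from the event above, the rest made up) and the watchlist are constructed.

```python
import json

# Constructed sample of a Tetragon JSON event stream (one event per line): the first
# line is abbreviated from the process_lsm event in the PR above, the others are made up.
SAMPLE_STREAM = """\
{"process_lsm": {"process": {"pid": 320108, "uid": 1000, "binary": "/usr/bin/cat", "arguments": "/etc/passwd"}, "parent": {"pid": 147812, "binary": "/usr/bin/zsh"}, "function_name": "file_open", "policy_name": "lsm", "args": [{"file_arg": {"path": "/etc/passwd", "permission": "-rw-r--r--"}}], "action": "KPROBE_ACTION_POST"}, "node_name": "user-nix", "time": "2024-06-15T18:03:29.743030933Z"}
{"process_exec": {"process": {"pid": 1, "binary": "/sbin/init"}}, "node_name": "user-nix", "time": "2024-06-15T18:03:30Z"}
{"process_lsm": {"process": {"pid": 4242, "uid": 0, "binary": "/usr/bin/cat", "arguments": "/etc/shadow"}, "parent": {"pid": 4000, "binary": "/bin/bash"}, "function_name": "file_open", "policy_name": "lsm", "args": [{"file_arg": {"path": "/etc/shadow", "permission": "-rw-r-----"}}], "action": "KPROBE_ACTION_POST"}, "node_name": "user-nix", "time": "2024-06-15T18:04:00Z"}
"""

# Hypothetical watchlist of paths whose file_open events we want to surface.
WATCHLIST = {"/etc/shadow", "/etc/sudoers"}


def iter_lsm_events(stream):
    """Yield only process_lsm events; other event kinds and bad lines are skipped."""
    for line in stream.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one malformed line must not stop the consumer
        if "process_lsm" in event:
            yield event


def summarize(event):
    """Flatten one process_lsm event into the fields a triage record needs."""
    lsm = event["process_lsm"]
    proc, parent = lsm.get("process", {}), lsm.get("parent", {})
    # args is a list of typed entries; pick the file_arg (the hook's index-0 "file" arg).
    file_arg = next((a["file_arg"] for a in lsm.get("args", []) if "file_arg" in a), {})
    return {
        "time": event.get("time"),
        "hook": lsm.get("function_name"),
        "policy": lsm.get("policy_name"),
        "binary": proc.get("binary"),
        "uid": proc.get("uid"),
        "parent_binary": parent.get("binary"),
        "path": file_arg.get("path"),
        "permission": file_arg.get("permission"),
    }


def watchlist_hits(stream, watchlist=WATCHLIST):
    """Return summaries of file_open events whose target path is on the watchlist."""
    return [s for s in map(summarize, iter_lsm_events(stream))
            if s["hook"] == "file_open" and s["path"] in watchlist]
```

In production the stream would come from `tetra getevents -o json` or the exported JSON log rather than the embedded sample.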