
Add resolvePath to matchBinaries

Open kevsecurity opened this issue 8 months ago • 2 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Is your feature request related to a problem?

When writing policies that match on binaries, we need to refer to the absolute path of the binary (that returned by realpath) rather than a handy symlink. This approach ensures there is no ambiguity regarding which binary the policy refers to. However, this requires users to run realpath on any binaries they would like to match on, and use those paths in the policy.

Describe the feature you would like

We could add a 'resolvePath: true' parameter to matchBinaries paths (probably once per matchBinaries section rather than once per path). This would indicate to Tetragon that the paths might be symlinked and it should resolve them at the point of loading the policy. The default action would still be to expect an absolute path, but this would allow a user to override that if they were confident that resolving the paths is sensible and beneficial.

Describe your proposed solution

Add 'resolvePath: true' or similar to the matchBinaries section. If set, call realpath on all values in the section.

Code of Conduct

  • [x] I agree to follow this project's Code of Conduct

kevsecurity avatar Apr 03 '25 13:04 kevsecurity

If the monitored process is under the same rootfs as tetragon, then I can see how this would work. I'm not, however, clear on how this is expected to work for pods/containers, or other things executing under a different rootfs than tetragon.

kkourt avatar Apr 03 '25 13:04 kkourt

If the monitored process is under the same rootfs as tetragon, then I can see how this would work. I'm not, however, clear on how this is expected to work for pods/containers, or other things executing under a different rootfs than tetragon.

It's a good question. I suspect we could prepend paths with container/pod/ds/something, or provide a link to a filesystem as a root from where to resolve?

I feel that workloads in containers/pods have much more simple filesystems than host machines, so maybe this would only be useful at the host level?

kevsecurity avatar Apr 03 '25 13:04 kevsecurity
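The resolution step proposed in the issue body ("if set, call realpath on all values in the section") and the rootfs question raised in the comments, worked through as an added Go example. This is not Tetragon's code and the `resolvePath` knob it models is the hypothetical one from the issue, not an existing policy field. The function names (ResolveMatchBinaries, ResolveUnderRoot, BuildDemoRootfs) are mine, and the miniature rootfs is constructed so the example runs offline. The point it makes beyond the text: a plain realpath on the host would follow a container's absolute symlink (say /usr/local/bin/python -> /usr/bin/python3) into the host's /usr, so resolving under a different rootfs means re-basing absolute link targets onto that root and refusing to let ".." climb above it.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ResolveMatchBinaries is what a loader would do with a matchBinaries section
// when the proposed resolvePath knob (hypothetical, not a Tetragon field) is
// set: every value is resolved under root, the filesystem the workload sees
// ("/" for host processes, the container rootfs for a pod). An unresolvable
// value fails the load instead of silently matching nothing.
func ResolveMatchBinaries(root string, values []string) ([]string, error) {
	out := make([]string, 0, len(values))
	for _, v := range values {
		r, err := ResolveUnderRoot(root, v)
		if err != nil {
			return nil, fmt.Errorf("matchBinaries value %q: %w", v, err)
		}
		out = append(out, r)
	}
	return out, nil
}

const maxLinks = 40 // bound link chains so a symlink loop cannot hang loading

// ResolveUnderRoot resolves every symlink in path as a process whose "/" is
// root would: absolute link targets are re-based onto root and ".." can never
// climb above it. The result is the path as seen from inside root.
func ResolveUnderRoot(root, path string) (string, error) {
	if !filepath.IsAbs(path) {
		return "", fmt.Errorf("path must be absolute: %q", path)
	}
	resolved := "/"
	remaining := strings.Split(filepath.Clean(path), "/")[1:]
	links := 0
	for len(remaining) > 0 {
		comp := remaining[0]
		remaining = remaining[1:]
		switch comp {
		case "", ".":
			continue
		case "..":
			resolved = filepath.Dir(resolved) // Dir("/") == "/": no escape
			continue
		}
		candidate := filepath.Join(resolved, comp)
		fi, err := os.Lstat(filepath.Join(root, candidate))
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			resolved = candidate
			continue
		}
		links++
		if links > maxLinks {
			return "", fmt.Errorf("too many levels of symbolic links")
		}
		target, err := os.Readlink(filepath.Join(root, candidate))
		if err != nil {
			return "", err
		}
		parts := strings.Split(filepath.Clean(target), "/")
		if filepath.IsAbs(target) {
			resolved, parts = "/", parts[1:] // restart from root, not the host "/"
		}
		remaining = append(parts, remaining...) // relative: continue from link's dir
	}
	return resolved, nil
}

// BuildDemoRootfs fills dir with a constructed miniature rootfs (not a real
// image): one real file, usr/bin/python3.11, plus symlinks that exercise
// relative, absolute, "..-escaping" and looping targets.
func BuildDemoRootfs(dir string) error {
	for _, d := range []string{"usr/bin", "usr/local/bin"} {
		if err := os.MkdirAll(filepath.Join(dir, d), 0o755); err != nil {
			return err
		}
	}
	if err := os.WriteFile(filepath.Join(dir, "usr/bin/python3.11"), []byte("x\n"), 0o755); err != nil {
		return err
	}
	links := map[string]string{
		"usr/bin/python3":      "python3.11",                 // relative
		"bin":                  "usr/bin",                    // relative, to a directory
		"usr/local/bin/python": "/usr/bin/python3",           // absolute, must stay inside root
		"escape":               "../../../usr/bin/python3.11", // more ".." than depth
		"loop":                 "loop",                       // self-referential
	}
	for name, target := range links {
		if err := os.Symlink(target, filepath.Join(dir, name)); err != nil {
			return err
		}
	}
	return nil
}
```

With the demo rootfs as root, "/bin/python3", "/usr/local/bin/python" and "/escape" all resolve to "/usr/bin/python3.11", "/loop" fails with a link-depth error, and a missing binary fails the load. For host processes root is simply "/"; how a loader obtains the right root for a pod is exactly the open question in the thread, and this example only shows that once it has one, resolution can be done without ever following a link out of it.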