tetragon icon indicating copy to clipboard operation
tetragon copied to clipboard
verified publisher icon cilium

How tetragon syscall blocking works?

Open systracing2 opened this issue 3 years ago • 1 comments

For syscall blocking, I found that tetragon will issue a sigkill signall to kill the process: https://github.com/cilium/tetragon/blob/dffe621004290a9530886e43592fd45a8214352b/bpf/process/types/basic.h#L1034 I wonder if tetragon also support other ways to block the syscall instead of "killing the process". Can tetragon return a "-1" for malicious syscall?

systracing2 avatar Sep 17 '22 06:09 systracing2

Yes. see: https://github.com/cilium/tetragon/blob/main/crds/examples/hardlink-override.yaml.

Note also that there was a PR merged right now which allows to use the above from a CRD (https://github.com/cilium/tetragon/pull/424).

kkourt avatar Sep 21 '22 06:09 kkourt