
Multiple selectors don't work

Open Razikus opened this issue 1 year ago • 1 comments

Hello, like in the title:

Multiple selectors don't work for the __x64_sys_write call.

example:

  - call: "__x64_sys_write"
    syscall: true
    args:
    - index: 0
      type: "fd"
    - index: 1
      type: "char_buf"
      sizeArgIndex: 3
    - index: 2
      type: "size_t"
    selectors:
      - matchArgs:
        - index: 0
          operator: "Prefix"
          values:
          - "/etc/"
        matchActions:
        - action: Post
      - matchArgs:
        - index: 0
          operator: "Prefix"
          values:
          - "/var/"
        matchActions:
        - action: Sigkill

As I understood, it should kill all writes to /var and post all writes to /etc.

Razikus, Sep 20 '22 15:09

I have reproduced this and it is indeed an issue. Only the first matchArgs seems to work.

tpapagian, Sep 23 '22 14:09
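A small model of the behaviour discussed in this thread, added here as an example (it is not code from the issue or from Tetragon): it evaluates the two selectors from the policy above against constructed file paths and lists the paths whose expected action is lost when only the first selector takes effect. Assumptions: only the `Prefix` operator is modelled, the first matching selector supplies the actions, the `fd` argument is represented by its path string, and the function names and the `evaluated` parameter are hypothetical.

```python
# Selectors transcribed from the policy in the issue (fd argument at index 0).
SELECTORS = [
    {"matchArgs": [{"index": 0, "operator": "Prefix", "values": ["/etc/"]}],
     "matchActions": ["Post"]},
    {"matchArgs": [{"index": 0, "operator": "Prefix", "values": ["/var/"]}],
     "matchActions": ["Sigkill"]},
]

def selector_matches(selector, args):
    """All matchArgs filters of one selector must hold (only Prefix is modelled)."""
    for f in selector["matchArgs"]:
        if f["operator"] != "Prefix":
            raise ValueError("operator not modelled: " + f["operator"])
        if not any(args[f["index"]].startswith(v) for v in f["values"]):
            return False
    return True

def actions_for(args, selectors):
    """Actions of the first selector that matches (assumption); [] when none matches."""
    for sel in selectors:
        if selector_matches(sel, args):
            return sel["matchActions"]
    return []

def coverage_gaps(paths, selectors, evaluated=1):
    """Paths whose expected actions are lost if only the first `evaluated` selectors apply."""
    gaps = {}
    for p in paths:
        expected = actions_for([p], selectors)
        observed = actions_for([p], selectors[:evaluated])
        if expected != observed:
            gaps[p] = {"expected": expected, "observed": observed}
    return gaps

# Constructed sample paths standing in for the file behind the write() fd.
SAMPLE_PATHS = ["/etc/passwd", "/var/log/app.log", "/tmp/scratch", "/etcetera"]

if __name__ == "__main__":
    for path, diff in coverage_gaps(SAMPLE_PATHS, SELECTORS).items():
        print(path, diff)
```

The `/var/` write is the case to test against a live deployment: when the behaviour reported here is present, it produces neither an event nor a Sigkill, so the enforcement rule is silently inactive.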