tetragon

1
apiVersion: cilium.io/v1alpha1
2
kind: TracingPolicy
3
metadata:
4
  name: "demo-memfd"
5
spec:
6
  kprobes:
7
# int close(int fd);
8
  - call: "sys_close"
9
    syscall: true
10
    args:
11
    - index: 0
12
      type: "int"
13
    selectors:
14
    - matchPIDs:
15
      - operator: NotIn
16
        followForks: true
17
        isNamespacePID: true
18
        values:
19
        - 0
20
        - 1
21
      matchActions:
22
      - action: UnfollowFD
23
        argFd: 0
24
        argName: 0
25
  # int memfd_create(const char *name, unsigned int flags);
26
  - call: "sys_memfd_create"
27
    syscall: true
28
    args:
29
    - index: 0
30
      type: "string"
31
    - index: 1
32
      type: "int"
33
    selectors:
34
    - matchPIDs:
35
      - operator: NotIn
36
        followForks: true
37
        isNamespacePID: true
38
        values:
39
        - 0
40
        - 1
41
# int execve(const char *pathname, char *const argv[],char *const envp[]);
42
  - call: "sys_execve"
43
    syscall: true
44
    args:
45
    - index: 0
46
      type: "string"
47
    selectors:
48
    - matchPIDs:
49
      - operator: NotIn
50
        followForks: false
51
        isNamespacePID: true
52
        values:
53
        - 0
54
        - 1
55
      matchArgs:
56
      - index: 0
57
        operator: "Prefix"
58
        values:
59
        - "/proc/self/fd/"
60
      matchActions:
61
      - action: Sigkill
62