# This comment describes a demo of matchNamespaceChanges. We need 2 terminals
# here. The first one will run tetragon and the second will run the commands
# that we want to capture. The first step is to replace {{.Pid}} in this file
# with the PID of the bash running on the second terminal.
#
# (1) The first scenario is to run a command in a less privileged mount
# namespace.
#
# Terminal 1:
# $ rm -f events.json
# $ ./tetragon --btf /sys/kernel/btf/vmlinux --bpf-lib ./bpf/objs/ --export-filename events.json --enable-process-ns --tracing-policy examples/tracingpolicy/match_namespace_changes.yaml
# $ # <wait for events>
# $ # kill tetragon
# $ grep kprobe events.json | grep \"__x64_sys_write\" | grep strange | jq . # get the write kprobe events
#
# Terminal 2:
# $ sudo unshare --mount python3 -c "with open('./strange.txt', 'w') as f: f.write('testdata')"
#
# We will see a single kprobe event running in the new mnt namespace. The
# reason we see that is that we start from the host mnt namespace and we
# run this command in another mnt namespace.
#
# (2) The second scenario is to run a command in a more privileged mount
# namespace (i.e. the host mnt namespace).
#
# Terminal 1:
# $ rm -f events.json
# $ ./tetragon --btf /sys/kernel/btf/vmlinux --bpf-lib ./bpf/objs/ --export-filename events.json --enable-process-ns --tracing-policy examples/tracingpolicy/match_namespace_changes.yaml
# $ # <wait for events>
# $ # kill tetragon
# $ grep kprobe events.json | grep \"__x64_sys_write\" | grep strange | jq . # get the write kprobe events
#
# Terminal 2:
# $ sudo unshare --mount # move out from host mnt namespace
# $ nsenter --target 1 --mount python3 -c "with open('./strange.txt', 'w') as f: f.write('testdata')" # execute a write in the host mnt namespace
#
# We will see a single kprobe event running in the host mnt namespace (while
# we are in a non-host namespace). The reason we see that is that we start
# from a non-host mnt namespace.
#
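# TracingPolicy for the matchNamespaceChanges demo described above.
# Two kprobes cooperate: fd_install records which fd refers to
# "strange.txt" (FollowFD), and sys_write is then matched on that fd,
# filtered by the caller's mount namespace and by whether that namespace
# has changed since the process started.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "fd-install"
spec:
  kprobes:
  # Hook fd_install to learn the file name behind each fd installed by the
  # traced process. It is a kernel function, not a syscall, and no return
  # probe is needed; its only job here is to feed the FollowFD action.
  - call: "fd_install"
    syscall: false
    return: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    # Restrict to the demo shell's process tree so the policy does not
    # observe unrelated processes on the host.
    - matchPIDs:
      - operator: "In"
        followForks: true
        # Host PIDs, not PIDs as seen from inside a PID namespace.
        isNamespacePID: false
        values:
        # Template placeholder: substitute the PID of the bash in terminal 2
        # before loading. Deliberately unquoted, because the substituted
        # value is an integer PID; the file is not valid YAML until then.
        - {{.Pid}}
      matchArgs:
      - index: 1
        operator: "Postfix"
        values:
        - "strange.txt"
      matchActions:
      # Associate the installed fd (arg 0) with its file name (arg 1) so
      # that fd-typed arguments in later hooks can be matched by name.
      - action: "FollowFD"
        argFd: 0
        argName: 1
  # Capture write(2) on the followed fd, but only from the traced PID tree,
  # only in the listed mount namespaces, and only when the caller's mount
  # namespace differs from the one it started in.
  - call: "sys_write"
    syscall: true
    args:
    - index: 0
      type: "fd"
    - index: 1
      type: "char_buf"
      # Copy the buffer argument when the call returns rather than on entry.
      returnCopy: true
    - index: 2
      type: "size_t"
    selectors:
    - matchPIDs:
      - operator: "In"
        followForks: true
        isNamespacePID: false
        values:
        - {{.Pid}}
      matchNamespaces:
      - namespace: "Mnt"
        operator: "In"
        # Mount-namespace inode numbers, quoted so YAML keeps them as
        # strings. They are host-specific: 4026531840 is the fixed inode of
        # the initial (host) mount namespace on Linux, while 4026532288 was
        # the unshared namespace on the demo machine and must be adjusted
        # for other hosts (e.g. `readlink /proc/<pid>/ns/mnt`).
        values:
        - "4026532288"
        - "4026531840"
      # Per the scenarios above: fire only when the caller's Mnt namespace
      # differs from the one the process started in.
      matchNamespaceChanges:
      - operator: "In"
        values:
        - "Mnt"
      # The fd argument resolves to a file name through FollowFD above.
      matchArgs:
      - index: 0
        operator: "Postfix"
        values:
        - "strange.txt"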