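# This comment describes a demo of matchNamespaceChanges. We need 2 terminals
# here. The first one will run tetragon and the second will run the commands
# that we want to capture. First step is to replace {{.Pid}} in this file with
# the PID of the bash running on the second terminal.
#
# NOTE: until {{.Pid}} has been substituted this file is a template, not a
# valid YAML document (an unquoted value that starts with "{" is parsed as a
# flow mapping). Do the substitution before handing the file to tetragon or to
# any YAML tooling such as yamllint.
#
# NOTE: the two Mnt namespace inode numbers under matchNamespaces below were
# taken from the host this demo was written on. Namespace inodes are assigned
# by the kernel and differ between hosts, so compare them against
# `readlink /proc/<pid>/ns/mnt` for a process in each namespace on your
# machine and adjust them if the demo produces no sys_write events.
#
# (1) The first scenario is to run a command in a less privileged mount
#     namespace.
#
# Terminal 1:
# $ rm -f events.json
# $ ./tetragon --btf /sys/kernel/btf/vmlinux  --bpf-lib ./bpf/objs/ --export-filename events.json --enable-process-ns --tracing-policy examples/tracingpolicy/match_namespace_changes.yaml
# $ # <wait for events>
# $ # kill tetragon
# $ grep kprobe events.json | grep \"__x64_sys_write\" | grep strange | jq . # get the write kprobe events
#
# Terminal 2:
# $ sudo unshare --mount python3 -c "with open('./strange.txt', 'w') as f: f.write('testdata')"
#
# We will see a single kprobe event running in the new mnt namespace. The
# reason we see that is that we start from the mnt host namespace and we
# run this command to another mnt namespace.
#
# (2) The second scenario is to run a command in a more privileged mount
#     namespace (i.e. the host mnt namespace).
#
# Terminal 1:
# $ rm -f events.json
# $ ./tetragon --btf /sys/kernel/btf/vmlinux  --bpf-lib ./bpf/objs/ --export-filename events.json --enable-process-ns --tracing-policy examples/tracingpolicy/match_namespace_changes.yaml
# $ # <wait for events>
# $ # kill tetragon
# $ grep kprobe events.json | grep \"__x64_sys_write\" | grep strange | jq . # get the write kprobe events
#
# Terminal 2:
# $ sudo unshare --mount # move out from host mnt namespace
# $ nsenter --target 1 --mount python3 -c "with open('./strange.txt', 'w') as f: f.write('testdata')" # execute a write in the host mnt namespace
#
# We will see a single kprobe event running in the host mnt namespace (while
# we are in a non-host namespace). The reason we see that is that we start
# from a non-host mnt namespace.
#
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "fd-install"
spec:
  kprobes:
  # Hook fd_install to learn which fd number the traced process associates
  # with strange.txt. The FollowFD action records the fd (arg 0) -> file
  # (arg 1) mapping so that the sys_write kprobe below can match on the file
  # name even though write(2) only receives the fd.
  - call: "fd_install"
    syscall: false
    return: false
    args:
    - index: 0
      type: int
    - index: 1
      type: "file"
    selectors:
    - matchPIDs:
      - operator: In
        followForks: true
        isNamespacePID: false
        values:
        - {{.Pid}}
      matchArgs:
      - index: 1
        operator: "Postfix"
        values:
        - "strange.txt"
      matchActions:
      - action: FollowFD
        argFd: 0
        argName: 1
  # Report write(2) calls on a followed fd ending in strange.txt. All filters
  # inside a single selector must match, so an event is emitted only when the
  # writer is in the traced PID tree, is in one of the listed Mnt namespaces,
  # and is in a different Mnt namespace from the one it started in (that last
  # condition is what matchNamespaceChanges adds).
  - call: "sys_write"
    syscall: true
    args:
    - index: 0
      type: "fd"
    - index: 1
      type: "char_buf"
      returnCopy: true
    - index: 2
      type: "size_t"
    selectors:
    - matchPIDs:
      - operator: In
        followForks: true
        isNamespacePID: false
        values:
        - {{.Pid}}
      # Host-specific inode numbers; presumably one is the host Mnt namespace
      # and the other the namespace created by `unshare --mount` on the demo
      # host. Verify against your own host before relying on the demo output.
      matchNamespaces:
      - namespace: Mnt
        operator: In
        values:
        - "4026532288"
        - "4026531840"
      matchNamespaceChanges:
      - operator: In
        values:
        - "Mnt"
      matchArgs:
      - index: 0
        operator: "Postfix"
        values:
        - "strange.txt"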

Использование cookies

Мы используем файлы cookie в соответствии с Политикой конфиденциальности и Политикой использования cookies.

Нажимая кнопку «Принимаю», Вы даете АО «СберТех» согласие на обработку Ваших персональных данных в целях совершенствования нашего веб-сайта и Сервиса GitVerse, а также повышения удобства их использования.

Запретить использование cookies Вы можете самостоятельно в настройках Вашего браузера.