tetragon

1
apiVersion: cilium.io/v1alpha1
2
kind: TracingPolicy
3
metadata:
4
  name: "syswritefollowfdpsswd"
5
spec:
6
  kprobes:
7
  - call: "fd_install"
8
    syscall: false
9
    args:
10
    - index: 0
11
      type: int
12
    - index: 1
13
      type: "file"
14
    selectors:
15
    - matchArgs:
16
      - index: 1
17
        operator: "Equal"
18
        values:
19
        - "/tmp/test"
20
      matchBinaries:
21
      - operator: "In"
22
        values:
23
        - "/usr/bin/vim"
24
      matchActions:
25
      - action: FollowFD
26
        argFd: 0
27
        argName: 1
28
  - call: "sys_close"
29
    syscall: true
30
    args:
31
    - index: 0
32
      type: "int"
33
    selectors:
34
    - matchActions:
35
      - action: UnfollowFD
36
        argFd: 0
37
        argName: 0
38
  - call: "sys_write"
39
    syscall: true
40
    args:
41
    - index: 0
42
      type: "fd"
43
    - index: 1
44
      type: "char_buf"
45
      sizeArgIndex: 3
46
    - index: 2
47
      type: "size_t"
48
    selectors:
49
    - matchArgs:
50
      - index: 0
51
        operator: "Equal"
52
        values:
53
        - "/tmp/test"
54
      matchBinaries:
55
      - operator: "In"
56
        values:
57
        - "/usr/bin/vim"
58
      matchActions:
59
      - action: Sigkill
60