tetragon

1
# This 'process-creds-installed' Tracing Policy monitors calls to
2
# commit_creds() when installing new credentials on the current task.
3
#
4
# The commit_creds() is a catch all:
5
#  * It is triggered on every execve even if semantically creds did not change
6
#  * When gaining new privileges or capabilities through suid exec or
7
#    system calls.
8
#  * During fork/clone and when changing the user namespace
9
#  * When changing other namespaces and the file system
10
#  * When controlling current process through prctl() system call
11
#  * When installing new process keyring
12
#  * When the kernel executes programs (umh)
13
#  * ...
14
#
15
# It works inside a pid namespace. If you want to monitor all
16
# processes including host ones, remove the matchNamespaces selector.
17
#
18
# Note: it can generate lot of events.
19
#
20

21
apiVersion: cilium.io/v1alpha1
22
kind: TracingPolicy
23
metadata:
24
  name: "process-creds-changed"
25
  #annotations:
26
    #author: "Djalal Harouni"
27
spec:
28
  kprobes:
29
  - call: "commit_creds"
30
    syscall: false
31
    args:
32
    - index: 0  # The new credentials to apply
33
      type: "cred"
34
    selectors:
35
      - matchNamespaces:
36
        - namespace: Pid
37
          operator: NotIn
38
          values:
39
          - "host_ns"
40
        matchActions:
41
        - action: Post
42
          rateLimit: "1m"
43

44