tetragon
42 lines · 1.2 KB
# This 'process-creds-installed' Tracing Policy monitors calls to
# commit_creds() when installing new credentials on the current task.
#
# commit_creds() is a catch-all:
# * It is triggered on every execve even if semantically creds did not change
# * When gaining new privileges or capabilities through suid exec or
#   system calls.
# * During fork/clone and when changing the user namespace
# * When changing other namespaces and the file system
# * When controlling the current process through the prctl() system call
# * When installing a new process keyring
# * When the kernel executes programs (umh)
# * ...
#
# It works inside a pid namespace. If you want to monitor all
# processes including host ones, remove the matchNamespaces selector.
#
# Note: it can generate a lot of events.
#

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "process-creds-changed"
  #annotations:
  #  author: "Djalal Harouni"
spec:
  kprobes:
  - call: "commit_creds"
    syscall: false
    args:
    - index: 0  # The new credentials to apply
      type: "cred"
    selectors:
    - matchNamespaces:
      - namespace: Pid
        operator: NotIn
        values:
        - "host_ns"
      matchActions:
      - action: Post
        rateLimit: "1m"
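Because commit_creds() fires on every execve, the raw event stream from this policy is mostly noise; the interesting events are the ones where a task that was not root installs credentials with uid or euid 0. The following added example (not part of the Tetragon repository) filters JSON event lines for exactly that transition. The event field names (`process_kprobe`, `process.uid`, `process_credentials_arg`) and the sample lines are assumptions constructed for the example, not captured output.

```python
import json

# Constructed sample event lines in the JSON shape assumed for Tetragon's
# process_kprobe output (field names are an assumption, not captured data).
SAMPLE_EVENTS = [
    json.dumps({"process_kprobe": {
        "process": {"pid": 4242, "uid": 1000, "binary": "/usr/bin/sudo"},
        "function_name": "commit_creds",
        "args": [{"process_credentials_arg": {"uid": 0, "euid": 0, "gid": 0, "egid": 0}}]}}),
    json.dumps({"process_kprobe": {
        "process": {"pid": 4243, "uid": 1000, "binary": "/usr/bin/bash"},
        "function_name": "commit_creds",
        "args": [{"process_credentials_arg": {"uid": 1000, "euid": 1000, "gid": 1000, "egid": 1000}}]}}),
    json.dumps({"process_exec": {"process": {"pid": 4244, "uid": 0, "binary": "/bin/ls"}}}),
]


def cred_transition(event):
    """Return (pid, binary, old_uid, new_uid, new_euid) for a commit_creds
    kprobe event, or None for any other event."""
    kp = event.get("process_kprobe")
    if not kp or kp.get("function_name") != "commit_creds":
        return None
    creds = next((a["process_credentials_arg"] for a in kp.get("args", [])
                  if "process_credentials_arg" in a), None)
    if creds is None:
        return None
    proc = kp.get("process", {})
    return (proc.get("pid"), proc.get("binary"), proc.get("uid"),
            creds.get("uid"), creds.get("euid"))


def gained_root(lines):
    """Collect commit_creds events where an unprivileged task installs
    credentials with uid or euid 0. Same-uid events (plain execve) are
    dropped so that the catch-all hook does not flood the output."""
    hits = []
    for line in lines:
        t = cred_transition(json.loads(line))
        if t is None:
            continue
        pid, binary, old_uid, new_uid, new_euid = t
        if old_uid != 0 and 0 in (new_uid, new_euid):
            hits.append({"pid": pid, "binary": binary, "from_uid": old_uid,
                         "to_uid": new_uid, "to_euid": new_euid})
    return hits


if __name__ == "__main__":
    for hit in gained_root(SAMPLE_EVENTS):
        print(hit)
```

With a live stream, feed `gained_root()` the lines printed by `tetra getevents -o json` instead of `SAMPLE_EVENTS`.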