tetragon

1
apiVersion: cilium.io/v1alpha1
2
kind: TracingPolicy
3
metadata:
4
  name: "sys-read-follow-prefix"
5
spec:
6
  kprobes:
7
  - call: "fd_install"
8
    syscall: false
9
    return: false
10
    args:
11
    - index: 0
12
      type: int
13
    - index: 1
14
      type: "file"
15
    selectors:
16
    - matchPIDs:
17
      - operator: NotIn
18
        followForks: true
19
        isNamespacePID: true 
20
        values:
21
        - 1
22
      matchArgs:
23
      - index: 1
24
        operator: "Prefix"
25
        values:
26
        - "/etc/"
27
      matchActions:
28
      - action: FollowFD
29
        argFd: 0
30
        argName: 1
31
  - call: "sys_close"
32
    syscall: true
33
    args:
34
    - index: 0
35
      type: "int"
36
    selectors:
37
    - matchActions:
38
      - action: UnfollowFD
39
        argFd: 0
40
        argName: 0
41
  - call: "sys_read"
42
    syscall: true
43
    args:
44
    - index: 0
45
      type: "fd"
46
    - index: 1
47
      type: "char_buf"
48
      returnCopy: true
49
    - index: 2
50
      type: "size_t"
51
  - call: "sys_write"
52
    syscall: true
53
    args:
54
    - index: 0
55
      type: "fd"
56
    - index: 1
57
      type: "char_buf"
58
      sizeArgIndex: 3
59
    - index: 2
60
      type: "size_t"
61