Skip to content

Commit 391c5a8

Browse files
ScriptSathiScriptSathi
committed
Add documentation for extractParam feature
Signed-off-by: Tristan d'Audibert <[email protected]>
1 parent f817507 commit 391c5a8

File tree

1 file changed

+55
-0
lines changed
  • docs/content/en/docs/concepts/tracing-policy

1 file changed

+55
-0
lines changed

Diff for: docs/content/en/docs/concepts/tracing-policy/hooks.md

+55
Original file line numberDiff line numberDiff line change
@@ -400,6 +400,61 @@ The `maxData` flag does not work with `returnCopy` flag at the moment, so it's
400400
usable only for syscalls/functions that do not require return probe to read the
401401
data.
402402

403+
### Advanced usage
404+
405+
For specific use cases, you may want to extract a specific attribute from the argument.
406+
For instance you have `struct linux_binprm` as first argument and want to filter parent
407+
process name, you can do it as following.
408+
409+
```yaml
410+
apiVersion: cilium.io/v1alpha1
411+
kind: TracingPolicy
412+
metadata:
413+
name: "lsm"
414+
spec:
415+
lsmhooks:
416+
- hook: "bprm_check_security"
417+
args:
418+
- index: 0
419+
type: "linux_binprm"
420+
extractParam: "mm.owner.real_parent.comm"
421+
overwriteType: "string"
422+
selectors:
423+
- matchActions:
424+
- action: Post
425+
```
426+
427+
The above policy will display the parent process name every time the hook is called.
428+
The `extractParam` field is used to reach a specific data into the `struct
429+
linux_binprm`. It is important to set `overwriteType` as well to make sure the
430+
reached data is read correctly (as a string in this case).
431+
432+
{{< caution >}}
433+
- This feature requires you to know exactly what you are looking for in the attributes
434+
of the hook parameters. For instance, if you want to have a look on what is
435+
available inside `struct linux_binprm`, take a look at the
436+
[Bootlin website](https://elixir.bootlin.com/linux/v6.12.5/source/include/linux/binfmts.h#L18)
437+
438+
- Some structures are dynamic. This means that they may change at runtime. So you need to
439+
be aware of what you are looking for.
440+
{{< /caution >}}
441+
442+
Tetragon can also handle some structures such as `struct file` or `struct
443+
path` and few others. This means you can also extract the whole struct, if it is
444+
available in the attributes of the parameter, and set the type with the correct type
445+
like this :
446+
447+
```yaml
448+
- index: 0
449+
type: "linux_binprm"
450+
extractParam: "file"
451+
overwriteType: "file"
452+
# Or
453+
# extractParam: "file.f_path"
454+
# overwriteType: "path"
455+
```
456+
457+
403458
## Return values
404459

405460
A `TracingPolicy` spec can specify that the return value should be reported in

0 commit comments

Comments
 (0)