diff --git a/api/v1/README.md b/api/v1/README.md index 6ad02334a22..c74d222a1f3 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -1135,6 +1135,7 @@ User records | KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. | | KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. | | KPROBE_ACTION_NOTIFYENFORCER | 13 | NotifyEnforcer action notifies killer sensor. | +| KPROBE_ACTION_LSMBLOCK | 14 | LsmBlock action blocks the operation associated with LSM hook. | diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go index 8a5d6be212e..6211fe0901c 100644 --- a/api/v1/tetragon/tetragon.pb.go +++ b/api/v1/tetragon/tetragon.pb.go @@ -57,6 +57,8 @@ const ( KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 // NotifyEnforcer action notifies killer sensor. KprobeAction_KPROBE_ACTION_NOTIFYENFORCER KprobeAction = 13 + // LsmBlock action blocks the operation associated with LSM hook. + KprobeAction_KPROBE_ACTION_LSMBLOCK KprobeAction = 14 ) // Enum value maps for KprobeAction. @@ -76,6 +78,7 @@ var ( 11: "KPROBE_ACTION_TRACKSOCK", 12: "KPROBE_ACTION_UNTRACKSOCK", 13: "KPROBE_ACTION_NOTIFYENFORCER", + 14: "KPROBE_ACTION_LSMBLOCK", } KprobeAction_value = map[string]int32{ "KPROBE_ACTION_UNKNOWN": 0, @@ -92,6 +95,7 @@ var ( "KPROBE_ACTION_TRACKSOCK": 11, "KPROBE_ACTION_UNTRACKSOCK": 12, "KPROBE_ACTION_NOTIFYENFORCER": 13, + "KPROBE_ACTION_LSMBLOCK": 14, } ) 
@@ -4821,7 +4825,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0x95, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, + 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0xb1, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 
@@ -4847,37 +4851,39 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x5f, 0x55, 0x4e, 0x54, 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x20, 0x0a, 0x1c, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x59, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x52, 0x10, 0x0d, - 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, - 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, - 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, - 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, - 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, - 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, - 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, - 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, - 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, - 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, - 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, - 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, - 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, - 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, - 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 
0x4f, 0x44, 0x55, 0x4c, 0x45, - 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, - 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, - 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, - 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, - 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, - 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, - 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, - 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, - 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, + 0x4e, 0x5f, 0x4c, 0x53, 0x4d, 0x42, 0x4c, 0x4f, 0x43, 0x4b, 0x10, 0x0e, 0x2a, 0x4f, 0x0a, 0x10, + 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, + 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, + 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, + 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 
0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, + 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, + 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, + 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, + 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, + 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, + 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, + 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, + 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, + 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, + 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, + 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, + 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, + 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, + 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, + 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, + 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, + 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, + 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, + 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, + 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, + 
0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, + 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, + 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, + 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, + 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto index 34a6df09557..952c4a3370f 100644 --- a/api/v1/tetragon/tetragon.proto +++ b/api/v1/tetragon/tetragon.proto @@ -466,6 +466,8 @@ enum KprobeAction { KPROBE_ACTION_UNTRACKSOCK = 12; // NotifyEnforcer action notifies killer sensor. KPROBE_ACTION_NOTIFYENFORCER = 13; + // LsmBlock action blocks the operation associated with LSM hook. + KPROBE_ACTION_LSMBLOCK = 14; } message ProcessKprobe { diff --git a/bpf/process/bpf_generic_lsm.c b/bpf/process/bpf_generic_lsm.c index c3258b87058..65dbd186e97 100644 --- a/bpf/process/bpf_generic_lsm.c +++ b/bpf/process/bpf_generic_lsm.c @@ -50,6 +50,14 @@ struct { __type(value, struct event_config); } config_map SEC(".maps"); +// TODO: Consider to use BPF_MAP_TYPE_BLOOM_FILTER +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 32768); + __type(key, __u64); + __type(value, bool); +} lsm_block_map SEC(".maps"); + #ifdef __LARGE_BPF_PROG struct { __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); @@ -66,6 +74,7 @@ static struct generic_maps maps = { .heap = (struct bpf_map_def *)&process_call_heap, .calls = (struct bpf_map_def *)&lsm_calls, .filter = (struct bpf_map_def *)&filter_map, + .lsm_block = (struct bpf_map_def *)&lsm_block_map, }; FUNC_INLINE int 
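Review bot: lsm_block_map is keyed by pid_tgid with a fixed max_entries of 32768 and no comment on its lifecycle, so a reader of the bpf_generic_lsm.c hunk cannot tell who consumes an entry or what happens when the table is full. The only consumer in this diff is generic_lsm_output, so if an entry is written but that program is not reached the stale key may later match an unrelated task that reuses the same pid_tgid and block one of its LSM operations; when the map is full the insert fails and the block is skipped, i.e. enforcement fails open. A comment above the struct such as `/* pid_tgid -> pending block: set by ACTION_LSM_BLOCK in do_action(), consumed and deleted by generic_lsm_output(); an entry that is never consumed is stale */` would make both properties explicit. The BPF_MAP_TYPE_BLOOM_FILTER TODO is worth reconsidering, since that map type has no delete operation and the clear-on-consume step here depends on one.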
@@ -172,5 +181,15 @@ generic_lsm_actions(void *ctx) __attribute__((section("lsm/5"), used)) int generic_lsm_output(void *ctx) { - return generic_output(ctx, (struct bpf_map_def *)&process_call_heap, MSG_OP_GENERIC_LSM); + __u64 id = get_current_pid_tgid(); + bool *block; + + generic_output(ctx, (struct bpf_map_def *)&process_call_heap, MSG_OP_GENERIC_LSM); + + block = map_lookup_elem(&lsm_block_map, &id); + if (!block) + return 0; + + map_delete_elem(&lsm_block_map, &id); + return -1; } diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h index 09dc7a87e31..1c843ae635a 100644 --- a/bpf/process/types/basic.h +++ b/bpf/process/types/basic.h @@ -108,6 +108,7 @@ enum { ACTION_TRACKSOCK = 10, ACTION_UNTRACKSOCK = 11, ACTION_NOTIFY_KILLER = 12, + ACTION_LSM_BLOCK = 13, }; enum { @@ -128,6 +129,7 @@ struct generic_maps { struct bpf_map_def *config; struct bpf_map_def *filter; struct bpf_map_def *override; + struct bpf_map_def *lsm_block; }; struct selector_action { @@ -2125,6 +2127,7 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, struct generic_maps *maps, bool *post) { struct bpf_map_def *override_tasks = maps->override; + struct bpf_map_def *lsm_block = maps->lsm_block; int signal __maybe_unused = FGS_SIGKILL; int action = actions->act[i]; struct msg_generic_kprobe *e; @@ -2134,6 +2137,7 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, int socki; int err = 0; int zero = 0; + bool block = true; __u64 id; e = map_lookup_elem(maps->heap, &zero); @@ -2222,6 +2226,13 @@ do_action(void *ctx, __u32 i, struct selector_action *actions, signal = actions->act[++i]; do_action_notify_enforcer(error, signal); break; + case ACTION_LSM_BLOCK: + if (!lsm_block) + break; + + id = get_current_pid_tgid(); + map_update_elem(lsm_block, &id, &block, BPF_ANY); + break; default: break; } 
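Review bot: generic_lsm_output now discards the return value of generic_output() and returns a bare -1 on the block path, whereas the old code returned whatever generic_output() returned. For an LSM program the return value is the hook's verdict, so spelling the block as `return -EPERM;` (if errno constants are in scope here) with a one-line comment documents the intent instead of leaving -1 to read as a generic failure marker. In the ACTION_LSM_BLOCK case of do_action the result of `map_update_elem(lsm_block, &id, &block, BPF_ANY)` is ignored, so a full map turns the block into a silent no-op; either surface that error or add a comment stating that the action fails open when the map is full. The enclosing do_action body starts and ends outside the hunk.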
diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go index 8a5d6be212e..6211fe0901c 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go @@ -57,6 +57,8 @@ const ( KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 // NotifyEnforcer action notifies killer sensor. KprobeAction_KPROBE_ACTION_NOTIFYENFORCER KprobeAction = 13 + // LsmBlock action blocks the operation associated with LSM hook. + KprobeAction_KPROBE_ACTION_LSMBLOCK KprobeAction = 14 ) // Enum value maps for KprobeAction. @@ -76,6 +78,7 @@ var ( 11: "KPROBE_ACTION_TRACKSOCK", 12: "KPROBE_ACTION_UNTRACKSOCK", 13: "KPROBE_ACTION_NOTIFYENFORCER", + 14: "KPROBE_ACTION_LSMBLOCK", } KprobeAction_value = map[string]int32{ "KPROBE_ACTION_UNKNOWN": 0, @@ -92,6 +95,7 @@ var ( "KPROBE_ACTION_TRACKSOCK": 11, "KPROBE_ACTION_UNTRACKSOCK": 12, "KPROBE_ACTION_NOTIFYENFORCER": 13, + "KPROBE_ACTION_LSMBLOCK": 14, } ) 
@@ -4821,7 +4825,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0x95, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, + 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0xb1, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 
@@ -4847,37 +4851,39 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x5f, 0x55, 0x4e, 0x54, 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x20, 0x0a, 0x1c, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x59, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x52, 0x10, 0x0d, - 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, - 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, - 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, - 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, - 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, - 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, - 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, - 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, - 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, - 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, - 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, - 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, - 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, - 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, - 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 
0x4f, 0x44, 0x55, 0x4c, 0x45, - 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, - 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, - 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, - 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, - 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, - 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, - 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, - 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, - 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, + 0x4e, 0x5f, 0x4c, 0x53, 0x4d, 0x42, 0x4c, 0x4f, 0x43, 0x4b, 0x10, 0x0e, 0x2a, 0x4f, 0x0a, 0x10, + 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, + 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, + 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, + 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 
0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, + 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, + 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, + 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, + 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, + 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, + 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, + 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, + 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, + 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, + 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, + 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, + 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, + 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, + 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, + 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, + 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, + 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, + 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, + 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, + 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, + 
0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, + 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, + 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, + 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, + 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index 34a6df09557..952c4a3370f 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -466,6 +466,8 @@ enum KprobeAction { KPROBE_ACTION_UNTRACKSOCK = 12; // NotifyEnforcer action notifies killer sensor. KPROBE_ACTION_NOTIFYENFORCER = 13; + // LsmBlock action blocks the operation associated with LSM hook. + KPROBE_ACTION_LSMBLOCK = 14; } message ProcessKprobe { diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index ac6c20067c9..fb734d3d425 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md @@ -690,6 +690,7 @@ User records | KPROBE_ACTION_TRACKSOCK | 11 | TrackSock action tracks socket. | | KPROBE_ACTION_UNTRACKSOCK | 12 | UntrackSock action un-tracks socket. | | KPROBE_ACTION_NOTIFYENFORCER | 13 | NotifyEnforcer action notifies killer sensor. | +| KPROBE_ACTION_LSMBLOCK | 14 | LsmBlock action blocks the operation associated with LSM hook. | 
diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml index d3b14464c16..33438efa6cf 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpolicies.yaml @@ -326,6 +326,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -638,6 +639,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -930,6 +932,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1242,6 +1245,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1565,6 +1569,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1877,6 +1882,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2137,6 +2143,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2449,6 +2456,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action diff --git a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml index 595c2db0235..0b5e7fc30cc 100644 --- a/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml +++ b/install/kubernetes/tetragon/crds-yaml/cilium.io_tracingpoliciesnamespaced.yaml 
@@ -326,6 +326,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -638,6 +639,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -930,6 +932,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1242,6 +1245,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1565,6 +1569,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1877,6 +1882,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2137,6 +2143,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2449,6 +2456,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action diff --git a/pkg/api/tracingapi/client_kprobe.go b/pkg/api/tracingapi/client_kprobe.go index d95bb4663f6..388752b4ebd 100644 --- a/pkg/api/tracingapi/client_kprobe.go +++ b/pkg/api/tracingapi/client_kprobe.go @@ -25,6 +25,7 @@ const ( ActionTrackSock = 10 ActionUntrackSock = 11 ActionNotifyKiller = 12 + ActionLsmBlock = 13 ) const ( diff --git a/pkg/grpc/tracing/tracing.go b/pkg/grpc/tracing/tracing.go index 9190759ebbb..bc33c36faa2 100644 --- a/pkg/grpc/tracing/tracing.go +++ b/pkg/grpc/tracing/tracing.go 
@@ -62,6 +62,8 @@ func kprobeAction(act uint64) tetragon.KprobeAction { return tetragon.KprobeAction_KPROBE_ACTION_UNTRACKSOCK case tracingapi.ActionNotifyKiller: return tetragon.KprobeAction_KPROBE_ACTION_NOTIFYENFORCER + case tracingapi.ActionLsmBlock: + return tetragon.KprobeAction_KPROBE_ACTION_LSMBLOCK default: return tetragon.KprobeAction_KPROBE_ACTION_UNKNOWN } diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index d3b14464c16..33438efa6cf 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -326,6 +326,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -638,6 +639,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -930,6 +932,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1242,6 +1245,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1565,6 +1569,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1877,6 +1882,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2137,6 +2143,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2449,6 +2456,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action 
diff --git a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 595c2db0235..0b5e7fc30cc 100644 --- a/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -326,6 +326,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -638,6 +639,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -930,6 +932,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1242,6 +1245,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1565,6 +1569,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1877,6 +1882,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2137,6 +2143,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2449,6 +2456,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action diff --git a/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 9d9c7744281..e513ee1320f 100644 --- a/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/pkg/k8s/apis/cilium.io/v1alpha1/types.go 
@@ -196,7 +196,7 @@ type ArgSelector struct { } type ActionSelector struct { - // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer + // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer;LsmBlock // Action to execute. Action string `json:"action"` // +kubebuilder:validation:Optional diff --git a/pkg/selectors/kernel.go b/pkg/selectors/kernel.go index 2f6d66b79f3..31dd29bef0c 100644 --- a/pkg/selectors/kernel.go +++ b/pkg/selectors/kernel.go @@ -35,6 +35,7 @@ const ( ActionTypeTrackSock = 10 ActionTypeUntrackSock = 11 ActionTypeNotifyEnforcer = 12 + ActionTypeLsmBlock = 13 ) var actionTypeTable = map[string]uint32{ @@ -51,6 +52,7 @@ var actionTypeTable = map[string]uint32{ "tracksock": ActionTypeTrackSock, "untracksock": ActionTypeUntrackSock, "notifyenforcer": ActionTypeNotifyEnforcer, + "lsmblock": ActionTypeLsmBlock, } var actionTypeStringTable = map[uint32]string{ @@ -67,6 +69,7 @@ var actionTypeStringTable = map[uint32]string{ ActionTypeTrackSock: "tracksock", ActionTypeUntrackSock: "untracksock", ActionTypeNotifyEnforcer: "notifyenforcer", + ActionTypeLsmBlock: "lsmblock", } const ( @@ -953,6 +956,8 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a WriteSelectorUint32(&k.data, userStackTrace) case ActionTypeNoPost: // no arguments + case ActionTypeLsmBlock: + // no arguments case ActionTypeSigKill: // no arguments // NB: we should deprecate this action and just use ActionTypeSignal with SIGKILL diff --git a/pkg/sensors/tracing/genericlsm.go b/pkg/sensors/tracing/genericlsm.go index 5c226a2fd09..f2f63d5d641 100644 --- a/pkg/sensors/tracing/genericlsm.go +++ b/pkg/sensors/tracing/genericlsm.go 
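Review bot: ParseMatchAction accepts ActionTypeLsmBlock for any selector, but the action only does something when maps->lsm_block is set, and in this diff only bpf_generic_lsm.c sets it; other program types presumably leave it NULL, in which case the ACTION_LSM_BLOCK case in basic.h just breaks. A policy that puts `action: LsmBlock` on a kprobe or tracepoint would then pass the CRD enum and this parser yet enforce nothing, which is a silent fail-open. If this layer cannot see the program type, at least document the constraint beside the new case, e.g. `case ActionTypeLsmBlock: // no arguments; only effective for LSM hooks, other program types ignore it in BPF`, and reject it in the per-sensor validation for non-LSM sensors (isValidLsmSelectors only covers the LSM side). ParseMatchAction's body extends beyond the hunk.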
@@ -156,6 +156,7 @@ func isValidLsmSelectors(selectors []v1alpha1.KProbeSelector) error { case "sigkill": case "signal": case "nopost": + case "lsmblock": return nil case "post": if a.KernelStackTrace || a.UserStackTrace { diff --git a/pkg/sensors/tracing/lsm_test.go b/pkg/sensors/tracing/lsm_test.go index 4e2a445dfad..6760febcc22 100644 --- a/pkg/sensors/tracing/lsm_test.go +++ b/pkg/sensors/tracing/lsm_test.go @@ -7,9 +7,11 @@ import ( "context" "os" "os/exec" + "strconv" "sync" "testing" + "github.com/cilium/tetragon/api/v1/tetragon" ec "github.com/cilium/tetragon/api/v1/tetragon/codegen/eventchecker" "github.com/cilium/tetragon/pkg/bpf" "github.com/cilium/tetragon/pkg/jsonchecker" @@ -18,12 +20,13 @@ import ( sm "github.com/cilium/tetragon/pkg/matchers/stringmatcher" "github.com/cilium/tetragon/pkg/observer/observertesthelper" "github.com/cilium/tetragon/pkg/sensors/base" + "github.com/cilium/tetragon/pkg/testutils" tus "github.com/cilium/tetragon/pkg/testutils/sensors" "github.com/stretchr/testify/assert" ) func TestLSMObjectLoad(t *testing.T) { - if !bpf.HasLSMPrograms() || !kernels.MinKernelVersion("5.7") { + if !bpf.HasLSMPrograms() || !kernels.EnableLargeProgs() { t.Skip() } configHook := ` @@ -55,7 +58,7 @@ spec: } func TestLSMOpenFile(t *testing.T) { - if !bpf.HasLSMPrograms() || !kernels.MinKernelVersion("5.7") { + if !bpf.HasLSMPrograms() || !kernels.EnableLargeProgs() { t.Skip() } var doneWG, readyWG sync.WaitGroup @@ -64,6 +67,9 @@ func TestLSMOpenFile(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime) defer cancel() + testBin := testutils.RepoRootPath("contrib/tester-progs/direct-write-tester") + tempFile := t.TempDir() + "/test" + configHook := ` apiVersion: cilium.io/v1alpha1 kind: TracingPolicy 
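Review bot: Inserting `case "lsmblock":` between `case "nopost":` and `return nil` changes the behaviour of "nopost": Go switch cases do not fall through, so "nopost" now has an empty body like "sigkill" and "signal" above it, and only "lsmblock" reaches the early `return nil`. Whether that early return from the whole validation function was intended for "nopost" cannot be told from the hunk, but the patch should not move it silently. If all four actions are meant to be treated alike, write `case "sigkill", "signal", "nopost", "lsmblock":` on one line; otherwise place the new case so it does not take over the existing return. The body of isValidLsmSelectors starts and ends outside the hunk.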
@@ -79,12 +85,12 @@ spec:
 - matchBinaries:
 - operator: "In"
 values:
-- "/usr/bin/cat"
+- "` + testBin + `"
 matchArgs:
 - index: 0
 operator: "Equal"
 values:
-- "/etc/passwd"
+- "` + tempFile + `"
 `
 
 configHookRaw := []byte(configHook)
@@ -94,11 +100,11 @@ spec:
 }
 lsmChecker := ec.NewProcessLsmChecker("lsm-file-checker").
 WithFunctionName(sm.Suffix("file_open")).
-WithProcess(ec.NewProcessChecker().WithBinary(sm.Full("/usr/bin/cat"))).
+WithProcess(ec.NewProcessChecker().WithBinary(sm.Full(testBin))).
 WithArgs(ec.NewKprobeArgumentListMatcher().
 WithOperator(lc.Ordered).
 WithValues(
-ec.NewKprobeArgumentChecker().WithFileArg(ec.NewKprobeFileChecker().WithPath(sm.Full("/etc/passwd")))))
+ec.NewKprobeArgumentChecker().WithFileArg(ec.NewKprobeFileChecker().WithPath(sm.Full(tempFile)))))
 obs, err := observertesthelper.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib, observertesthelper.WithMyPid())
 if err != nil {
 t.Fatalf("GetDefaultObserverWithFile error: %s", err)
@@ -106,12 +112,80 @@ spec:
 observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
 readyWG.Wait()
 
-catCmd := exec.Command("/usr/bin/cat", "/etc/passwd")
+testCmd := exec.Command(testBin, tempFile)
+
+if err := testCmd.Run(); err != nil {
+t.Fatalf("failed to run %s: %s", testCmd, err)
+}
+
+err = jsonchecker.JsonTestCheck(t, ec.NewUnorderedEventChecker(lsmChecker))
+assert.NoError(t, err)
+}
 
-if err := catCmd.Run(); err != nil {
-t.Fatalf("failed to run %s: %s", catCmd, err)
+func TestLSMBlockAction(t *testing.T) {
+if !bpf.HasLSMPrograms() || !kernels.EnableLargeProgs() {
+t.Skip()
 }
+var doneWG, readyWG sync.WaitGroup
+defer doneWG.Wait()
+
+ctx, cancel := context.WithTimeout(context.Background(), tus.Conf().CmdWaitTime)
+defer cancel()
+
+testBin := testutils.RepoRootPath("contrib/tester-progs/nop")
+pidStr := strconv.Itoa(int(observertesthelper.GetMyPid()))
+
+configHook := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+name: "lsm"
+spec:
+lsmhooks:
+- hook: "bprm_check_security"
+args:
+- index: 0
+type: "linux_binprm"
+selectors:
+- matchPIDs:
+- operator: In
+followForks: true
+isNamespacePID: false
+values:
+- ` + pidStr + `
+matchArgs:
+- index: 0
+operator: "Postfix"
+values:
+- "` + testBin + `"
+matchActions:
+- action: LsmBlock
+`
+
+configHookRaw := []byte(configHook)
+err := os.WriteFile(testConfigFile, configHookRaw, 0644)
+if err != nil {
+t.Fatalf("writeFile(%s): err %s", testConfigFile, err)
+}
+lsmChecker := ec.NewProcessLsmChecker("lsm-file-checker").
+WithFunctionName(sm.Suffix("bprm_check_security")).
+WithProcess(ec.NewProcessChecker().
+WithBinary(sm.Suffix(tus.Conf().SelfBinary))).
+WithArgs(ec.NewKprobeArgumentListMatcher().
+WithOperator(lc.Ordered).
+WithValues(
+ec.NewKprobeArgumentChecker().WithLinuxBinprmArg(ec.NewKprobeLinuxBinprmChecker().WithPath(sm.Full(testBin))))).
+WithAction(tetragon.KprobeAction_KPROBE_ACTION_LSMBLOCK)
+obs, err := observertesthelper.GetDefaultObserverWithFile(t, ctx, testConfigFile, tus.Conf().TetragonLib, observertesthelper.WithMyPid())
+if err != nil {
+t.Fatalf("GetDefaultObserverWithFile error: %s", err)
+}
+observertesthelper.LoopEvents(ctx, t, &doneWG, &readyWG, obs)
+readyWG.Wait()
+
+testCmd := exec.Command(testBin)
+testCmd.Run()
 
 err = jsonchecker.JsonTestCheck(t, ec.NewUnorderedEventChecker(lsmChecker))
 assert.NoError(t, err)
 }
diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
index 8a5d6be212e..6211fe0901c 100644
--- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
+++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
@@ -57,6 +57,8 @@ const ( KprobeAction_KPROBE_ACTION_UNTRACKSOCK KprobeAction = 12 // NotifyEnforcer action notifies killer sensor. KprobeAction_KPROBE_ACTION_NOTIFYENFORCER KprobeAction = 13 + // LsmBlock action blocks the operation associated with LSM hook. + KprobeAction_KPROBE_ACTION_LSMBLOCK KprobeAction = 14 ) // Enum value maps for KprobeAction.
@@ -76,6 +78,7 @@ var ( 11: "KPROBE_ACTION_TRACKSOCK", 12: "KPROBE_ACTION_UNTRACKSOCK", 13: "KPROBE_ACTION_NOTIFYENFORCER", + 14: "KPROBE_ACTION_LSMBLOCK", } KprobeAction_value = map[string]int32{ "KPROBE_ACTION_UNKNOWN": 0,
@@ -92,6 +95,7 @@ var ( "KPROBE_ACTION_TRACKSOCK": 11, "KPROBE_ACTION_UNTRACKSOCK": 12, "KPROBE_ACTION_NOTIFYENFORCER": 13, + "KPROBE_ACTION_LSMBLOCK": 14, } )
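Review bot: `testCmd.Run()` in TestLSMBlockAction discards its error, so the test never verifies that the LsmBlock action actually denied the exec of the nop binary; it only checks that an event carrying KPROBE_ACTION_LSMBLOCK was emitted, and a regression where the BPF side reports the action but no longer returns an error from bprm_check_security would still pass. If the action is meant to fail the exec, assert on it: `if err := testCmd.Run(); err == nil { t.Fatalf("expected %s to be blocked by LsmBlock", testBin) }`, and if the errno the BPF program returns is fixed, compare with `errors.Is(err, <expected syscall.Errno>)` so an unrelated failure to start the binary is not mistaken for a block. The checker name `"lsm-file-checker"` is copied from TestLSMOpenFile and could be `"lsm-block-checker"` for clearer failure output.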
@@ -4821,7 +4825,7 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x52, 0x06, 0x6f, 0x66, 0x66, 0x73, 0x65, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x79, 0x6d, 0x62, 0x6f, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0x95, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, + 0x52, 0x06, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x2a, 0xb1, 0x03, 0x0a, 0x0c, 0x4b, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 
@@ -4847,37 +4851,39 @@ var file_tetragon_tetragon_proto_rawDesc = []byte{ 0x5f, 0x55, 0x4e, 0x54, 0x52, 0x41, 0x43, 0x4b, 0x53, 0x4f, 0x43, 0x4b, 0x10, 0x0c, 0x12, 0x20, 0x0a, 0x1c, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x59, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x52, 0x10, 0x0d, - 0x2a, 0x4f, 0x0a, 0x10, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, - 0x54, 0x79, 0x70, 0x65, 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, - 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, - 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, - 0x54, 0x55, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x10, - 0x01, 0x2a, 0x7c, 0x0a, 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x52, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, - 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, - 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, - 0x53, 0x5f, 0x52, 0x55, 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, - 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, - 0x50, 0x50, 0x45, 0x44, 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, - 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, - 0x8d, 0x02, 0x0a, 0x0f, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, - 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, - 0x45, 0x54, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, - 0x4f, 0x50, 0x52, 0x49, 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 
0x4f, 0x44, 0x55, 0x4c, 0x45, - 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, - 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, - 0x41, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, - 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, - 0x55, 0x54, 0x5f, 0x4f, 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, - 0x45, 0x10, 0x80, 0x20, 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, - 0x53, 0x49, 0x47, 0x4e, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, - 0x12, 0x24, 0x0a, 0x1e, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, - 0x5f, 0x4c, 0x49, 0x56, 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, - 0x4c, 0x45, 0x10, 0x80, 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, - 0x54, 0x45, 0x53, 0x54, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x50, 0x52, 0x4f, 0x42, 0x45, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x4f, + 0x4e, 0x5f, 0x4c, 0x53, 0x4d, 0x42, 0x4c, 0x4f, 0x43, 0x4b, 0x10, 0x0e, 0x2a, 0x4f, 0x0a, 0x10, + 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x54, 0x79, 0x70, 0x65, + 0x12, 0x1c, 0x0a, 0x18, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, + 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x1d, + 0x0a, 0x19, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, + 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 
0x53, 0x10, 0x01, 0x2a, 0x7c, 0x0a, + 0x12, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, + 0x75, 0x6c, 0x74, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, + 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x15, + 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x55, + 0x4e, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x19, 0x0a, 0x15, 0x48, 0x45, 0x41, 0x4c, 0x54, + 0x48, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x45, 0x44, + 0x10, 0x02, 0x12, 0x17, 0x0a, 0x13, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x5f, 0x53, 0x54, 0x41, + 0x54, 0x55, 0x53, 0x5f, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x2a, 0x8d, 0x02, 0x0a, 0x0f, + 0x54, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x64, 0x42, 0x69, 0x74, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, + 0x0f, 0x0a, 0x0b, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x45, 0x54, 0x10, 0x00, + 0x12, 0x1c, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x50, 0x52, 0x4f, 0x50, 0x52, 0x49, + 0x45, 0x54, 0x41, 0x52, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x17, + 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x4d, + 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x02, 0x12, 0x1e, 0x0a, 0x1a, 0x54, 0x41, 0x49, 0x4e, 0x54, + 0x5f, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x4c, 0x4f, 0x41, 0x44, 0x5f, 0x4d, + 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x04, 0x12, 0x18, 0x0a, 0x13, 0x54, 0x41, 0x49, 0x4e, 0x54, + 0x5f, 0x53, 0x54, 0x41, 0x47, 0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, + 0x08, 0x12, 0x1d, 0x0a, 0x18, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4f, 0x55, 0x54, 0x5f, 0x4f, + 0x46, 0x5f, 0x54, 0x52, 0x45, 0x45, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x20, + 0x12, 0x1a, 0x0a, 0x15, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x49, 0x47, 0x4e, + 
0x45, 0x44, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x40, 0x12, 0x24, 0x0a, 0x1e, + 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x4b, 0x45, 0x52, 0x4e, 0x45, 0x4c, 0x5f, 0x4c, 0x49, 0x56, + 0x45, 0x5f, 0x50, 0x41, 0x54, 0x43, 0x48, 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, + 0x80, 0x02, 0x12, 0x17, 0x0a, 0x11, 0x54, 0x41, 0x49, 0x4e, 0x54, 0x5f, 0x54, 0x45, 0x53, 0x54, + 0x5f, 0x4d, 0x4f, 0x44, 0x55, 0x4c, 0x45, 0x10, 0x80, 0x80, 0x10, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto index 34a6df09557..952c4a3370f 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto @@ -466,6 +466,8 @@ enum KprobeAction { KPROBE_ACTION_UNTRACKSOCK = 12; // NotifyEnforcer action notifies killer sensor. KPROBE_ACTION_NOTIFYENFORCER = 13; + // LsmBlock action blocks the operation associated with LSM hook. + KPROBE_ACTION_LSMBLOCK = 14; } message ProcessKprobe { diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml index d3b14464c16..33438efa6cf 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml @@ -326,6 +326,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -638,6 +639,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action 
@@ -930,6 +932,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1242,6 +1245,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1565,6 +1569,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1877,6 +1882,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2137,6 +2143,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2449,6 +2456,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml index 595c2db0235..0b5e7fc30cc 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpoliciesnamespaced.yaml @@ -326,6 +326,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -638,6 +639,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -930,6 +932,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action 
@@ -1242,6 +1245,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1565,6 +1569,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -1877,6 +1882,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2137,6 +2143,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action @@ -2449,6 +2456,7 @@ spec: - TrackSock - UntrackSock - NotifyEnforcer + - LsmBlock type: string argError: description: error value for override action diff --git a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go index 9d9c7744281..e513ee1320f 100644 --- a/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go +++ b/vendor/github.com/cilium/tetragon/pkg/k8s/apis/cilium.io/v1alpha1/types.go @@ -196,7 +196,7 @@ type ArgSelector struct { } type ActionSelector struct { - // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer + // +kubebuilder:validation:Enum=Post;FollowFD;UnfollowFD;Sigkill;CopyFD;Override;GetUrl;DnsLookup;NoPost;Signal;TrackSock;UntrackSock;NotifyEnforcer;LsmBlock // Action to execute. Action string `json:"action"` // +kubebuilder:validation:Optional