Skip to content

Commit

Permalink
tetragon: Add doc for killer sensor
Browse files Browse the repository at this point in the history
Signed-off-by: Jiri Olsa <[email protected]>
  • Loading branch information
olsajiri committed Oct 6, 2023
1 parent b442ac9 commit bf75c17
Showing 1 changed file with 90 additions and 0 deletions.
90 changes: 90 additions & 0 deletions docs/content/en/docs/concepts/tracing-policy/selectors.md
Original file line number Diff line number Diff line change
Expand Up @@ -501,6 +501,7 @@ matches. They are defined under `matchActions` and currently, the following
- [NoPost action](#nopost-action)
- [TrackSock action](#tracksock-action)
- [UntrackSock action](#untracksock-action)
- [Notify Killer](#notify-killer-action)

{{< note >}}
`Sigkill`, `Override`, `FollowFD`, `UnfollowFD`, `CopyFD`, `Post`,
Expand Down Expand Up @@ -897,6 +898,95 @@ broken.

Socket tracking is only available on kernel >=5.3.

### Notify Killer

The `NotifyKiller` action notifies the killer program to kill or override syscall.

The specs needs to have `killer` program definition, that instructs tetragon to load
`killer` program and attach it to specified syscalls.

```yaml
spec:
killers:
- syscalls:
- "list:dups"
```

The syscalls expects list of syscalls or `list:XXX` pointer to list.

Note that currently only single killer definition is allowed.


The `NotifyKiller` action takes 2 arguments.

```yaml
matchActions:
- action: "NotifyKiller"
argError: -1
argSig: 9
```

If pecified the argError will be passed to `bpf_override_return` helper to override the syscall return value.
If pecified the argSig will be passed to `bpf_send_signal` helper to override the syscall return value.

The following is spec for killing `/usr/bin/bash` program whenever it calls `sys_dup` or `sys_dup2` syscalls.

```yaml
spec:
lists:
- name: "dups"
type: "syscalls"
values:
- "sys_dup"
- "sys_dup2"
killers:
- syscalls:
- "list:dups"
tracepoints:
- subsystem: "raw_syscalls"
event: "sys_enter"
args:
- index: 4
type: "uint64"
selectors:
- matchArgs:
- index: 0
operator: "InMap"
values:
- "list:dups"
matchBinaries:
- operator: "In"
values:
- "/usr/bin/bash"
matchActions:
- action: "NotifyKiller"
argSig: 9
```

Note the `NotifyKiller` with killer program is meant to be used only on kernel versions
with no support for fast attach of multiple kprobes (`kprobe_multi` link).

With `kprobe_multi` link support the above example can be easily replaced with:

```yaml
spec:
lists:
- name: "syscalls"
type: "syscalls"
values:
- "sys_dup"
- "sys_dup2"
kprobes:
- call: "list:syscalls"
selectors:
- matchBinaries:
- operator: "In"
values:
- "/usr/bin/bash"
matchActions:
- action: "Sigkill"
```

## Selector Semantics

The `selector` semantics of the `CiliumTracingPolicy` follows the standard
Expand Down

0 comments on commit bf75c17

Please sign in to comment.