policylibrary: add a catch all for setuid root

Signed-off-by: Djalal Harouni <[email protected]>

examples/policylibrary/setuid-root.yaml

@@ -0,0 +1,220 @@
+# This 'setuid-root' Tracing Policy monitors processes trying to change
+# their uids/gids to user root.
+#
+#  __sys_setuid
+#    - __x64_sys_setuid
+#    - __ia32_sys_setuid
+#    - __x64_sys_setuid16
+#    - __ia32_sys_setuid16
+#
+#  __sys_setgid
+#    - __x64_sys_setgid
+#    - __ia32_sys_setgid
+#    - __x64_sys_setgid16
+#    - __ia32_sys_setgid16
+#
+#  __sys_setreuid
+#    - __x64_sys_setreuid
+#    - __ia32_sys_setreuid
+#    - __x64_sys_setreuid16
+#    - __ia32_sys_setreuid16
+#
+#  __sys_setregid
+#    - __x64_sys_setregid
+#    - __ia32_sys_setregid
+#    - __x64_sys_setregid16
+#    - __ia32_sys_setregid16
+#
+# __sys_setresuid
+#    - __x64_sys_setresuid
+#    - __ia32_sys_setresuid
+#    - __x64_sys_setresuid16
+#    - __ia32_sys_setresuid16
+#
+# __sys_setresgid
+#    - __x64_sys_setresgid
+#    - __ia32_sys_setresgid
+#    - __x64_sys_setresgid16
+#    - __ia32_sys_setresgid16
+#
+# __sys_setfsuid
+#    - __x64_sys_setfsuid
+#    - __ia32_sys_setfsuid
+#    - __x64_sys_setfsuid16
+#    - __ia32_sys_setfsuid16
+#
+# __sys_setfsgid
+#    - __x64_sys_setfsgid
+#    - __ia32_sys_setfsgid
+#    - __x64_sys_setfsgid16
+#    - __ia32_sys_setfsgid16
+#
+
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "setuid-root.yaml"
+spec:
+  kprobes:
+  - call: "__sys_setuid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+  - call: "__sys_setgid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+  - call: "__sys_setreuid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    - index: 1
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "0"
+  - call: "__sys_setregid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    - index: 1
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "0"
+  - call: "__sys_setresuid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    - index: 1
+      type: "int"
+    - index: 2
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "0"
+    - matchArgs:
+      - index: 2
+        operator: "Equal"
+        values:
+        - "0"
+  - call: "__sys_setresgid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    - index: 1
+      type: "int"
+    - index: 2
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "0"
+    - matchArgs:
+      - index: 2
+        operator: "Equal"
+        values:
+        - "0"
+  - call: "__sys_setfsuid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+  - call: "__sys_setfsgid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"