tracingpolicies: add CapabiliitesGained operator #3887
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kkourt
added
the
release-note/minor
olsajiri
reviewed
Jul 13, 2025
kkourt
force-pushed
the
pr/kkourt/capabilities-gained
branch
2 times, most recently
from
796eaf6 to
9ca719d
Compare
|
Pushed a new version where I: merged commits so that all commits compile, added a test, constrained this feature only for kernels that support large programs (since 4.19 was failing to load the prog). |
kkourt
force-pushed
the
pr/kkourt/capabilities-gained
branch
2 times, most recently
from
1548a21 to
4ee7a02
Compare
kkourt
changed the title
mtardy
approved these changes
Jul 15, 2025
This commit replaces the new Arg *uint32 field introduced in 4488a6d with an array. The intention is to enable operators that use multiple arguments, which will happen in subsequent commits. Note that the above commit has not yet been in a released version of tetragon, so breaking the compatibility is OK. Having an array, we use the same semantics as the pointer. If the array is empty, we use Index instead. The commit also updates the tests and the docs. Signed-off-by: Kornilios Kourtis <[email protected]>
Signed-off-by: Kornilios Kourtis <[email protected]>
Signed-off-by: Kornilios Kourtis <[email protected]>
Introduce a CapabilitiesGained operator that uses two arguments. The index of the second argument is copied into values so that it can be extracted by the bpf code. Signed-off-by: Kornilios Kourtis <[email protected]>
Support the op_capabilities_gained operator. The operator is treated as
a specifial case. The second argument index is extracted from the
values, from which we get the args offset and, finally, the value.
The CapabilitiesGained operator checks whether a capability argument
has gained capabilities compared to another argument.
For example:
```
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "capabilities-gained"
spec:
kprobes:
- call: "security_capset"
syscall: false
return: true
args:
- index: 1
type: "cap_effective"
resolve: "cap_effective"
label: "old_creds.cap_effective"
- index: 2
type: "cap_effective"
label: "cap_effective"
returnArg:
index: 0
type: "int"
selectors:
- matchActions:
- action: Post
matchArgs:
- operator: CapabilitiesGained
args:
- 0
- 1
```
Signed-off-by: Kornilios Kourtis <[email protected]>
Add a capabiliites-gained test program that performs three capset sycalls, with only one gaining capabilities. Use it to test the CapabilitiesGained operator. Signed-off-by: Kornilios Kourtis <[email protected]>
Set the CapabilitiesGained operator to only work when large progrs are supported in the kernel, since loading the generic program fails in 4.19. Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/capabilities-gained
branch
from
4ee7a02 to
ce21f25
Compare
Thanks! Pushed a new commit that also updates that docs. |
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Change the newly introduced
Argto be an array so that we can support operators that work with multiple arguments.(The Arg change has not yet been released, so this is not a breaking change).
Using above change, implement a
CapabilitiesGainedoperator.See commits.
Example policy:
TODO:
Arg