tracingpolicy: add observer arm/disarm kprobes operations

Output: "function_name": "disarm_kprobe_ftrace", "args": [ { "kprobe_arg": { "offset": 0, "symbol": "__pfx_security_bprm_committing_creds" } } ], "action": "KPROBE_ACTION_POST", "policy_name": "kprobes-observe", "return_action": "KPROBE_ACTION_POST", "message": "Disable a kprobe (kernel probe)" "function_name": "disarm_kprobe_ftrace", "args": [ { "kprobe_arg": { "offset": 0, "symbol": "__pfx_wake_up_new_task" } } ], "action": "KPROBE_ACTION_POST", "policy_name": "kprobes-observe", "return_action": "KPROBE_ACTION_POST", "message": "Disable a kprobe (kernel probe)" "function_name": "disarm_kprobe_ftrace", "args": [ { "kprobe_arg": { "offset": 0, "symbol": "__pfx_acct_process" } } ], "action": "KPROBE_ACTION_POST", "policy_name": "kprobes-observe", "return_action": "KPROBE_ACTION_POST", "message": "Disable a kprobe (kernel probe)" Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
cilium · Jan 5, 2024 · 73e74a2 · 73e74a2
1 parent aa3904b
commit 73e74a2
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/install/tetragon.tp.d/90.kprobes.observe/kprobes_observe.yaml b/install/tetragon.tp.d/90.kprobes.observe/kprobes_observe.yaml
@@ -7,6 +7,24 @@ metadata:
     description: "Observe Kprobes operations"
 spec:
   kprobes:
+  - call: "arm_kprobe"
+    syscall: false
+    args:
+    - index: 0
+      type: "kprobe"
+    message: "Enable a kprobe (kernel probe)"
+  - call: "arch_disarm_kprobe"
+    syscall: false
+    args:
+    - index: 0
+      type: "kprobe"
+    message: "Disable a kprobe (kernel probe)"
+  - call: "disarm_kprobe_ftrace"
+    syscall: false
+    args:
+    - index: 0
+      type: "kprobe"
+    message: "Disable a kprobe (kernel probe)"
   # Kprobes /sys/kernel/debug/kprobes/enabled is set by default,
   # any update is suspicious since it could lead to disable kprobes.
   - call: "write_enabled_file_bool"