Description
Is there an existing issue for this?
- I have searched the existing issues
Is your feature request related to a problem?
No response
Describe the feature you would like
Sometimes in Tetragon policies we need to write the same selectors for each hook we want to intercept and report. For example, we may want to filter out all events where the process binary has a specific prefix, e.g. because we consider all events from some directory to be false positives.
For instance, we want to intercept call_1, call_2 and call_3, and we always want to filter out events where the binary is located in dir.
The policy would look like:
```yaml
spec:
  kprobes:
  - call: <call_1>
    selectors:
    - matchBinaries:
      - operator: "NotPrefix"
        values:
        - "dir"
  - call: <call_2>
    selectors:
    - matchBinaries:
      - operator: "NotPrefix"
        values:
        - "dir"
  - call: <call_3>
    selectors:
    - matchBinaries:
      - operator: "NotPrefix"
        values:
        - "dir"
```
To make such policies prettier and to improve the experience of writing new policies, we could add global selectors: selectors that are declared at the beginning of the specification and are appended to every selector in the policy.
With global selectors, the policy would look like this:
```yaml
spec:
  globalSelectors:
    matchBinaries:
    - operator: "NotPrefix"
      values:
      - "dir"
  kprobes:
  - call: <call_1>
  - call: <call_2>
  - call: <call_3>
```
Currently Tetragon can define lists of calls that share the same selectors (https://tetragon.io/docs/concepts/tracing-policy/hooks/#lists), which also solves the problem described above; but it is not sufficient when, besides the common selectors, we want selectors specific to individual calls in the list.
For example, we want to intercept the system calls open and openat, which have different signatures: open takes pathname as its first argument, while openat takes it as its second. We want to catch events where pathname ends with passwd, but filter out events where the binary has the prefix /opt/myapp, because we consider that our application can read the passwd file safely. Because the signatures differ, we cannot put both calls in a list with a shared matchArgs selector, since the indices of pathname are different.
With global selectors, the policy would look like this:
```yaml
spec:
  globalSelectors:
    matchBinaries:
    - operator: "NotPrefix"
      values:
      - "/opt/myapp"
  kprobes:
  - call: "sys_open"
    syscall: true
    args:
    - index: 0
      type: "string"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Postfix"
        values:
        - "passwd"
  - call: "sys_openat"
    syscall: true
    args:
    - index: 1
      type: "string"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Postfix"
        values:
        - "passwd"
```
Describe your proposed solution
To add such global selectors, we could add a GlobalSelectors field of type KProbeSelector to TracingPolicySpec.
Every time we parse selectors from the specification, we append the selectors from the GlobalSelectors field to the ones currently being parsed, and parse them as if they had been specified together in the same field. E.g.:
```go
func ParseMatchArgs(k *KernelSelectorState, matchArgs []v1alpha1.ArgSelector, matchData []v1alpha1.ArgSelector,
	args []v1alpha1.KProbeArg, data []v1alpha1.KProbeArg, globalSelectors *KProbeSelector) error {
	// Merge the global selectors into the per-hook ones before parsing, so the
	// rest of the function sees a single combined list. The slices must be
	// spread (`...`) so their elements are appended, not the slice itself;
	// skip the merge when the policy declares no global selectors.
	if globalSelectors != nil {
		matchArgs = append(matchArgs, globalSelectors.MatchArgs...)
		matchData = append(matchData, globalSelectors.MatchData...)
	}
	...
}
```
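The expansion step the proposal describes, as an added stand-alone Go model that is not part of the issue or of Tetragon's code: the types are simplified stand-ins for the v1alpha1 API (assumed here), and `ExpandGlobalSelectors` appends the global matchers to every selector of every kprobe. It also covers the case the first example raises, a hook such as call_1 that declares no selectors of its own, which gets one selector made of the global matchers alone so the global filter still applies to it.

```go
package main
import "fmt"
// Simplified stand-ins for Tetragon's v1alpha1 API types (assumed here, not the project's own).
type ArgSelector struct {
	Index    uint32
	Operator string
	Values   []string
}
type BinarySelector struct {
	Operator string
	Values   []string
}
type KProbeSelector struct {
	MatchArgs     []ArgSelector
	MatchBinaries []BinarySelector
}
type KProbeSpec struct {
	Call      string
	Selectors []KProbeSelector
}

// ExpandGlobalSelectors appends the global matchers to every selector of every hook
// and returns the expanded hooks; the input slices are left untouched.
func ExpandGlobalSelectors(global *KProbeSelector, kprobes []KProbeSpec) []KProbeSpec {
	if global == nil {
		return kprobes // nothing to merge
	}
	out := make([]KProbeSpec, len(kprobes))
	for i, kp := range kprobes {
		sels := kp.Selectors
		if len(sels) == 0 {
			sels = []KProbeSelector{{}} // unfiltered hook: it must still get the global filter
		}
		kp.Selectors = make([]KProbeSelector, len(sels))
		for j, s := range sels {
			// Copy before appending so per-hook slices never alias the global ones.
			kp.Selectors[j].MatchArgs = append(append([]ArgSelector(nil), s.MatchArgs...), global.MatchArgs...)
			kp.Selectors[j].MatchBinaries = append(append([]BinarySelector(nil), s.MatchBinaries...), global.MatchBinaries...)
		}
		out[i] = kp
	}
	return out
}

func main() {
	// Constructed input mirroring the open/openat example from the issue.
	global := &KProbeSelector{MatchBinaries: []BinarySelector{{Operator: "NotPrefix", Values: []string{"/opt/myapp"}}}}
	open := KProbeSpec{Call: "sys_open", Selectors: []KProbeSelector{{MatchArgs: []ArgSelector{{Index: 0, Operator: "Postfix", Values: []string{"passwd"}}}}}}
	fmt.Printf("%+v\n", ExpandGlobalSelectors(global, []KProbeSpec{open, {Call: "sys_openat"}}))
}
```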
Code of Conduct
- I agree to follow this project's Code of Conduct