Tracing Policy
This reference documentation is generated from the Tracing Policy CRD specification, detailing its fields and usage.
A TracingPolicy is a user-configurable Kubernetes custom resource (CR) that defines how Tetragon observes events in both the kernel and userspace using eBPF. It supports a variety of hook points including kprobes, uprobes, tracepoints, LSM hooks, and USDTs, giving users fine-grained control over what to trace and what actions to take. Policies consist of hook points, selectors for in-kernel filtering, and optional actions that can be executed when a match occurs.
Tracing policies can be loaded and unloaded dynamically at runtime or applied at startup using configuration flags. Although structured as Kubernetes CRs, they can also be used in non-Kubernetes environments via Tetragon’s CLI or daemon flags. In Kubernetes, policies can be managed using kubectl or tools like Argo CD.
Tracing Policy API Reference
Packages:
cilium.io/v1alpha1
Resource Types:
TracingPolicy
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | cilium.io/v1alpha1 | true |
| kind | string | TracingPolicy | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
| spec | object |
Tracing policy specification. |
true |
TracingPolicy.spec
Tracing policy specification.
| Name | Type | Description | Required |
|---|---|---|---|
| containerSelector | object |
ContainerSelector selects containers that this policy applies to.
A map of container fields will be constructed in the same way as a map of labels.
The name of the field represents the label "key", and the value of the field - label "value".
Currently, only the "name" field is supported. |
false |
| enforcers | []object |
A enforcer spec. |
false |
| kprobes | []object |
A list of kprobe specs. |
false |
| lists | []object |
A list of list specs. |
false |
| loader | boolean |
Enable loader events |
false |
| lsmhooks | []object |
A list of uprobe specs. |
false |
| options | []object |
A list of overloaded options |
false |
| podSelector | object |
PodSelector selects pods that this policy applies to |
false |
| tracepoints | []object |
A list of tracepoint specs. |
false |
| uprobes | []object |
A list of uprobe specs. |
false |
| usdts | []object |
A list of usdt specs. |
false |
TracingPolicy.spec.containerSelector
ContainerSelector selects containers that this policy applies to. A map of container fields will be constructed in the same way as a map of labels. The name of the field represents the label “key”, and the value of the field - label “value”. Currently, only the “name” field is supported.
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
matchExpressions is a list of label selector requirements. The requirements are ANDed. |
false |
| matchLabels | map[string]string |
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. |
false |
TracingPolicy.spec.containerSelector.matchExpressions[index]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
key is the label key that the selector applies to. |
true |
| operator | enum |
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. Enum: In, NotIn, Exists, DoesNotExist |
true |
| values | []string |
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. |
false |
TracingPolicy.spec.enforcers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| calls | []string |
Calls where enforcer is executed in |
true |
TracingPolicy.spec.kprobes[index]
| Name | Type | Description | Required |
|---|---|---|---|
| call | string |
Name of the function to apply the kprobe spec to. |
true |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| data | []object |
A list of data to include in the trace output. |
false |
| ignore | object |
Conditions for ignoring this kprobe |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| return | boolean |
Indicates whether to collect return value of the traced function. Default: false |
false |
| returnArg | object |
A return argument to include in the trace output. |
false |
| returnArgAction | string |
An action to perform on the return argument.
Available actions are: Post;TrackSock;UntrackSock |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed and short-circuited. |
false |
| syscall | boolean |
Indicates whether the traced function is a syscall. Default: true |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicy.spec.kprobes[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicy.spec.kprobes[index].data[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicy.spec.kprobes[index].ignore
Conditions for ignoring this kprobe
| Name | Type | Description | Required |
|---|---|---|---|
| callNotFound | boolean |
Ignores calls that are not present in the system |
false |
TracingPolicy.spec.kprobes[index].returnArg
A return argument to include in the trace output.
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicy.spec.kprobes[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicy.spec.kprobes[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicy.spec.kprobes[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.kprobes[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.lists[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Name of the list |
true |
| pattern | string |
Pattern for 'generated' lists. |
false |
| type | enum |
Indicates the type of the list values. Enum: syscalls, generated_syscalls, generated_ftrace |
false |
| validated | boolean |
List was validated |
false |
| values | []string |
Values of the list |
false |
TracingPolicy.spec.lsmhooks[index]
| Name | Type | Description | Required |
|---|---|---|---|
| hook | string |
Name of the function to apply the kprobe spec to. |
true |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed. |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicy.spec.lsmhooks[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.lsmhooks[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.options[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Name of the option |
true |
| value | string |
Value of the option |
false |
TracingPolicy.spec.podSelector
PodSelector selects pods that this policy applies to
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
matchExpressions is a list of label selector requirements. The requirements are ANDed. |
false |
| matchLabels | map[string]string |
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. |
false |
TracingPolicy.spec.podSelector.matchExpressions[index]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
key is the label key that the selector applies to. |
true |
| operator | enum |
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. Enum: In, NotIn, Exists, DoesNotExist |
true |
| values | []string |
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. |
false |
TracingPolicy.spec.tracepoints[index]
| Name | Type | Description | Required |
|---|---|---|---|
| event | string |
Tracepoint event |
true |
| subsystem | string |
Tracepoint subsystem |
true |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| raw | boolean |
Enable raw tracepoint arguments |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed. |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicy.spec.tracepoints[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicy.spec.tracepoints[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicy.spec.tracepoints[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicy.spec.tracepoints[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.tracepoints[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.uprobes[index]
| Name | Type | Description | Required |
|---|---|---|---|
| path | string |
Name of the traced binary |
true |
| addrs | []integer |
List of the traced addresses |
false |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| btfPath | string |
path for a BTF file for the traced binary |
false |
| data | []object |
A list of data to include in the trace output. |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| offsets | []integer |
List of the traced offsets |
false |
| refCtrOffsets | []integer |
List of the traced ref_ctr_offsets |
false |
| return | boolean |
Indicates whether to collect return value of the traced function. Default: false |
false |
| returnArg | object |
A return argument to include in the trace output. |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed. |
false |
| symbols | []string |
List of the traced symbols |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicy.spec.uprobes[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicy.spec.uprobes[index].data[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicy.spec.uprobes[index].returnArg
A return argument to include in the trace output.
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicy.spec.uprobes[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicy.spec.uprobes[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.uprobes[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.usdts[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Usdt name |
true |
| path | string |
Name of the traced binary |
true |
| provider | string |
Usdt provider name |
true |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| btfPath | string |
path for a BTF file for the traced binary |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed. |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicy.spec.usdts[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicy.spec.usdts[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicy.spec.usdts[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicy.spec.usdts[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicy.spec.usdts[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | cilium.io/v1alpha1 | true |
| kind | string | TracingPolicyNamespaced | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
| spec | object |
Tracing policy specification. |
true |
TracingPolicyNamespaced.spec
Tracing policy specification.
| Name | Type | Description | Required |
|---|---|---|---|
| containerSelector | object |
ContainerSelector selects containers that this policy applies to.
A map of container fields will be constructed in the same way as a map of labels.
The name of the field represents the label "key", and the value of the field - label "value".
Currently, only the "name" field is supported. |
false |
| enforcers | []object |
A enforcer spec. |
false |
| kprobes | []object |
A list of kprobe specs. |
false |
| lists | []object |
A list of list specs. |
false |
| loader | boolean |
Enable loader events |
false |
| lsmhooks | []object |
A list of uprobe specs. |
false |
| options | []object |
A list of overloaded options |
false |
| podSelector | object |
PodSelector selects pods that this policy applies to |
false |
| tracepoints | []object |
A list of tracepoint specs. |
false |
| uprobes | []object |
A list of uprobe specs. |
false |
| usdts | []object |
A list of usdt specs. |
false |
TracingPolicyNamespaced.spec.containerSelector
ContainerSelector selects containers that this policy applies to. A map of container fields will be constructed in the same way as a map of labels. The name of the field represents the label “key”, and the value of the field - label “value”. Currently, only the “name” field is supported.
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
matchExpressions is a list of label selector requirements. The requirements are ANDed. |
false |
| matchLabels | map[string]string |
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. |
false |
TracingPolicyNamespaced.spec.containerSelector.matchExpressions[index]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
key is the label key that the selector applies to. |
true |
| operator | enum |
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. Enum: In, NotIn, Exists, DoesNotExist |
true |
| values | []string |
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. |
false |
TracingPolicyNamespaced.spec.enforcers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| calls | []string |
Calls where enforcer is executed in |
true |
TracingPolicyNamespaced.spec.kprobes[index]
| Name | Type | Description | Required |
|---|---|---|---|
| call | string |
Name of the function to apply the kprobe spec to. |
true |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| data | []object |
A list of data to include in the trace output. |
false |
| ignore | object |
Conditions for ignoring this kprobe |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| return | boolean |
Indicates whether to collect return value of the traced function. Default: false |
false |
| returnArg | object |
A return argument to include in the trace output. |
false |
| returnArgAction | string |
An action to perform on the return argument.
Available actions are: Post;TrackSock;UntrackSock |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed and short-circuited. |
false |
| syscall | boolean |
Indicates whether the traced function is a syscall. Default: true |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicyNamespaced.spec.kprobes[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicyNamespaced.spec.kprobes[index].data[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicyNamespaced.spec.kprobes[index].ignore
Conditions for ignoring this kprobe
| Name | Type | Description | Required |
|---|---|---|---|
| callNotFound | boolean |
Ignores calls that are not present in the system |
false |
TracingPolicyNamespaced.spec.kprobes[index].returnArg
A return argument to include in the trace output.
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.lists[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Name of the list |
true |
| pattern | string |
Pattern for 'generated' lists. |
false |
| type | enum |
Indicates the type of the list values. Enum: syscalls, generated_syscalls, generated_ftrace |
false |
| validated | boolean |
List was validated |
false |
| values | []string |
Values of the list |
false |
TracingPolicyNamespaced.spec.lsmhooks[index]
| Name | Type | Description | Required |
|---|---|---|---|
| hook | string |
Name of the function to apply the kprobe spec to. |
true |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed. |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.options[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Name of the option |
true |
| value | string |
Value of the option |
false |
TracingPolicyNamespaced.spec.podSelector
PodSelector selects pods that this policy applies to
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
matchExpressions is a list of label selector requirements. The requirements are ANDed. |
false |
| matchLabels | map[string]string |
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed. |
false |
TracingPolicyNamespaced.spec.podSelector.matchExpressions[index]
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
key is the label key that the selector applies to. |
true |
| operator | enum |
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist. Enum: In, NotIn, Exists, DoesNotExist |
true |
| values | []string |
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch. |
false |
TracingPolicyNamespaced.spec.tracepoints[index]
| Name | Type | Description | Required |
|---|---|---|---|
| event | string |
Tracepoint event |
true |
| subsystem | string |
Tracepoint subsystem |
true |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| raw | boolean |
Enable raw tracepoint arguments |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed. |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicyNamespaced.spec.tracepoints[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.uprobes[index]
| Name | Type | Description | Required |
|---|---|---|---|
| path | string |
Name of the traced binary |
true |
| addrs | []integer |
List of the traced addresses |
false |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| btfPath | string |
path for a BTF file for the traced binary |
false |
| data | []object |
A list of data to include in the trace output. |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| offsets | []integer |
List of the traced offsets |
false |
| refCtrOffsets | []integer |
List of the traced ref_ctr_offsets |
false |
| return | boolean |
Indicates whether to collect return value of the traced function. Default: false |
false |
| returnArg | object |
A return argument to include in the trace output. |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed. |
false |
| symbols | []string |
List of the traced symbols |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicyNamespaced.spec.uprobes[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicyNamespaced.spec.uprobes[index].data[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicyNamespaced.spec.uprobes[index].returnArg
A return argument to include in the trace output.
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.usdts[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Usdt name |
true |
| path | string |
Name of the traced binary |
true |
| provider | string |
Usdt provider name |
true |
| args | []object |
A list of function arguments to include in the trace output. |
false |
| btfPath | string |
path for a BTF file for the traced binary |
false |
| message | string |
A short message of 256 characters max that will be included
in the event output to inform users what is going on. |
false |
| selectors | []object |
Selectors to apply before producing trace output. Selectors are ORed. |
false |
| tags | []string |
Tags to categorize the event, will be include in the event output.
Maximum of 16 Tags are supported. |
false |
TracingPolicyNamespaced.spec.usdts[index].args[index]
| Name | Type | Description | Required |
|---|---|---|---|
| index | integer |
Position of the argument. Format: int32 Minimum: 0 |
true |
| type | enum |
Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog Default: auto |
true |
| btfType | string |
Type of original argument. This is currently only used in UsdtSpecs and UprobeSpecs for arguments with
the Resolve attribute set. It relies on the BTF file defined by BTFPath to extract the
type. |
false |
| label | string |
Label to output in the JSON |
false |
| maxData | boolean |
Read maximum possible data (currently 327360). This field is only used
for char_buff data. When this value is false (default), the bpf program
will fetch at most 4096 bytes. In later kernels (>=5.4) tetragon
supports fetching up to 327360 bytes if this flag is turned on Default: false |
false |
| resolve | string |
Resolve the path to a specific attribute Default: |
false |
| returnCopy | boolean |
This field is used only for char_buf and char_iovec types. It indicates
that this argument should be read later (when the kretprobe for the
symbol is triggered) because it might not be populated when the kprobe
is triggered at the entrance of the function. For example, a buffer
supplied to read(2) won't have content until kretprobe is triggered. Default: false |
false |
| sizeArgIndex | integer |
Specifies the position of the corresponding size argument for this argument.
This field is used only for char_buf and char_iovec types. Format: int32 Minimum: 0 |
false |
| source | string |
Source of the data, if missing the default if function arguments |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index]
KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.
| Name | Type | Description | Required |
|---|---|---|---|
| matchActions | []object |
A list of actions to execute when this selector matches |
false |
| matchArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
| matchBinaries | []object |
A list of binary exec name filters. |
false |
| matchCapabilities | []object |
A list of capabilities and IDs |
false |
| matchCapabilityChanges | []object |
IDs for capabilities changes |
false |
| matchData | []object |
A list of argument filters. MatchData are ANDed. |
false |
| matchNamespaceChanges | []object |
IDs for namespace changes |
false |
| matchNamespaces | []object |
A list of namespaces and IDs |
false |
| matchPIDs | []object |
A list of process ID filters. MatchPIDs are ANDed. |
false |
| matchParentBinaries | []object |
A list of process parent exec name filters. |
false |
| matchReturnActions | []object |
A list of actions to execute when MatchReturnArgs selector matches |
false |
| matchReturnArgs | []object |
A list of argument filters. MatchArgs are ANDed. |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilities[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilityChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Capabilities to match. |
true |
| isNamespaceCapability | boolean |
Indicates whether these caps are namespace caps. Default: false |
false |
| type | enum |
Type of capabilities Enum: Effective, Inheritable, Permitted Default: Effective |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchData[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaceChanges[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace types (e.g., Mnt, Pid) to match. |
true |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaces[index]
| Name | Type | Description | Required |
|---|---|---|---|
| namespace | enum |
Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User |
true |
| operator | enum |
Namespace selector operator. Enum: In, NotIn |
true |
| values | []string |
Namespace IDs (or host_ns for host namespace) of namespaces to match. |
true |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchPIDs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
PID selector operator. Enum: In, NotIn |
true |
| values | []integer |
Process IDs to match. |
true |
| followForks | boolean |
Matches any descendant processes of the matching PIDs. Default: false |
false |
| isNamespacePID | boolean |
Indicates whether PIDs are namespace PIDs. Default: false |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchParentBinaries[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix |
true |
| values | []string |
Value to compare the argument against. |
true |
| followChildren | boolean |
In addition to binaries, match children processes of specified binaries. Default: false |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnActions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| action | enum |
Action to execute.
NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to
be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set |
true |
| argError | integer |
error value for override action Format: int32 |
false |
| argFd | integer |
An arg index for the fd for fdInstall action Format: int32 |
false |
| argFqdn | string |
A FQDN to lookup for the dnsLookup action |
false |
| argIndex | integer |
An arg index for the set action Format: int32 |
false |
| argName | integer |
An arg index for the filename for fdInstall action Format: int32 |
false |
| argRegs | []string |
An arg value for the regs action |
false |
| argSig | integer |
A signal number for signal action Format: int32 |
false |
| argSock | integer |
An arg index for the sock for trackSock and untrackSock actions Format: int32 |
false |
| argUrl | string |
A URL for the getUrl action |
false |
| argValue | integer |
An arg value for the set action Format: int32 |
false |
| imaHash | boolean |
Enable collection of file hashes from integrity subsystem.
Only valid with the post action. |
false |
| kernelStackTrace | boolean |
Enable kernel stack trace export. Only valid with the post action. |
false |
| rateLimit | string |
A time period within which repeated messages will not be posted. Can be
specified in seconds (default or with 's' suffix), minutes ('m' suffix)
or hours ('h' suffix). Only valid with the post action. |
false |
| rateLimitScope | string |
The scope of the provided rate limit argument. Can be "thread" (default),
"process" (all threads for the same process), or "global". If "thread" is
selected then rate limiting applies per thread; if "process" is selected
then rate limiting applies per process; if "global" is selected then rate
limiting applies regardless of which process or thread caused the action.
Only valid with the post action and with a rateLimit specified. |
false |
| userStackTrace | boolean |
Enable user stack trace export. Only valid with the post action. |
false |
TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnArgs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| operator | enum |
Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr |
true |
| args | []integer |
Position of the operator arguments (in spec file) to apply fhe filter to. |
false |
| index | integer |
Position of the argument (in function prototype) to apply fhe filter to. Format: int32 Minimum: 0 |
false |
| values | []string |
Value to compare the argument against. |
false |