Tristan d'Audibert
Basically, what I think could be done is similar to Tetragon. LSM is defined here https://elixir.bootlin.com/linux/latest/source/security/security.c What Tetragon does is use user-based observability policy to load custom hooks...
I extended this to 50, but did not check if the size can cause any display problem. I'll leave this issue open in case any bugs occur
> However, one issue with the approach that the PR follows is that now we have two ways for matching arguments (`matchArgs` and `matchCapabilities`). Is there a reason why we...
Moving to draft until the changes discussed are applied
The CI fails on 4.19. I guess I should restrict the operator to programs with the `__LARGE_BPF_PROG` flag? EDIT: Done. The feature requires a 5.4+ kernel
I pushed an intermediate version to see if 4.19 CI works. If it does, I'll add the `NotCapability` filter. But it will probably be necessary to restrict it to kernel...
Latest change includes:
- Changing operator name from `Capability` to `CapabilityMask`
- Removing all references to the new `op_filter_capability`. The workflow now follows `Mask` operator.
- `Mask` operator now...
> lgtm, needs rebase though

Do you think the PR is good to merge with such an implementation? With the discussion in https://github.com/cilium/tetragon/pull/3852#issuecomment-3008509829, and with all the messages before, I...
> @tdaudi do you still plan to merge this PR given that we merged #3852? If no further changes are needed, I'm closing this PR. Thanks a lot for #3852
Several problems remain with the draft.
- [ ] I use `apt install bpftrace` to install bpftrace. Problem is, on Ubuntu the package is not up-to-date. So next step will...