use-case: add policy to use load_info and report if module is signed

This allows to report if the module is signed, this information is constructed early inside the 'load_info' before parsing the final information into 'load_info->module'. Example output: "function_name": "find_module_sections", "args": [ { "module_arg": { "name": "xfs", "signature_ok": true } } ], "action": "KPROBE_ACTION_POST" Signed-off-by: Djalal Harouni <[email protected]>
cilium · Sep 9, 2023 · 0abe95a · 0abe95a
1 parent 033a025
commit 0abe95a
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/examples/tracingpolicy/host-changes/monitor-signed-kernel-modules.yaml b/examples/tracingpolicy/host-changes/monitor-signed-kernel-modules.yaml
@@ -0,0 +1,51 @@
+# This tracing policy monitors kernel modules operations.
+#
+# Description:
+#  This tracing policy reports loading of signed and unsigned modules
+#
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "monitor-signed-kernel-modules"
+  #annotations:
+    #description: "Monitor kernel modules signature"
+    #author: "Djalal Harouni"
+spec:
+  kprobes:
+  - call: "security_kernel_module_request"
+    # Automatic module loading detection
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "string"
+    returnArg:
+      index: 0
+      type: "int"
+  - call: "security_kernel_read_file"
+    # Explicit module loading using file descriptor finit_module() to print module full path
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "file"
+    - index: 1
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "2"  # READING_MODULE
+  - call: "find_module_sections"
+    # On some kernels find_module_sections is inlined, if so this kprobe will fail.
+    syscall: false
+    args:
+    - index: 0
+      type: "nop"
+    - index: 1
+      type: "load_info"
+