Skip to content

Commit

Permalink
tetragon: Adding lists documentation
Browse files Browse the repository at this point in the history 
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
  • Loading branch information
@olsajiri @kkourt
olsajiri authored and kkourt committed Sep 5, 2023
1 parent 005f3d3 commit 04874e0
Showing 1 changed file with 181 additions and 0 deletions.
181 changes: 181 additions & 0 deletions docs/content/en/docs/concepts/tracing-policy/hooks.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,187 @@ spec:
# [...]
```

### Lists

It's possible to define list of functions and use it in the kprobe's `call` field.

Following example traces all `sys_dup[23]` syscalls.


```yaml
spec:
lists:
- name: "dups"
type: "syscalls"
values:
- "sys_dup"
- "sys_dup2"
- "sys_dup3"
kprobes:
- call: "list:dups"
```

It is basically a shortcut for following policy:

```yaml
spec:
kprobes:
- call: "sys_dup"
syscall: true
- call: "sys_dup2"
syscall: true
- call: "sys_dup3"
syscall: true
```

As shown in subsequent examples, its main benefit is allowing a single definition for
calls that have the same filters.

The list is defined under `lists` field with arbitrary values for `name` and `values` fields.

```yaml
spec:
lists:
- name: "dups"
type: "syscalls"
values:
- "sys_dup"
- "sys_dup2"
- "sys_dup3"
...
```

It's possible to define multiple lists.

```yaml
spec:
lists:
- name: "dups"
type: "syscalls"
values:
- "sys_dup"
- "sys_dup2"
- "sys_dup3"
name: "another"
- "sys_open"
- "sys_close"
```

Specific list can be referenced in kprobe's `call` field with `"list:NAME"` value.

```yaml
spec:
lists:
- name: "dups"
...
kprobes:
- call: "list:dups"
```

The kprobe definition creates a kprobe for each item in the list and shares the rest
of the config specified for kprobe.

List can also specify `type` field that implies extra checks on the values (like for `syscall` type)
or denote that the list is generated automatically (see below).
User must specify `syscall` type for list with syscall functions. Also `syscall` functions
can't be mixed with regular functions in the list.

The additional selector configuration is shared with all functions in the list.
In following example we create 3 kprobes that share the same pid filter.


```yaml
spec:
lists:
- name: "dups"
type: "syscalls"
values:
- "sys_dup"
- "sys_dup2"
- "sys_dup3"
kprobes:
- call: "list:dups"
selectors:
- matchPIDs:
- operator: In
followForks: true
isNamespacePID: false
values:
- 12345
```

It's possible to use argument filter together with the `list`.

It's important to understand that the argument will be retrieved by using the specified
argument type for all the functions in the list.

Following example adds argument filter for first argument on all functions in dups list to
match value 9999.

```yaml
spec:
lists:
- name: "dups"
type: "syscalls"
values:
- "sys_dup"
- "sys_dup2"
- "sys_dup3"
kprobes:
- call: "list:dups"
args:
- index: 0
type: int
selectors:
- matchArgs:
- index: 0
operator: "Equal"
values:
- 9999
```

There are two additional special types of generated lists.

The `generated_syscalls` type of list that generates list with all possible
syscalls on the system.

Following example traces all syscalls for `/usr/bin/kill` binary.

```yaml
spec:
lists:
- name: "all-syscalls"
type: "generated_syscalls"
kprobes:
- call: "list:all-syscalls"
selectors:
- matchBinaries:
- operator: "In"
values:
- "/usr/bin/kill"
```

The `generated_ftrace` type of list that generates functions from ftrace `available_filter_functions`
file with specified filter. The filter is specified with `pattern` field and expects regular expression.

Following example traces all kernel `ksys_*` functions for `/usr/bin/kill` binary.

```yaml
spec:
lists:
- name: "ksys"
type: "generated_ftrace"
pattern: "^ksys_*"
kprobes:
- call: "list:ksys"
selectors:
- matchBinaries:
- operator: "In"
values:
- "/usr/bin/kill"
```

## Uprobes

{{% pageinfo %}}
Expand Down

0 comments on commit 04874e0

Please sign in to comment.