- Jul 24, 2024
-
-
Kornilios Kourtis authored
Signed-off-by:
Kornilios Kourtis <kornilios@isovalent.com>
-
Kornilios Kourtis authored
The v0.1 tag failed to build, so let's move to the next. Signed-off-by:
Kornilios Kourtis <kornilios@isovalent.com>
-
Kornilios Kourtis authored
Signed-off-by:
Kornilios Kourtis <kornilios@isovalent.com>
-
Kornilios Kourtis authored
While tagging rthooks/v0.1, the GH action that builds the images failed with:
  Error: buildx failed with: ERROR: failed to solve: target stage "release" could not be found
Rename the final target to release to fix this. Signed-off-by:
Kornilios Kourtis <kornilios@isovalent.com>
-
Kornilios Kourtis authored
As noted in https://github.com/cilium/tetragon/issues/2542#issuecomment-2211161739, the instructions miss the part of pushing the api tag to the remote repo. Fixes: cf0a49dc "release_template: also tag API module" Signed-off-by:
Kornilios Kourtis <kornilios@isovalent.com>
-
Djalal Harouni authored
Working with processapi object is better, so change userinfo.MsgToExecveAccountUnix() to use processapi.MsgExecveEventUnix as an argument. Signed-off-by:
Djalal Harouni <tixxdz@gmail.com>
-
- Jul 23, 2024
-
-
Lorenz Bauer authored
Manually update the dependency and remove usage of the deprecated LogSize field. Signed-off-by:
Lorenz Bauer <lmb@isovalent.com>
-
SimonB authored
The Docker buildx plugin is required as part of make image - it may or may not be installed by a user's Docker installation. Signed-off-by:
SimonB <simonb@kaizo.org>
-
Mahe Tardy authored
Apparently, search engines started referencing content from deploy preview and the Netlify deploy. Since we use GitHub pages to deploy at the moment, let's ask robots to not index nor follow when building with Netlify. Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
Mahe Tardy authored
Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
Mahe Tardy authored
Netlify is used only for previews at the moment, we deploy on GitHub pages. Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
Mahe Tardy authored
This will allow setting some settings for development, on preview and other non-production environments. For example, trying to have an appropriate robots.txt/headers to prevent search engine indexation on previews. Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
- Jul 22, 2024
-
-
Anna Kapuscinska authored
This is a general rewrite of pkg/metrics library, but in a fully backwards compatible way. Goals and key components are described in doc.go. Fixes: #2376 Signed-off-by:
Anna Kapuscinska <anna@isovalent.com>
-
Anna Kapuscinska authored
This commit is a preparation for the further extension of pkg/metrics. There are no functional changes, only moving code around:
- moved helpers for creating metrics from metricwithpod.go and granularmetric.go to per-type files: counter.go, gauge.go and histogram.go
- renamed labels.go to filteredlabels.go
Signed-off-by:
Anna Kapuscinska <anna@isovalent.com>
-
Mahe Tardy authored
Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
Mahe Tardy authored
Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
Scott Lowe authored
Consolidate commands for multi-node Kubernetes clusters Signed-off-by:
Scott Lowe <scott.lowe@isovalent.com>
-
Scott Lowe authored
Update Docker installation instructions to deploy demo app. Add Docker Compose file to deploy demo app on Docker. Update execution events with better Docker instructions. Fix a few typos. Change headings to sentence case per style guidelines. Signed-off-by:
Scott Lowe <scott.lowe@isovalent.com>
-
Scott Lowe authored
Update Kubernetes install instructions to call out single node cluster assumption. Update execution monitoring instructions to provide commands for using multi-node clusters. Fixes #2680 Signed-off-by:
Scott Lowe <scott.lowe@isovalent.com>
-
Kornilios Kourtis authored
For historic reasons, the tracing sensor has three different aspects: kprobes, tracepoints, and (recently) lsm hooks. Also for historic reasons, we did not allow tracepoints and kprobes in the same policy. With the addition of the LSM sensor (8eb13e8a), if a policy includes an lsm section together with either a kprobe section or a tracepoint section, the lsm section will be ignored. This patch rejects policies that have more than one section of kprobes, tracepoints, and lsm hooks in the policy. A better solution would be to decouple the tracing sensor, and create one sensor for kprobes, one for tracepoints, and one for lsm sensors. See: https://github.com/cilium/tetragon/issues/2706 Fixes: 8eb13e8a Signed-off-by:
Kornilios Kourtis <kornilios@isovalent.com>
-
Mahe Tardy authored
Having uncommented "Thanks for contributing! Please ensure your pull request adheres to the following guidelines:" in most PRs was generating unnecessary noise. I think it's relevant that the author of a PR sees the guideline and the checklist but maybe it's not relevant to display it every time. Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
- Jul 19, 2024
-
-
Mahe Tardy authored
Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
Mahe Tardy authored
Resize the override_tasks if needed to save memory, thus we are saving ~3MB of kernel memory by kprobe that are not using the override action. Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
Mahe Tardy authored
It can be confusing that only the per policy maps are configured here. Noting that the per kprobe setup is done elsewhere. Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
cilium-renovate[bot] authored
Signed-off-by:
cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com>
-
Mahe Tardy authored
Very similar to 1e9b9c7b. It was merged just before that fix and was not yet rebased with the new base image so it escaped the test failure. Signed-off-by:
Mahe Tardy <mahe.tardy@gmail.com>
-
Djalal Harouni authored
Signed-off-by:
Djalal Harouni <tixxdz@gmail.com>
-
Djalal Harouni authored
Store the thread leader namespaces during fork so we can check later if they changed, as right now they are only stored late during execv which will point to a new exec_id entry anyway. Right now during fork they are zeroed in the execve_map, which makes it unreliable to detect if they changed between the fork and the final execve; they will always be reported as if they changed, which could be a false positive report. While we are at it, improve how we fetch and store capabilities. Signed-off-by:
Djalal Harouni <tixxdz@gmail.com>
-
Andrei Fedotov authored
Adding section about LSM hook points. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Adding examples of lsm tracing policies to monitor file access and process execution. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Generic LSM BPF needs more complex userspace logic to load, so ignore it. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Adding test to check enforcement for generic LSM sensor. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Adding tests for generic LSM sensor - load and apply tracing policy. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Adding PROCESS_LSM to exportAllowList event_set values. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Adding generic LSM sensor that reads LSM crd config and sets up LSM programs. The LSM is configured with hook, like:
  spec:
    lsmhooks:
    - hook: "bprm_check_security"
Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Adding LSM message/event definition. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Use features.HaveProgramType(ebpf.LSM) and inspect /sys/kernel/security/lsm file to check LSM availability. Try to load and attach simple LSM probe. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Set up tailcalls map for generic LSM sensor. Add LSMOpen function to override attach points collected from section names. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-
Andrei Fedotov authored
Adding generic LSM bpf. It follows the kprobe/tracepoint/uprobe logic and also calls the same generic functions. Signed-off-by:
Andrei Fedotov <anfedotoff@yandex-team.ru>
-