Closed
Description
What happened?
Hello! In Tetragon 1.3.0 and below we use the file type letter in the permission field of the file argument to detect some suspicious behavior in one of our policies (do_dup2 intercept):
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "dup"
spec:
  kprobes:
  - call: "do_dup2"
    syscall: false
    return: true
    args:
    - index: 1
      type: "file"
    - index: 2
      type: "int"
      label: "fd"
    returnArg:
      index: 0
      type: "int"
    selectors:
    - matchArgs:
      - index: 2
        operator: "Equal"
        values:
        - "0" # stdin
As a result we have the required letter in the event (some data omitted):
"args":[
  {
    "file_arg":{
      "permission":"srwxrwxrwx"
    }
  },
  {
    "int_arg":0,
    "label":"fd"
  }
]
In Tetragon 1.4.0 this letter is gone (some data omitted):
"args":[
  {
    "file_arg":{
      "permission":"-wxrwxrwx"
    }
  },
  {
    "int_arg":0,
    "label":"fd"
  }
]
The above-mentioned file is a socket, so we can distinguish it only from the file letter in the permission field. Looks like a bug.
Tetragon Version
1.4.0
Kernel Version
Linux syft 6.1.0-31-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.128-1 (2025-02-07) x86_64 GNU/Linux
Kubernetes Version
No kubernetes installed.
Bugtool
No response
Relevant log output
Anything else?
No response
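An added example, not part of the original issue or the Tetragon project's code: a consumer-side check that keys on the type letter as the report describes, but returns a separate result when the permission string is not the 10-character form, so a format change like the one shown for 1.4.0 surfaces instead of silently matching nothing. The `process_kprobe` / `function_name` envelope, the function names and the sample events are assumptions constructed for the example.

```python
import json

# Leading type letter of an ls-style mode string.
TYPE_LETTERS = {"-": "regular", "d": "directory", "l": "symlink", "s": "socket",
                "p": "fifo", "c": "char device", "b": "block device"}

def classify_permission(perm):
    """File type from the leading letter; None unless perm is the
    10-character form (type letter + 9 mode characters)."""
    if not isinstance(perm, str) or len(perm) != 10:
        return None
    return TYPE_LETTERS.get(perm[0])

def check_dup_event(line):
    """Return 'socket-on-stdin', 'type-unknown', 'other' or 'skip'."""
    kprobe = json.loads(line).get("process_kprobe")  # assumed envelope
    if not kprobe or kprobe.get("function_name") != "do_dup2":
        return "skip"
    perm = fd = None
    for arg in kprobe.get("args", []):
        if "file_arg" in arg:
            perm = arg["file_arg"].get("permission")
        elif arg.get("label") == "fd":
            fd = arg.get("int_arg", 0)
    if fd != 0:
        return "other"
    ftype = classify_permission(perm)
    if ftype is None:
        return "type-unknown"  # surface it, do not treat as "not a socket"
    return "socket-on-stdin" if ftype == "socket" else "other"

def _event(perm):
    # Constructed sample event, not captured output.
    return json.dumps({"process_kprobe": {"function_name": "do_dup2", "args": [
        {"file_arg": {"permission": perm}}, {"int_arg": 0, "label": "fd"}]}})

SAMPLES = [_event("srwxrwxrwx"), _event("-wxrwxrwx"), _event("-rw-r--r--")]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_dup_event(s))
```

Alerting on `type-unknown` separately keeps the rule from going quiet when the agent is upgraded and the field format changes.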