Description
Is there an existing issue for this?
- I have searched the existing issues
Is your feature request related to a problem?
No response
Describe the feature you would like
Adding support for uretprobes, so that we can monitor bash user input via readline() return values.
Describe your proposed solution
I have been experimenting with tracing bash input using Tetragon policies. For example, attaching an uprobe to /bin/bash with symbol: readline:

    apiVersion: cilium.io/v1alpha1
    kind: TracingPolicy
    metadata:
      name: trace-bash-readline
    spec:
      uprobes:
      - path: "/bin/bash"
        symbols:
        - "readline"
        args:
        - index: 0
          type: "string"
          returnCopy: true

What I observe is that the event only contains the prompt string (PS1 with escape codes), not the actual user input typed (e.g. echo hello).
From my understanding of how GNU Readline works:
- arg0 = the prompt string (what bash prints before waiting for input).
- return value of readline() = the actual line typed by the user.
Currently, Tetragon UProbeSpec only has Args []KProbeArg and returnCopy: true within KProbeArg, but it seems that uretprobe (function return value probes) is not supported, at least for uprobes.
My question:
- Is there a reason Tetragon does not support uretprobe for uprobes (similar to kretprobes)?
- Are there technical limitations (e.g. performance, stability, verifier issues) that prevent return-value capture for uprobes?
- Would you consider adding support for uretprobes so that monitoring bash user input via readline() return values becomes possible?
Use case:
Monitoring interactive shell input (commands as typed by the user) is valuable for security auditing and intrusion detection. At the moment, only the prompt string can be captured, which isn’t very useful.
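As an added illustration of the entry-vs-return distinction described in this issue (this is not code from the issue or from the Tetragon project), the following bpftrace script attaches both a uprobe and a uretprobe to bash's readline(). bpftrace already supports uretprobes, so it shows the data a Tetragon return probe would have access to: the entry probe only sees arg0 (the prompt), while the return probe sees the line the user actually typed. It assumes /bin/bash exports the readline symbol (the case for common distro builds) and that bpftrace is run with sufficient privileges; adjust the binary path if your bash links readline as a shared library instead.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not from the issue or from Tetragon. Demonstrates why the
// return value of readline() is needed: the entry probe sees only the prompt,
// the return probe sees the typed line.
// Assumption: /bin/bash exports the "readline" symbol.

BEGIN
{
	printf("Tracing bash readline() entry and return. Hit Ctrl-C to end.\n");
}

// Function entry: arg0 is the prompt string bash prints before waiting.
// This is what an entry-only uprobe (index 0, returnCopy) would capture.
uprobe:/bin/bash:readline
{
	printf("[entry]  pid=%d uid=%d prompt=%s\n", pid, uid, str(arg0));
}

// Function return: retval is a char* to the line the user typed.
// readline() returns NULL on EOF (Ctrl-D), so guard before dereferencing.
uretprobe:/bin/bash:readline
/retval != 0/
{
	time("%H:%M:%S ");
	printf("[return] pid=%d uid=%d line=%s\n", pid, uid, str(retval));
}
```

Run it in one terminal and type a command such as echo hello in an interactive bash in another: the entry line shows the PS1 prompt (escape codes included), and the return line shows echo hello, which is the value this feature request asks Tetragon to expose. The retval != 0 filter matters for auditing: an EOF (Ctrl-D) ends the session with a NULL return, which would otherwise appear as an empty typed line.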