apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: "bpf-library-policy" spec: kprobes: - call: "bpf_check" syscall: false args: - index: 1 type: "bpf_attr" - call: "security_perf_event_alloc" syscall: false args: - index: 0 type: "perf_event" - call: "security_bpf_map_alloc" syscall: false args: - index: 0 type: "bpf_map" - call: "security_file_permission" syscall: false return: true args: - index: 0 type: "file" # (struct file *) used for getting the path - index: 1 type: "int" # 0x04 is MAY_READ, 0x02 is MAY_WRITE returnArg: index: 0 type: "int" returnArgAction: "Post" selectors: - matchArgs: - index: 0 operator: "Prefix" values: - "/sys/fs/bpf" # Reads to BPFFS - index: 1 operator: "Equal" values: - "4" # MAY_READ - matchArgs: - index: 0 operator: "Prefix" values: - "/sys/fs/bpf" # Reads to BPFFS - index: 1 operator: "Equal" values: - "2" # MAY_WRITE - call: "security_mmap_file" syscall: false return: true args: - index: 0 type: "file" # (struct file *) used for getting the path - index: 1 type: "uint32" # the prot flags PROT_READ(0x01), PROT_WRITE(0x02), PROT_EXEC(0x04) - index: 2 type: "uint32" # the mmap flags (i.e. MAP_SHARED, ...) returnArg: index: 0 type: "int" returnArgAction: "Post" selectors: - matchArgs: - index: 0 operator: "Prefix" values: - "/sys/fs/bpf" # Reads to BPFFS - index: 1 operator: "Equal" values: - "1" # MAY_READ - index: 2 operator: "Mask" values: - "1" # MAP_SHARED - matchArgs: - index: 0 operator: "Prefix" values: - "/sys/fs/bpf" # Reads to BPFFS - index: 1 operator: "Mask" values: - "2" # PROT_WRITE - index: 2 operator: "Mask" values: - "1" # MAP_SHARED