# This tracing policy monitors kernel modules operations.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "monitor-kernel-modules"
  annotations:
    description: "Monitor kernel modules operations"
spec:
  kprobes:
  - call: "security_kernel_module_request"
    message: "Kernel module requested and is being loaded automatically"
    syscall: false
    return: true
    args:
    - index: 0
      type: "string"
    returnArg:
      index: 0
      type: "int"
  - call: "security_kernel_read_file"
    message: "Kernel module is being loaded"
    # Explicit module loading using file descriptor finit_module() to print module full path
    syscall: false
    return: true
    args:
    - index: 0
      type: "file"
    - index: 1
      type: "int"
    returnArg:
      index: 0
      type: "int"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "2"  # READING_MODULE