# This 'privileges-setuid-root' Tracing Policy monitors processes trying # to change their uids/gids to user root. # # __sys_setuid # - __x64_sys_setuid # - __ia32_sys_setuid # - __x64_sys_setuid16 # - __ia32_sys_setuid16 # # __sys_setgid # - __x64_sys_setgid # - __ia32_sys_setgid # - __x64_sys_setgid16 # - __ia32_sys_setgid16 # # __sys_setreuid # - __x64_sys_setreuid # - __ia32_sys_setreuid # - __x64_sys_setreuid16 # - __ia32_sys_setreuid16 # # __sys_setregid # - __x64_sys_setregid # - __ia32_sys_setregid # - __x64_sys_setregid16 # - __ia32_sys_setregid16 # # __sys_setresuid # - __x64_sys_setresuid # - __ia32_sys_setresuid # - __x64_sys_setresuid16 # - __ia32_sys_setresuid16 # # __sys_setresgid # - __x64_sys_setresgid # - __ia32_sys_setresgid # - __x64_sys_setresgid16 # - __ia32_sys_setresgid16 # # __sys_setfsuid # - __x64_sys_setfsuid # - __ia32_sys_setfsuid # - __x64_sys_setfsuid16 # - __ia32_sys_setfsuid16 # # __sys_setfsgid # - __x64_sys_setfsgid # - __ia32_sys_setfsgid # - __x64_sys_setfsgid16 # - __ia32_sys_setfsgid16 # apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: "privileges-setuid-root" spec: kprobes: - call: "__sys_setuid" syscall: false return: true args: - index: 0 type: "int" returnArg: index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setgid" syscall: false return: true args: - index: 0 type: "int" returnArg: index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setreuid" syscall: false return: true args: - index: 0 type: "int" - index: 1 type: "int" returnArg: index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 1 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setregid" syscall: false return: true args: - index: 0 type: "int" - index: 1 type: "int" returnArg: index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 1 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setresuid" syscall: false return: true args: - index: 0 type: "int" - index: 1 type: "int" - index: 2 type: "int" returnArg: index: 0 type: "int" selectors: - matchArgs: - index: 1 # We care about the effective user id to reduce noise operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 2 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setresgid" syscall: false return: true args: - index: 0 type: "int" - index: 1 type: "int" - index: 2 type: "int" returnArg: index: 0 type: "int" selectors: - matchArgs: - index: 1 # We care about the effective group id to reduce noise operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - matchArgs: - index: 2 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setfsuid" syscall: false return: true args: - index: 0 type: "int" returnArg: index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min - call: "__sys_setfsgid" syscall: false return: true args: - index: 0 type: "int" returnArg: index: 0 type: "int" selectors: - matchArgs: - index: 0 operator: "Equal" values: - "0" matchActions: - action: Post rateLimit: "1m" # Rate limit messages to 1min