# This tracing policy monitors kernel modules operations.
#
# Description:
#  This tracing policy report the process that is trying to:
#  - Explicitly load modules using init_module() and finit_module().
#  - Implicitly or automatically loading a module due to a missing kernel feature.
#  - Loading of unsigned modules
#  - Unload a module using the standard API
#
# Limitation:
#  - For init_module() we are not able to get the full path of the module, as loading
#    the module is done by userspace then data is passed to kernel.
#  - Some exploits or rootkits may hide modules by unlinking them from the kernel module
#    state without unloading it. To detect those the load module hooks are the way.
#
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "monitor-kernel-modules"
  #annotations:
    #description: "Monitor kernel modules operations"
    #author: "Djalal Harouni"
spec:
  kprobes:
  - call: "security_kernel_module_request"
    # Automatic module loading detection
    syscall: false
    return: true
    args:
    - index: 0
      type: "string"
    returnArg:
      index: 0
      type: "int"
  - call: "security_kernel_read_file"
    # Explicit module loading using file descriptor finit_module() to print module full path
    syscall: false
    return: true
    args:
    - index: 0
      type: "file"
    - index: 1
      type: "int"
    returnArg:
      index: 0
      type: "int"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "2"  # READING_MODULE
  - call: "do_init_module"
    # Handles both init_module() and finit_module().
    syscall: false
    args:
    - index: 0
      type: "module"
  - call: "free_module"
    # Report the module being unloaded. Limitation: some exploits may unlink the module directly
    # from the kernel internal state but not stop it. This hook won't catch it.
    syscall: false
    args:
    - index: 0
      type: "module"