---
# Tetragon TracingPolicy: kernel module loading.
#
# Reports kernel module loads, signed and unsigned, by hooking three kernel
# functions on the module-loading path. Each kprobe records the arguments it
# lists; where `return: true` is set the hook's return value is captured too
# (an int for the two LSM hooks), so the event also shows whether the hook
# accepted or refused the operation.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "monitor-signed-kernel-modules"
  # Optional descriptive annotations, left disabled in the original policy:
  # annotations:
  #   description: "Monitor kernel modules signature"
  #   author: "Djalal Harouni"
spec:
  kprobes:
    # 1. Implicit (automatic) module loading: the kernel requests a module
    #    by name. Arg 0 is the requested module name.
    - call: "security_kernel_module_request"
      syscall: false
      return: true
      args:
        - index: 0
          type: "string"
      returnArg:
        index: 0
        type: "int"

    # 2. Explicit loading through a file descriptor (finit_module()).
    #    Arg 0 is the file being read, which gives the module's full path;
    #    arg 1 is the read-purpose id. The selector keeps only value 2
    #    (READING_MODULE) so other callers of this hook are not reported.
    - call: "security_kernel_read_file"
      syscall: false
      return: true
      args:
        - index: 0
          type: "file"
        - index: 1
          type: "int"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchArgs:
            - index: 1
              operator: "Equal"
              values:
                - "2"  # READING_MODULE

    # 3. Module section parsing during load. Arg 0 is ignored (nop); the
    #    load_info argument is what carries the per-module details this policy
    #    is named for (presumably name and signature state — confirm against
    #    the load_info arg type in the Tetragon docs). On some kernels
    #    find_module_sections is inlined; if so, this kprobe will fail.
    - call: "find_module_sections"
      syscall: false
      args:
        - index: 0
          type: "nop"
        - index: 1
          type: "load_info"