Argument types
Each argument definition specifies data type to be retrieved from kernel argument. The list contains simple POD types and several complex kernel objects that are represented by extracted data type.
List of described data types:
sint8, int8uint8sint16, int16uint16int, sint32, int32uint32long, sint64, int64ulong, uint64, size_tstringskbsockchar_bufchar_iovecfilenamepathfdcredconst_bufnopbpf_attrperf_eventbpf_mapuser_namespacecapabilitykiocbiov_iterload_infomodulesyscall64kernel_cap_tcap_inheritablecap_permittedcap_effectivelinux_binprmdata_locnet_devicesockaddrsocketfiledentry
sint8, int8
The data type extracts 8-bit signed value.
uint8
The data type extracts 8-bit unsigned value.
sint16, int16
The data type extracts 16-bit signed value.
uint16
The data type extracts 16-bit unsigned value.
int, sint32, int32
The data type extracts 32-bit signed value.
uint32
The data type extracts 32-bit unsigned value.
long, sint64, int64
The data type extracts 64-bit signed value.
ulong, uint64, size_t
The data type extracts 64-bit unsigned value.
string
The data type extracts string terminated with zero byte.
skb
TBD
sock
TBD
char_buf
TBD
char_iovec
TBD
filename
TBD
fd
TBD
cred
TBD
const_buf
TBD
nop
TBD
bpf_attr
TBD
perf_event
TBD
bpf_map
TBD
user_namespace
TBD
capability
TBD
kiocb
TBD
iov_iter
TBD
load_info
TBD
module
TBD
syscall64
TBD
kernel_cap_t
TBD
cap_inheritable
TBD
cap_permitted
TBD
cap_effective
TBD
linux_binprm
The linux_binprm data type represents kernel struct linux_binprm object
and retrieves the struct linux_binprm::file full path.
See general path limitations in path retrieval limits)
data_loc
TBD
net_device
TBD
sockaddr
TBD
socket
TBD
file
The file data type represents kernel struct file object and retrieves
the file’s full path.
See general path limitations in path retrieval limits)
dentry
The dentry data type represents kernel struct dentry object retrieves
the related path within one mountpoint.
This stems from the fact that with just struct dentry tetragon does not have
mount information and does not have enough data to pass through main point within
the path.
See general path limitations in path retrieval limits)
path
The path data type represents kernel struct path object retrieves
the related path.
See general path limitations in path retrieval limits)
path retrieval limits
We allow to retrieve full path when running on kernels v5.3 and later.
When running on older kernels there’s limit of 256 path components, which means we can retrieve maximum path (4096) but only with 256 path entries (directories and file name).