Argument types

Argument types for data retrieval

Each argument definition specifies the data type to be retrieved from the kernel argument. The list contains simple POD types and several complex kernel objects that are represented by the data extracted from them.

List of described data types:

sint8, int8

The data type extracts an 8-bit signed value.

uint8

The data type extracts an 8-bit unsigned value.

sint16, int16

The data type extracts a 16-bit signed value.

uint16

The data type extracts a 16-bit unsigned value.

int, sint32, int32

The data type extracts a 32-bit signed value.

uint32

The data type extracts a 32-bit unsigned value.

long, sint64, int64

The data type extracts a 64-bit signed value.

ulong, uint64, size_t

The data type extracts a 64-bit unsigned value.

string

The data type extracts a string terminated with a zero byte.

skb

TBD

sock

TBD

char_buf

TBD

char_iovec

TBD

filename

TBD

fd

TBD

cred

TBD

const_buf

TBD

nop

TBD

bpf_attr

TBD

perf_event

TBD

bpf_map

TBD

user_namespace

TBD

capability

TBD

kiocb

TBD

iov_iter

TBD

load_info

TBD

module

TBD

syscall64

TBD

kernel_cap_t

TBD

cap_inheritable

TBD

cap_permitted

TBD

cap_effective

TBD

linux_binprm

The linux_binprm data type represents the kernel struct linux_binprm object and retrieves the full path of struct linux_binprm::file.

See the general path limitations in path retrieval limits.

data_loc

TBD

net_device

TBD

sockaddr

TBD

socket

TBD

file

The file data type represents the kernel struct file object and retrieves the file’s full path.

See the general path limitations in path retrieval limits.

dentry

The dentry data type represents the kernel struct dentry object and retrieves the related path within one mountpoint.

This stems from the fact that with just struct dentry, Tetragon does not have mount information and so does not have enough data to pass through mount points within the path.

See the general path limitations in path retrieval limits.

path

The path data type represents the kernel struct path object and retrieves the related path.

See the general path limitations in path retrieval limits.

path retrieval limits

Full path retrieval is supported when running on kernels v5.3 and later.

When running on older kernels there is a limit of 256 path components, which means the maximum path length (4096) can still be retrieved, but only with up to 256 path entries (directories and file name).
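
How these types are used in an argument definition, as an added example that is not part of the original page: a Tetragon TracingPolicy that records executed binaries through the linux_binprm type and accesses to files under /etc/ through the file and int types. The policy name, the choice of hooks and the /etc/ prefix are assumptions made for illustration.

```yaml
# Added example; policy name, hooks and the /etc/ prefix are assumptions.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "argument-types-example"
spec:
  kprobes:
  # int security_bprm_check(struct linux_binprm *bprm)
  - call: "security_bprm_check"
    syscall: false
    args:
    - index: 0
      type: "linux_binprm"   # full path of linux_binprm::file
  # int security_file_permission(struct file *file, int mask)
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"           # full path of the file
    - index: 1
      type: "int"            # 32-bit signed access mask
    selectors:
    - matchArgs:
      - index: 0             # match on the path retrieved for the file argument
        operator: "Prefix"
        values:
        - "/etc/"
```

On kernels older than v5.3, the paths reported by both hooks are subject to the 256-component limit described above.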