Tracing Policy

This reference documentation is generated from the Tracing Policy CRD specification, detailing its fields and usage.

A TracingPolicy is a user-configurable Kubernetes custom resource (CR) that defines how Tetragon observes events in both the kernel and userspace using eBPF. It supports a variety of hook points including kprobes, uprobes, tracepoints, LSM hooks, and USDTs, giving users fine-grained control over what to trace and what actions to take. Policies consist of hook points, selectors for in-kernel filtering, and optional actions that can be executed when a match occurs.

Tracing policies can be loaded and unloaded dynamically at runtime or applied at startup using configuration flags. Although structured as Kubernetes CRs, they can also be used in non-Kubernetes environments via Tetragon’s CLI or daemon flags. In Kubernetes, policies can be managed using kubectl or tools like Argo CD.
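The structure described above (one hook point, one selector that filters in the kernel, one action), shown as an added example that is not part of the generated reference or of the Tetragon project. The policy name, message text and file paths are constructed for illustration; every field used is documented in the tables on this page.

```yaml
# Added example: report access to a credential file by any binary other
# than the expected one. Name, message and paths are constructed values.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: example-credential-file-access
spec:
  kprobes:
  - call: security_file_permission   # kernel function, so syscall must be false
    syscall: false
    message: "Access to a monitored credential file"
    args:
    - index: 0        # first argument of the hooked function, decoded as a file
      type: file
    - index: 1        # second argument, the requested access mask
      type: int
    selectors:
    # Filters inside one selector must all match; separate selectors are ORed.
    - matchArgs:
      - index: 0
        operator: Prefix
        values:
        - /etc/shadow
      matchBinaries:
      - operator: NotIn
        values:
        - /usr/bin/passwd
      matchActions:
      - action: Post            # emit an event only, no enforcement
        rateLimit: "1m"         # suppress repeats within one minute
        rateLimitScope: process
```

Because the selector is evaluated in the kernel, events that do not match the path prefix or that come from the excluded binary are never sent to userspace.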

Tracing Policy API Reference

Packages:

cilium.io/v1alpha1

Resource Types:

TracingPolicy

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| apiVersion | string | cilium.io/v1alpha1 | true |
| kind | string | TracingPolicy | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
| spec | object | Tracing policy specification. | true |

TracingPolicy.spec

Tracing policy specification.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| containerSelector | object | ContainerSelector selects containers that this policy applies to. A map of container fields will be constructed in the same way as a map of labels. The name of the field represents the label "key", and the value of the field represents the label "value". Currently, only the "name" field is supported. | false |
| enforcers | []object | An enforcer spec. | false |
| fentries | []object | A list of fentry specs. | false |
| hostSelector | object | HostSelector selects hosts that this policy applies to. For now only ~ (none) and {} (all) are supported. Validations: !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}. | false |
| kprobes | []object | A list of kprobe specs. | false |
| lists | []object | A list of list specs. | false |
| loader | boolean | Enable loader events. | false |
| lsmhooks | []object | A list of uprobe specs. | false |
| options | []object | A list of overloaded options. | false |
| podSelector | object | PodSelector selects pods that this policy applies to. | false |
| selectorsMacros | map[string]object | SelectorsMacros is used to define selectors macros, which can be used in probes/hooks selectors by their names. | false |
| tracepoints | []object | A list of tracepoint specs. | false |
| uprobes | []object | A list of uprobe specs. | false |
| usdts | []object | A list of usdt specs. | false |

TracingPolicy.spec.containerSelector

ContainerSelector selects containers that this policy applies to. A map of container fields will be constructed in the same way as a map of labels. The name of the field represents the label "key", and the value of the field represents the label "value". Currently, only the "name" field is supported.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
| matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | false |

TracingPolicy.spec.containerSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| key | string | key is the label key that the selector applies to. | true |
| operator | enum | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. Enum: In, NotIn, Exists, DoesNotExist. | true |
| values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false |

TracingPolicy.spec.enforcers[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| calls | []string | Calls in which the enforcer is executed. | true |

TracingPolicy.spec.fentries[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| call | string | Name of the function to apply the kprobe spec to. | true |
| args | []object | A list of function arguments to include in the trace output. | false |
| data | []object | A list of data to include in the trace output. | false |
| ignore | object | Conditions for ignoring this kprobe. | false |
| message | string | A short message of 256 characters max that will be included in the event output to inform users what is going on. | false |
| return | boolean | Indicates whether to collect return value of the traced function. Default: false. | false |
| returnArg | object | A return argument to include in the trace output. | false |
| returnArgAction | string | An action to perform on the return value. Use returnArg to include the return value in the event output. Supported actions are: TrackSock;UntrackSock | false |
| selectors | []object | Selectors to apply before producing trace output. Selectors are ORed and short-circuited. | false |
| syscall | boolean | Indicates whether the traced function is a syscall. Default: true. | false |
| tags | []string | Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported. | false |

TracingPolicy.spec.fentries[index].args[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
| type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
| btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
| btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
| label | string | Label to output in the JSON. | false |
| maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
| resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
| returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
| sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
| source | string | Source of the data; if missing, the default is function arguments. | false |

TracingPolicy.spec.fentries[index].data[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
| type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
| btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
| btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
| label | string | Label to output in the JSON. | false |
| maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
| resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
| returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
| sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
| source | string | Source of the data; if missing, the default is function arguments. | false |

TracingPolicy.spec.fentries[index].ignore

Conditions for ignoring this kprobe.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| callNotFound | boolean | Ignores calls that are not present in the system. | false |

TracingPolicy.spec.fentries[index].returnArg

A return argument to include in the trace output.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
| type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
| btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
| btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
| label | string | Label to output in the JSON. | false |
| maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
| resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
| returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
| sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
| source | string | Source of the data; if missing, the default is function arguments. | false |

TracingPolicy.spec.fentries[index].selectors[index]

KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| macros | []string | A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to corresponding filters of the selector. | false |
| matchActions | []object | A list of actions to execute when this selector matches. | false |
| matchArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |
| matchBinaries | []object | A list of binary exec name filters. | false |
| matchCapabilities | []object | A list of capabilities and IDs. | false |
| matchCapabilityChanges | []object | IDs for capabilities changes. | false |
| matchData | []object | A list of argument filters. MatchData are ANDed. | false |
| matchNamespaceChanges | []object | IDs for namespace changes. | false |
| matchNamespaces | []object | A list of namespaces and IDs. | false |
| matchPIDs | []object | A list of process ID filters. MatchPIDs are ANDed. | false |
| matchParentBinaries | []object | A list of process parent exec name filters. | false |
| matchReturnActions | []object | A list of actions to execute when MatchReturnArgs selector matches. | false |
| matchReturnArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchActions[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set. | true |
| argError | integer | Error value for override action. Format: int32. | false |
| argFd | integer | An arg index for the fd for fdInstall action. Format: int32. | false |
| argFqdn | string | An FQDN to look up for the dnsLookup action. | false |
| argIndex | integer | An arg index for the set action. Format: int32. | false |
| argName | integer | An arg index for the filename for fdInstall action. Format: int32. | false |
| argRegs | []string | An arg value for the regs action. | false |
| argSig | integer | A signal number for signal action. Format: int32. | false |
| argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32. | false |
| argUrl | string | A URL for the getUrl action. | false |
| argValue | integer | An arg value for the set action. Format: int32. | false |
| imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
| kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
| rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
| rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
| userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchArgs[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType. | true |
| args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
| index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0. | false |
| values | []string | Value to compare the argument against. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchBinaries[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix. | true |
| values | []string | Value to compare the argument against. | true |
| followChildren | boolean | In addition to binaries, match children processes of specified binaries. Default: false. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchCapabilities[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| operator | enum | Namespace selector operator. Enum: In, NotIn. | true |
| values | []string | Capabilities to match. | true |
| isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false. | false |
| type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted. Default: Effective. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchCapabilityChanges[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| operator | enum | Namespace selector operator. Enum: In, NotIn. | true |
| values | []string | Capabilities to match. | true |
| isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false. | false |
| type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted. Default: Effective. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchData[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType. | true |
| args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
| index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0. | false |
| values | []string | Value to compare the argument against. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchNamespaceChanges[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| operator | enum | Namespace selector operator. Enum: In, NotIn. | true |
| values | []string | Namespace types (e.g., Mnt, Pid) to match. | true |

TracingPolicy.spec.fentries[index].selectors[index].matchNamespaces[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| namespace | enum | Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User. | true |
| operator | enum | Namespace selector operator. Enum: In, NotIn. | true |
| values | []string | Namespace IDs (or host_ns for host namespace) of namespaces to match. | true |

TracingPolicy.spec.fentries[index].selectors[index].matchPIDs[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| operator | enum | PID selector operator. Enum: In, NotIn. | true |
| values | []integer | Process IDs to match. | true |
| followForks | boolean | Matches any descendant processes of the matching PIDs. Default: false. | false |
| isNamespacePID | boolean | Indicates whether PIDs are namespace PIDs. Default: false. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchParentBinaries[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix. | true |
| values | []string | Value to compare the argument against. | true |
| followChildren | boolean | In addition to binaries, match children processes of specified binaries. Default: false. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchReturnActions[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set. | true |
| argError | integer | Error value for override action. Format: int32. | false |
| argFd | integer | An arg index for the fd for fdInstall action. Format: int32. | false |
| argFqdn | string | An FQDN to look up for the dnsLookup action. | false |
| argIndex | integer | An arg index for the set action. Format: int32. | false |
| argName | integer | An arg index for the filename for fdInstall action. Format: int32. | false |
| argRegs | []string | An arg value for the regs action. | false |
| argSig | integer | A signal number for signal action. Format: int32. | false |
| argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32. | false |
| argUrl | string | A URL for the getUrl action. | false |
| argValue | integer | An arg value for the set action. Format: int32. | false |
| imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
| kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
| rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
| rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
| userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |

TracingPolicy.spec.fentries[index].selectors[index].matchReturnArgs[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType. | true |
| args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
| index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0. | false |
| values | []string | Value to compare the argument against. | false |

TracingPolicy.spec.hostSelector

HostSelector selects hosts that this policy applies to. For now only ~ (none) and {} (all) are supported.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
| matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | false |

TracingPolicy.spec.hostSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| key | string | key is the label key that the selector applies to. | true |
| operator | enum | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. Enum: In, NotIn, Exists, DoesNotExist. | true |
| values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false |

TracingPolicy.spec.kprobes[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| call | string | Name of the function to apply the kprobe spec to. | true |
| args | []object | A list of function arguments to include in the trace output. | false |
| data | []object | A list of data to include in the trace output. | false |
| ignore | object | Conditions for ignoring this kprobe. | false |
| message | string | A short message of 256 characters max that will be included in the event output to inform users what is going on. | false |
| return | boolean | Indicates whether to collect return value of the traced function. Default: false. | false |
| returnArg | object | A return argument to include in the trace output. | false |
| returnArgAction | string | An action to perform on the return value. Use returnArg to include the return value in the event output. Supported actions are: TrackSock;UntrackSock | false |
| selectors | []object | Selectors to apply before producing trace output. Selectors are ORed and short-circuited. | false |
| syscall | boolean | Indicates whether the traced function is a syscall. Default: true. | false |
| tags | []string | Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported. | false |

TracingPolicy.spec.kprobes[index].args[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
| type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
| btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
| btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
| label | string | Label to output in the JSON. | false |
| maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
| resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
| returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
| sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
| source | string | Source of the data; if missing, the default is function arguments. | false |

TracingPolicy.spec.kprobes[index].data[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
| type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
| btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
| btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
| label | string | Label to output in the JSON. | false |
| maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
| resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
| returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
| sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
| source | string | Source of the data; if missing, the default is function arguments. | false |

TracingPolicy.spec.kprobes[index].ignore

Conditions for ignoring this kprobe.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| callNotFound | boolean | Ignores calls that are not present in the system. | false |

    TracingPolicy.spec.kprobes[index].returnArg

    ↩ Parent

    A return argument to include in the trace output.

    NameTypeDescriptionRequired
    indexintegerPosition of the argument.

    Format: int32
    Minimum: 0
    true
    typeenumArgument type.

    Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    btfTypestringType to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath.
    false
    btfTypeModulestringKernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf.
    false
    labelstringLabel to output in the JSON
    false
    maxDatabooleanRead maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.

    Default: false
    false
    resolvestringResolve the path to a specific attribute

    Default:
    false
    returnCopybooleanThis field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.

    Default: false
    false
    sizeArgIndexintegerSpecifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    sourcestringSource of the data; if missing, the default is function arguments.
    false

    TracingPolicy.spec.kprobes[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    NameTypeDescriptionRequired
    macros[]stringA list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
    false
    matchActions[]objectA list of actions to execute when this selector matches
    false
    matchArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false
    matchBinaries[]objectA list of binary exec name filters.
    false
    matchCapabilities[]objectA list of capabilities and IDs
    false
    matchCapabilityChanges[]objectIDs for capability changes
    false
    matchData[]objectA list of argument filters. MatchData are ANDed.
    false
    matchNamespaceChanges[]objectIDs for namespace changes
    false
    matchNamespaces[]objectA list of namespaces and IDs
    false
    matchPIDs[]objectA list of process ID filters. MatchPIDs are ANDed.
    false
    matchParentBinaries[]objectA list of process parent exec name filters.
    false
    matchReturnActions[]objectA list of actions to execute when MatchReturnArgs selector matches
    false
    matchReturnArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringAn FQDN to look up for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match child processes of specified binaries.

    Default: false
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchData[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace types (e.g., Mnt, Pid) to match.
    true

    TracingPolicy.spec.kprobes[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namespaceenumNamespace selector name.

    Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace IDs (or host_ns for host namespace) of namespaces to match.
    true

    TracingPolicy.spec.kprobes[index].selectors[index].matchPIDs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumPID selector operator.

    Enum: In, NotIn
    true
    values[]integerProcess IDs to match.
    true
    followForksbooleanMatches any descendant processes of the matching PIDs.

    Default: false
    false
    isNamespacePIDbooleanIndicates whether PIDs are namespace PIDs.

    Default: false
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match child processes of specified binaries.

    Default: false
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringAn FQDN to look up for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicy.spec.kprobes[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false
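
The kprobe selector fields above, combined into one policy. This is an added example, not taken from the Tetragon project: the policy name, message, tag and binary paths are constructed, and `call`, `syscall`, `return` and `returnArgAction` are fields of the parent `kprobes[index]` spec. Filters inside one selector are ANDed, and the two selectors are alternatives.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: etc-write-monitor              # constructed name
spec:
  kprobes:
  - call: "security_file_permission"   # int security_file_permission(struct file *file, int mask)
    syscall: false
    return: true
    message: "Write access requested on a file under /etc"   # constructed text
    tags:
    - "observability.filesystem"       # constructed tag
    args:
    - index: 0
      type: "file"
      label: "target"
    - index: 1
      type: "int"
      label: "mask"
    returnArg:
      index: 0
      type: "int"
    returnArgAction: "Post"
    selectors:
    # Selector 1: write access under /etc by anything except the package
    # manager. matchArgs and matchBinaries must all match (ANDed).
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/"
      - index: 1
        operator: "Equal"
        values:
        - "2"                          # MAY_WRITE
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/bin/dpkg"              # constructed allow-list entry
      matchActions:
      - action: Post
        rateLimit: "1m"                # suppress repeats for one minute
        rateLimitScope: "process"      # counted per process, not per thread
    # Selector 2: the same write check on /etc/shadow, but only for processes
    # outside the host PID namespace, with a kernel stack trace attached.
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "/etc/shadow"
      - index: 1
        operator: "Equal"
        values:
        - "2"                          # MAY_WRITE
      matchNamespaces:
      - namespace: Pid
        operator: NotIn
        values:
        - "host_ns"
      matchActions:
      - action: Post
        kernelStackTrace: true
```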

    TracingPolicy.spec.lists[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namestringName of the list
    true
    patternstringPattern for 'generated' lists.
    false
    typeenumIndicates the type of the list values.

    Enum: syscalls, generated_syscalls, generated_ftrace
    false
    validatedbooleanList was validated
    false
    values[]stringValues of the list
    false

    TracingPolicy.spec.lsmhooks[index]

    ↩ Parent

    NameTypeDescriptionRequired
    hookstringName of the function to apply the kprobe spec to.
    true
    args[]objectA list of function arguments to include in the trace output.
    false
    messagestringA short message of 256 characters max that will be included in the event output to inform users what is going on.
    false
    selectors[]objectSelectors to apply before producing trace output. Selectors are ORed.
    false
    tags[]stringTags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
    false

    TracingPolicy.spec.lsmhooks[index].args[index]

    ↩ Parent

    NameTypeDescriptionRequired
    indexintegerPosition of the argument.

    Format: int32
    Minimum: 0
    true
    typeenumArgument type.

    Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    btfTypestringType to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath.
    false
    btfTypeModulestringKernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf.
    false
    labelstringLabel to output in the JSON
    false
    maxDatabooleanRead maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.

    Default: false
    false
    resolvestringResolve the path to a specific attribute

    Default:
    false
    returnCopybooleanThis field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.

    Default: false
    false
    sizeArgIndexintegerSpecifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    sourcestringSource of the data; if missing, the default is function arguments.
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    NameTypeDescriptionRequired
    macros[]stringA list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
    false
    matchActions[]objectA list of actions to execute when this selector matches
    false
    matchArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false
    matchBinaries[]objectA list of binary exec name filters.
    false
    matchCapabilities[]objectA list of capabilities and IDs
    false
    matchCapabilityChanges[]objectIDs for capability changes
    false
    matchData[]objectA list of argument filters. MatchData are ANDed.
    false
    matchNamespaceChanges[]objectIDs for namespace changes
    false
    matchNamespaces[]objectA list of namespaces and IDs
    false
    matchPIDs[]objectA list of process ID filters. MatchPIDs are ANDed.
    false
    matchParentBinaries[]objectA list of process parent exec name filters.
    false
    matchReturnActions[]objectA list of actions to execute when MatchReturnArgs selector matches
    false
    matchReturnArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringAn FQDN to look up for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match child processes of specified binaries.

    Default: false
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchData[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace types (e.g., Mnt, Pid) to match.
    true

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namespaceenumNamespace selector name.

    Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace IDs (or host_ns for host namespace) of namespaces to match.
    true

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchPIDs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumPID selector operator.

    Enum: In, NotIn
    true
    values[]integerProcess IDs to match.
    true
    followForksbooleanMatches any descendant processes of the matching PIDs.

    Default: false
    false
    isNamespacePIDbooleanIndicates whether PIDs are namespace PIDs.

    Default: false
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match child processes of specified binaries.

    Default: false
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringAn FQDN to look up for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicy.spec.lsmhooks[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false
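
The `lsmhooks` fields above, used for two detections: hashing what a shell executes via `imaHash`, and recording unexpected readers of `/etc/shadow`. This is an added example, not taken from the Tetragon project; the policy name, messages, tags and binary paths are constructed. It assumes a kernel with BPF LSM enabled and, for the hash, the integrity (IMA) subsystem available.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: lsm-exec-hash-and-shadow-open   # constructed name
spec:
  lsmhooks:
  # Hook 1: record every program a shell tries to execute, with the file
  # hash taken from the integrity subsystem.
  - hook: "bprm_check_security"
    message: "Program executed from an interactive shell"   # constructed text
    tags:
    - "observability.exec"              # constructed tag
    args:
    - index: 0
      type: "linux_binprm"              # the binary being executed
    selectors:
    - matchBinaries:                    # the calling process, not the target
      - operator: "In"
        values:
        - "/usr/bin/bash"
        - "/usr/bin/zsh"
      matchActions:
      - action: Post
        imaHash: true                   # only valid with the Post action
  # Hook 2: record opens of /etc/shadow by binaries that are not on the
  # expected list. matchArgs and matchBinaries are ANDed.
  - hook: "file_open"
    message: "Unexpected open of /etc/shadow"   # constructed text
    tags:
    - "observability.credentials"       # constructed tag
    args:
    - index: 0
      type: "file"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "/etc/shadow"
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/sbin/sshd"              # constructed allow-list entries
        - "/usr/bin/passwd"
      matchActions:
      - action: Post
        rateLimit: "30s"
        rateLimitScope: "global"
```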

    TracingPolicy.spec.options[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namestringName of the option
    true
    valuestringValue of the option
    false

    TracingPolicy.spec.podSelector

    ↩ Parent

    PodSelector selects pods that this policy applies to

    NameTypeDescriptionRequired
    matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    false

    TracingPolicy.spec.podSelector.matchExpressions[index]

    ↩ Parent

    A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

    NameTypeDescriptionRequired
    keystringkey is the label key that the selector applies to.
    true
    operatorenumoperator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

    Enum: In, NotIn, Exists, DoesNotExist
    true
    values[]stringvalues is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    false

    TracingPolicy.spec.selectorsMacros[key]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    NameTypeDescriptionRequired
    macros[]stringA list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
    false
    matchActions[]objectA list of actions to execute when this selector matches
    false
    matchArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false
    matchBinaries[]objectA list of binary exec name filters.
    false
    matchCapabilities[]objectA list of capabilities and IDs
    false
    matchCapabilityChanges[]objectIDs for capability changes
    false
    matchData[]objectA list of argument filters. MatchData are ANDed.
    false
    matchNamespaceChanges[]objectIDs for namespace changes
    false
    matchNamespaces[]objectA list of namespaces and IDs
    false
    matchPIDs[]objectA list of process ID filters. MatchPIDs are ANDed.
    false
    matchParentBinaries[]objectA list of process parent exec name filters.
    false
    matchReturnActions[]objectA list of actions to execute when MatchReturnArgs selector matches
    false
    matchReturnArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false

    TracingPolicy.spec.selectorsMacros[key].matchActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringAn FQDN to look up for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicy.spec.selectorsMacros[key].matchArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicy.spec.selectorsMacros[key].matchBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match children processes of specified binaries. Default: false | false |

    TracingPolicy.spec.selectorsMacros[key].matchCapabilities[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Capabilities to match. | true |
    | isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false | false |
    | type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted. Default: Effective | false |

    TracingPolicy.spec.selectorsMacros[key].matchCapabilityChanges[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Capabilities to match. | true |
    | isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false | false |
    | type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted. Default: Effective | false |

    TracingPolicy.spec.selectorsMacros[key].matchData[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicy.spec.selectorsMacros[key].matchNamespaceChanges[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Namespace types (e.g., Mnt, Pid) to match. | true |

    TracingPolicy.spec.selectorsMacros[key].matchNamespaces[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | namespace | enum | Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User | true |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Namespace IDs (or host_ns for host namespace) of namespaces to match. | true |

    TracingPolicy.spec.selectorsMacros[key].matchPIDs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | PID selector operator. Enum: In, NotIn | true |
    | values | []integer | Process IDs to match. | true |
    | followForks | boolean | Matches any descendant processes of the matching PIDs. Default: false | false |
    | isNamespacePID | boolean | Indicates whether PIDs are namespace PIDs. Default: false | false |

    TracingPolicy.spec.selectorsMacros[key].matchParentBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match children processes of specified binaries. Default: false | false |

    TracingPolicy.spec.selectorsMacros[key].matchReturnActions[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set | true |
    | argError | integer | Error value for override action. Format: int32 | false |
    | argFd | integer | An arg index for the fd for fdInstall action. Format: int32 | false |
    | argFqdn | string | A FQDN to lookup for the dnsLookup action | false |
    | argIndex | integer | An arg index for the set action. Format: int32 | false |
    | argName | integer | An arg index for the filename for fdInstall action. Format: int32 | false |
    | argRegs | []string | An arg value for the regs action | false |
    | argSig | integer | A signal number for signal action. Format: int32 | false |
    | argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32 | false |
    | argUrl | string | A URL for the getUrl action | false |
    | argValue | integer | An arg value for the set action. Format: int32 | false |
    | imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
    | kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
    | rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
    | rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
    | userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |

    TracingPolicy.spec.selectorsMacros[key].matchReturnArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicy.spec.tracepoints[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | event | string | Tracepoint event | true |
    | subsystem | string | Tracepoint subsystem | true |
    | args | []object | A list of function arguments to include in the trace output. | false |
    | message | string | A short message of 256 characters max that will be included in the event output to inform users what is going on. | false |
    | raw | boolean | Enable raw tracepoint arguments | false |
    | selectors | []object | Selectors to apply before producing trace output. Selectors are ORed. | false |
    | tags | []string | Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported. | false |

    TracingPolicy.spec.tracepoints[index].args[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | index | integer | Position of the argument. Format: int32. Minimum: 0 | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty) | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0 | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicy.spec.tracepoints[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | macros | []string | A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to corresponding filters of the selector. | false |
    | matchActions | []object | A list of actions to execute when this selector matches | false |
    | matchArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |
    | matchBinaries | []object | A list of binary exec name filters. | false |
    | matchCapabilities | []object | A list of capabilities and IDs | false |
    | matchCapabilityChanges | []object | IDs for capabilities changes | false |
    | matchData | []object | A list of argument filters. MatchData are ANDed. | false |
    | matchNamespaceChanges | []object | IDs for namespace changes | false |
    | matchNamespaces | []object | A list of namespaces and IDs | false |
    | matchPIDs | []object | A list of process ID filters. MatchPIDs are ANDed. | false |
    | matchParentBinaries | []object | A list of process parent exec name filters. | false |
    | matchReturnActions | []object | A list of actions to execute when MatchReturnArgs selector matches | false |
    | matchReturnArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchActions[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set | true |
    | argError | integer | Error value for override action. Format: int32 | false |
    | argFd | integer | An arg index for the fd for fdInstall action. Format: int32 | false |
    | argFqdn | string | A FQDN to lookup for the dnsLookup action | false |
    | argIndex | integer | An arg index for the set action. Format: int32 | false |
    | argName | integer | An arg index for the filename for fdInstall action. Format: int32 | false |
    | argRegs | []string | An arg value for the regs action | false |
    | argSig | integer | A signal number for signal action. Format: int32 | false |
    | argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32 | false |
    | argUrl | string | A URL for the getUrl action | false |
    | argValue | integer | An arg value for the set action. Format: int32 | false |
    | imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
    | kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
    | rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
    | rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
    | userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |
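
A pre-deployment lint built from the constraints these tables state: the fields marked "Only valid with the post action", rateLimitScope needing a rateLimit, the deprecated actions, macro names resolving to spec.selectorsMacros, and the 256-character message and 16-tag limits. This is an added example, not Tetragon's own validation code; the function names, the constructed sample policy and the rateLimit pattern are assumptions made for illustration.

```python
import re

# Values and constraints copied from the field descriptions in this reference.
ACTIONS = {"Post", "FollowFD", "UnfollowFD", "Sigkill", "CopyFD", "Override",
           "GetUrl", "DnsLookup", "NoPost", "Signal", "TrackSock", "UntrackSock",
           "NotifyEnforcer", "CleanupEnforcerNotification", "Set"}
DEPRECATED = {"FollowFD", "UnfollowFD", "CopyFD"}
POST_ONLY = ("imaHash", "kernelStackTrace", "userStackTrace",
             "rateLimit", "rateLimitScope")
RATE_SCOPES = {"thread", "process", "global"}
MAX_MESSAGE, MAX_TAGS = 256, 16
# Assumption: "seconds (default or 's'), minutes ('m'), hours ('h')" is read
# as an unsigned integer with an optional one-letter suffix.
RATE_LIMIT_RE = re.compile(r"^\d+[smh]?$")


def lint_action(action, path):
    """Check one matchActions / matchReturnActions entry."""
    name = action.get("action")
    if name not in ACTIONS:
        return [f"{path}: action {name!r} is not in the documented enum"]
    findings = []
    if name in DEPRECATED:
        findings.append(f"{path}: {name} is deprecated (removal planned for 1.5)")
    if name != "Post":
        for field in POST_ONLY:
            if action.get(field) not in (None, False, ""):
                findings.append(f"{path}: {field} is only valid with the Post action")
    limit = action.get("rateLimit")
    if limit is not None and not RATE_LIMIT_RE.match(str(limit)):
        findings.append(f"{path}: rateLimit {limit!r} is not a valid period")
    scope = action.get("rateLimitScope")
    if scope is not None:
        if scope not in RATE_SCOPES:
            findings.append(f"{path}: rateLimitScope {scope!r} is not thread/process/global")
        if limit is None:
            findings.append(f"{path}: rateLimitScope requires rateLimit")
    return findings


def lint_selector(selector, macros, path):
    """Check macro references, then every action attached to the selector."""
    findings = [f"{path}: macro {m!r} is not defined in spec.selectorsMacros"
                for m in selector.get("macros", []) if m not in macros]
    for key in ("matchActions", "matchReturnActions"):
        for i, action in enumerate(selector.get(key, [])):
            findings += lint_action(action, f"{path}.{key}[{i}]")
    return findings


def lint_policy(policy):
    """Return a list of findings for the tracepoint and uprobe hooks of a policy."""
    spec = policy.get("spec", {})
    macros = spec.get("selectorsMacros", {})
    findings = []
    for name, selector in macros.items():
        findings += lint_selector(selector, macros, f"spec.selectorsMacros[{name}]")
    for kind in ("tracepoints", "uprobes"):
        for h, hook in enumerate(spec.get(kind, [])):
            path = f"spec.{kind}[{h}]"
            if len(hook.get("message", "")) > MAX_MESSAGE:
                findings.append(f"{path}: message exceeds {MAX_MESSAGE} characters")
            if len(hook.get("tags", [])) > MAX_TAGS:
                findings.append(f"{path}: more than {MAX_TAGS} tags")
            for s, selector in enumerate(hook.get("selectors", [])):
                findings += lint_selector(selector, macros, f"{path}.selectors[{s}]")
    return findings


# Constructed sample policy (parsed form of the YAML); the second selector is
# deliberately wrong in four ways.
SAMPLE_POLICY = {
    "apiVersion": "cilium.io/v1alpha1",
    "kind": "TracingPolicy",
    "metadata": {"name": "constructed-example"},
    "spec": {
        "selectorsMacros": {
            "not_host": {"matchNamespaces": [
                {"namespace": "Pid", "operator": "NotIn", "values": ["host_ns"]}]},
        },
        "tracepoints": [{
            "subsystem": "syscalls",
            "event": "sys_enter_openat",
            "tags": ["file-access"],
            "selectors": [
                {"macros": ["not_host"],
                 "matchActions": [{"action": "Post", "rateLimit": "5m",
                                   "rateLimitScope": "process"}]},
                {"macros": ["undefined_macro"],
                 "matchActions": [
                     {"action": "Sigkill", "kernelStackTrace": True},
                     {"action": "Post", "rateLimitScope": "global"},
                     {"action": "FollowFD"}]},
            ],
        }],
    },
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```
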

    TracingPolicy.spec.tracepoints[index].selectors[index].matchArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match children processes of specified binaries. Default: false | false |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Capabilities to match. | true |
    | isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false | false |
    | type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted. Default: Effective | false |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Capabilities to match. | true |
    | isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false | false |
    | type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted. Default: Effective | false |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchData[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Namespace types (e.g., Mnt, Pid) to match. | true |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | namespace | enum | Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User | true |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Namespace IDs (or host_ns for host namespace) of namespaces to match. | true |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchPIDs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | PID selector operator. Enum: In, NotIn | true |
    | values | []integer | Process IDs to match. | true |
    | followForks | boolean | Matches any descendant processes of the matching PIDs. Default: false | false |
    | isNamespacePID | boolean | Indicates whether PIDs are namespace PIDs. Default: false | false |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match children processes of specified binaries. Default: false | false |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set | true |
    | argError | integer | Error value for override action. Format: int32 | false |
    | argFd | integer | An arg index for the fd for fdInstall action. Format: int32 | false |
    | argFqdn | string | A FQDN to lookup for the dnsLookup action | false |
    | argIndex | integer | An arg index for the set action. Format: int32 | false |
    | argName | integer | An arg index for the filename for fdInstall action. Format: int32 | false |
    | argRegs | []string | An arg value for the regs action | false |
    | argSig | integer | A signal number for signal action. Format: int32 | false |
    | argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32 | false |
    | argUrl | string | A URL for the getUrl action | false |
    | argValue | integer | An arg value for the set action. Format: int32 | false |
    | imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
    | kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
    | rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
    | rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
    | userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |

    TracingPolicy.spec.tracepoints[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicy.spec.uprobes[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | path | string | Name of the traced binary | true |
    | addrs | []integer | List of the traced addresses | false |
    | args | []object | A list of function arguments to include in the trace output. | false |
    | btfPath | string | Path for a BTF file for the traced binary | false |
    | data | []object | A list of data to include in the trace output. | false |
    | message | string | A short message of 256 characters max that will be included in the event output to inform users what is going on. | false |
    | offsets | []integer | List of the traced offsets | false |
    | refCtrOffsets | []integer | List of the traced ref_ctr_offsets | false |
    | return | boolean | Indicates whether to collect return value of the traced function. Default: false | false |
    | returnArg | object | A return argument to include in the trace output. | false |
    | selectors | []object | Selectors to apply before producing trace output. Selectors are ORed. | false |
    | symbols | []string | List of the traced symbols | false |
    | tags | []string | Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported. | false |

    TracingPolicy.spec.uprobes[index].args[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | index | integer | Position of the argument. Format: int32. Minimum: 0 | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty) | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0 | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicy.spec.uprobes[index].data[index]

    ↩ Parent

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | index | integer | Position of the argument. Format: int32. Minimum: 0 | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty) | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0 | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicy.spec.uprobes[index].returnArg

    ↩ Parent

    A return argument to include in the trace output.

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | index | integer | Position of the argument. Format: int32. Minimum: 0 | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty) | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0 | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicy.spec.uprobes[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    | Name | Type | Description | Required |
    | --- | --- | --- | --- |
    | macros | []string | A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to corresponding filters of the selector. | false |
    | matchActions | []object | A list of actions to execute when this selector matches | false |
    | matchArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |
    | matchBinaries | []object | A list of binary exec name filters. | false |
    | matchCapabilities | []object | A list of capabilities and IDs | false |
    | matchCapabilityChanges | []object | IDs for capabilities changes | false |
    | matchData | []object | A list of argument filters. MatchData are ANDed. | false |
    | matchNamespaceChanges | []object | IDs for namespace changes | false |
    | matchNamespaces | []object | A list of namespaces and IDs | false |
    | matchPIDs | []object | A list of process ID filters. MatchPIDs are ANDed. | false |
    | matchParentBinaries | []object | A list of process parent exec name filters. | false |
    | matchReturnActions | []object | A list of actions to execute when MatchReturnArgs selector matches | false |
    | matchReturnArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |

    TracingPolicy.spec.uprobes[index].selectors[index].matchActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringAn FQDN to look up for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicy.spec.uprobes[index].selectors[index].matchArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicy.spec.uprobes[index].selectors[index].matchBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match children processes of specified binaries.

    Default: false
    false

    TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicy.spec.uprobes[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicy.spec.uprobes[index].selectors[index].matchData[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace types (e.g., Mnt, Pid) to match.
    true

    TracingPolicy.spec.uprobes[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namespaceenumNamespace selector name.

    Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace IDs (or host_ns for host namespace) of namespaces to match.
    true

    TracingPolicy.spec.uprobes[index].selectors[index].matchPIDs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumPID selector operator.

    Enum: In, NotIn
    true
    values[]integerProcess IDs to match.
    true
    followForksbooleanMatches any descendant processes of the matching PIDs.

    Default: false
    false
    isNamespacePIDbooleanIndicates whether PIDs are namespace PIDs.

    Default: false
    false

    TracingPolicy.spec.uprobes[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match children processes of specified binaries.

    Default: false
    false

    TracingPolicy.spec.uprobes[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringAn FQDN to look up for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicy.spec.uprobes[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicy.spec.usdts[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namestringUsdt name
    true
    pathstringName of the traced binary
    true
    providerstringUsdt provider name
    true
    args[]objectA list of function arguments to include in the trace output.
    false
    btfPathstringpath for a BTF file for the traced binary
    false
    messagestringA short message of 256 characters max that will be included in the event output to inform users what is going on.
    false
    selectors[]objectSelectors to apply before producing trace output. Selectors are ORed.
    false
    tags[]stringTags to categorize the event; they will be included in the event output. Maximum of 16 Tags are supported.
    false

    TracingPolicy.spec.usdts[index].args[index]

    ↩ Parent

    NameTypeDescriptionRequired
    indexintegerPosition of the argument.

    Format: int32
    Minimum: 0
    true
    typeenumArgument type.

    Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    btfTypestringType to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath.
    false
    btfTypeModulestringKernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf.
    false
    labelstringLabel to output in the JSON
    false
    maxDatabooleanRead maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the bpf program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on.

    Default: false
    false
    resolvestringResolve the path to a specific attribute

    Default:
    false
    returnCopybooleanThis field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.

    Default: false
    false
    sizeArgIndexintegerSpecifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    sourcestringSource of the data; if missing, the default is function arguments.
    false

    TracingPolicy.spec.usdts[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    NameTypeDescriptionRequired
    macros[]stringA list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to corresponding filters of the selector.
    false
    matchActions[]objectA list of actions to execute when this selector matches
    false
    matchArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false
    matchBinaries[]objectA list of binary exec name filters.
    false
    matchCapabilities[]objectA list of capabilities and IDs
    false
    matchCapabilityChanges[]objectIDs for capabilities changes
    false
    matchData[]objectA list of argument filters. MatchData are ANDed.
    false
    matchNamespaceChanges[]objectIDs for namespace changes
    false
    matchNamespaces[]objectA list of namespaces and IDs
    false
    matchPIDs[]objectA list of process ID filters. MatchPIDs are ANDed.
    false
    matchParentBinaries[]objectA list of process parent exec name filters.
    false
    matchReturnActions[]objectA list of actions to execute when MatchReturnArgs selector matches
    false
    matchReturnArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringAn FQDN to look up for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match children processes of specified binaries.

    Default: false
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchData[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace types (e.g., Mnt, Pid) to match.
    true

    TracingPolicy.spec.usdts[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namespaceenumNamespace selector name.

    Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace IDs (or host_ns for host namespace) of namespaces to match.
    true

    TracingPolicy.spec.usdts[index].selectors[index].matchPIDs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumPID selector operator.

    Enum: In, NotIn
    true
    values[]integerProcess IDs to match.
    true
    followForksbooleanMatches any descendant processes of the matching PIDs.

    Default: false
    false
    isNamespacePIDbooleanIndicates whether PIDs are namespace PIDs.

    Default: false
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match children processes of specified binaries.

    Default: false
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringAn FQDN to look up for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicy.spec.usdts[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false
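
The constraints stated in the usdts tables above (required fields, the 256-character message limit, the 16-tag limit, the Post-only action fields, the deprecated actions, and the char_buf/char_iovec-only argument fields) can be checked before a policy is loaded. The following is an added example, not part of the generated reference or of Tetragon: the function names and the sample policy are constructed here, and the rateLimit syntax check (`digits` plus optional `s`/`m`/`h`) is an assumption based on the field description.

```python
import re

# Values and limits copied from the tables in this reference.
ACTIONS = {"Post", "FollowFD", "UnfollowFD", "Sigkill", "CopyFD", "Override",
           "GetUrl", "DnsLookup", "NoPost", "Signal", "TrackSock", "UntrackSock",
           "NotifyEnforcer", "CleanupEnforcerNotification", "Set"}
DEPRECATED_ACTIONS = {"FollowFD", "UnfollowFD", "CopyFD"}
POST_ONLY_FIELDS = ("imaHash", "kernelStackTrace", "userStackTrace",
                    "rateLimit", "rateLimitScope")
RATE_LIMIT_SCOPES = {"thread", "process", "global"}
BUFFER_TYPES = {"char_buf", "char_iovec"}
MAX_MESSAGE_LEN = 256
MAX_TAGS = 16
# Assumed syntax: seconds (bare number or 's'), minutes ('m'), hours ('h').
RATE_LIMIT_RE = re.compile(r"^\d+[smh]?$")


def lint_action(act, where):
    """Check one matchActions / matchReturnActions entry."""
    out = []
    name = act.get("action")
    if name not in ACTIONS:
        return [f"error: {where}: action {name!r} is not in the enum"]
    if name in DEPRECATED_ACTIONS:
        out.append(f"warn: {where}: {name} is deprecated, removal planned for 1.5")
    if name != "Post":
        # Booleans set to false and empty strings are treated as "not set".
        out += [f"error: {where}: {f} is only valid with the Post action"
                for f in POST_ONLY_FIELDS if act.get(f)]
        return out
    if "rateLimitScope" in act:
        if not act.get("rateLimit"):
            out.append(f"error: {where}: rateLimitScope requires rateLimit")
        if act["rateLimitScope"] not in RATE_LIMIT_SCOPES:
            out.append(f"error: {where}: rateLimitScope must be thread, process or global")
    if act.get("rateLimit") and not RATE_LIMIT_RE.match(str(act["rateLimit"])):
        out.append(f"error: {where}: rateLimit {act['rateLimit']!r} is not a valid period")
    return out


def lint_arg(arg, where):
    """Check one args entry."""
    out = []
    index = arg.get("index")
    if isinstance(index, bool) or not isinstance(index, int) or index < 0:
        out.append(f"error: {where}: index is required and must be >= 0")
    if "type" not in arg:
        out.append(f"error: {where}: type is required")
    typ = arg.get("type", "auto")
    if typ == "auto":
        return out  # resolved type unknown here, so skip the type-specific checks
    if typ not in BUFFER_TYPES:
        if arg.get("returnCopy"):
            out.append(f"warn: {where}: returnCopy is only used for char_buf and char_iovec")
        if "sizeArgIndex" in arg:
            out.append(f"warn: {where}: sizeArgIndex is only used for char_buf and char_iovec")
    if arg.get("maxData") and typ != "char_buf":
        out.append(f"warn: {where}: maxData is only used for char_buf")
    return out


def lint_usdt(usdt, where):
    """Check one spec.usdts entry, its args and its selector actions."""
    out = [f"error: {where}: {f} is required"
           for f in ("name", "path", "provider") if not usdt.get(f)]
    if len(usdt.get("message", "")) > MAX_MESSAGE_LEN:
        out.append(f"error: {where}: message exceeds {MAX_MESSAGE_LEN} characters")
    if len(usdt.get("tags", [])) > MAX_TAGS:
        out.append(f"error: {where}: more than {MAX_TAGS} tags")
    for i, arg in enumerate(usdt.get("args", [])):
        out += lint_arg(arg, f"{where}.args[{i}]")
    for s, sel in enumerate(usdt.get("selectors", [])):
        for key in ("matchActions", "matchReturnActions"):
            for a, act in enumerate(sel.get(key, [])):
                out += lint_action(act, f"{where}.selectors[{s}].{key}[{a}]")
    return out


def lint_policy(policy):
    """Return a list of findings for a TracingPolicy given as a dict."""
    spec = policy.get("spec", {})
    out = []
    if spec.get("hostSelector") not in (None, {}):
        out.append("error: spec.hostSelector: must be null or {}")
    for i, usdt in enumerate(spec.get("usdts", [])):
        out += lint_usdt(usdt, f"spec.usdts[{i}]")
    return out


# Constructed sample policy with four deliberate problems.
SAMPLE_POLICY = {
    "apiVersion": "cilium.io/v1alpha1",
    "kind": "TracingPolicy",
    "metadata": {"name": "usdt-lint-demo"},
    "spec": {"usdts": [{
        "path": "/usr/local/bin/demo-app", "provider": "demo", "name": "request_start",
        "args": [{"index": 0, "type": "uint64"},
                 {"index": 1, "type": "string", "returnCopy": True}],
        "selectors": [{"matchActions": [
            {"action": "Sigkill", "rateLimit": "5m"},
            {"action": "Post", "rateLimitScope": "process"},
            {"action": "CopyFD"}]}],
    }]},
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

The same action and argument checks apply to the uprobes tables, which list identical fields; only the usdts path is walked here.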

    TracingPolicyNamespaced

    ↩ Parent

    NameTypeDescriptionRequired
    apiVersionstringcilium.io/v1alpha1true
    kindstringTracingPolicyNamespacedtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobjectTracing policy specification.
    true

    TracingPolicyNamespaced.spec

    ↩ Parent

    Tracing policy specification.

    NameTypeDescriptionRequired
    containerSelectorobjectContainerSelector selects containers that this policy applies to. A map of container fields will be constructed in the same way as a map of labels. The name of the field represents the label "key", and the value of the field - label "value". Currently, only the "name" field is supported.
    false
    enforcers[]objectAn enforcer spec.
    false
    fentries[]objectA list of fentry specs.
    false
    hostSelectorobjectHostSelector selects hosts that this policy applies to. For now only ~ (none) and {} (all) are supported.

    Validations:
  • !has(self.matchLabels) && !has(self.matchExpressions): The hostSelector should be either null or {}.
    false
    kprobes[]objectA list of kprobe specs.
    false
    lists[]objectA list of list specs.
    false
    loaderbooleanEnable loader events
    false
    lsmhooks[]objectA list of uprobe specs.
    false
    options[]objectA list of overloaded options
    false
    podSelectorobjectPodSelector selects pods that this policy applies to
    false
    selectorsMacrosmap[string]objectSelectorsMacros is used to define selectors macros, which can be used in probes/hooks selectors by their names.
    false
    tracepoints[]objectA list of tracepoint specs.
    false
    uprobes[]objectA list of uprobe specs.
    false
    usdts[]objectA list of usdt specs.
    false

    TracingPolicyNamespaced.spec.containerSelector

    ↩ Parent

    ContainerSelector selects containers that this policy applies to. A map of container fields will be constructed in the same way as a map of labels. The name of the field represents the label “key”, and the value of the field - label “value”. Currently, only the “name” field is supported.

    NameTypeDescriptionRequired
    matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    false

    TracingPolicyNamespaced.spec.containerSelector.matchExpressions[index]

    ↩ Parent

    A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

    NameTypeDescriptionRequired
    keystringkey is the label key that the selector applies to.
    true
    operatorenumoperator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

    Enum: In, NotIn, Exists, DoesNotExist
    true
    values[]stringvalues is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    false

    TracingPolicyNamespaced.spec.enforcers[index]

    ↩ Parent

    NameTypeDescriptionRequired
    calls[]stringCalls in which the enforcer is executed
    true

    TracingPolicyNamespaced.spec.fentries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    callstringName of the function to apply the kprobe spec to.
    true
    args[]objectA list of function arguments to include in the trace output.
    false
    data[]objectA list of data to include in the trace output.
    false
    ignoreobjectConditions for ignoring this kprobe
    false
    messagestringA short message of 256 characters max that will be included in the event output to inform users what is going on.
    false
    returnbooleanIndicates whether to collect return value of the traced function.

    Default: false
    false
    returnArgobjectA return argument to include in the trace output.
    false
    returnArgActionstringAn action to perform on the return value. Use returnArg to include the return value in the event output. Supported actions are: TrackSock;UntrackSock
    false
    selectors[]objectSelectors to apply before producing trace output. Selectors are ORed and short-circuited.
    false
    syscallbooleanIndicates whether the traced function is a syscall.

    Default: true
    false
    tags[]stringTags to categorize the event; they will be included in the event output. Maximum of 16 Tags are supported.
    false

    TracingPolicyNamespaced.spec.fentries[index].args[index]

    ↩ Parent

    NameTypeDescriptionRequired
    indexintegerPosition of the argument.

    Format: int32
    Minimum: 0
    true
    typeenumArgument type.

    Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    btfTypestringType to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath.
    false
    btfTypeModulestringKernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf.
    false
    labelstringLabel to output in the JSON
    false
    maxDatabooleanRead maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the bpf program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on.

    Default: false
    false
    resolvestringResolve the path to a specific attribute

    Default:
    false
    returnCopybooleanThis field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.

    Default: false
    false
    sizeArgIndexintegerSpecifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    sourcestringSource of the data, if missing the default if function arguments
    false

    TracingPolicyNamespaced.spec.fentries[index].data[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON. | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicyNamespaced.spec.fentries[index].ignore

    ↩ Parent

    Conditions for ignoring this kprobe

    | Name | Type | Description | Required |
    |---|---|---|---|
    | callNotFound | boolean | Ignores calls that are not present in the system. | false |

    TracingPolicyNamespaced.spec.fentries[index].returnArg

    ↩ Parent

    A return argument to include in the trace output.

    | Name | Type | Description | Required |
    |---|---|---|---|
    | index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON. | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    | Name | Type | Description | Required |
    |---|---|---|---|
    | macros | []string | A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to corresponding filters of the selector. | false |
    | matchActions | []object | A list of actions to execute when this selector matches. | false |
    | matchArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |
    | matchBinaries | []object | A list of binary exec name filters. | false |
    | matchCapabilities | []object | A list of capabilities and IDs. | false |
    | matchCapabilityChanges | []object | IDs for capabilities changes. | false |
    | matchData | []object | A list of argument filters. MatchData are ANDed. | false |
    | matchNamespaceChanges | []object | IDs for namespace changes. | false |
    | matchNamespaces | []object | A list of namespaces and IDs. | false |
    | matchPIDs | []object | A list of process ID filters. MatchPIDs are ANDed. | false |
    | matchParentBinaries | []object | A list of process parent exec name filters. | false |
    | matchReturnActions | []object | A list of actions to execute when MatchReturnArgs selector matches. | false |
    | matchReturnArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchActions[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set. | true |
    | argError | integer | Error value for override action. Format: int32. | false |
    | argFd | integer | An arg index for the fd for fdInstall action. Format: int32. | false |
    | argFqdn | string | An FQDN to look up for the dnsLookup action. | false |
    | argIndex | integer | An arg index for the set action. Format: int32. | false |
    | argName | integer | An arg index for the filename for fdInstall action. Format: int32. | false |
    | argRegs | []string | An arg value for the regs action. | false |
    | argSig | integer | A signal number for signal action. Format: int32. | false |
    | argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32. | false |
    | argUrl | string | A URL for the getUrl action. | false |
    | argValue | integer | An arg value for the set action. Format: int32. | false |
    | imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
    | kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
    | rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
    | rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
    | userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType. | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0. | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix. | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match child processes of specified binaries. Default: false. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Namespace selector operator. Enum: In, NotIn. | true |
    | values | []string | Capabilities to match. | true |
    | isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false. | false |
    | type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted. Default: Effective. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Namespace selector operator. Enum: In, NotIn. | true |
    | values | []string | Capabilities to match. | true |
    | isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false. | false |
    | type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted. Default: Effective. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchData[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType. | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0. | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Namespace selector operator. Enum: In, NotIn. | true |
    | values | []string | Namespace types (e.g., Mnt, Pid) to match. | true |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | namespace | enum | Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User. | true |
    | operator | enum | Namespace selector operator. Enum: In, NotIn. | true |
    | values | []string | Namespace IDs (or host_ns for host namespace) of namespaces to match. | true |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchPIDs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | PID selector operator. Enum: In, NotIn. | true |
    | values | []integer | Process IDs to match. | true |
    | followForks | boolean | Matches any descendant processes of the matching PIDs. Default: false. | false |
    | isNamespacePID | boolean | Indicates whether PIDs are namespace PIDs. Default: false. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix. | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match child processes of specified binaries. Default: false. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set. | true |
    | argError | integer | Error value for override action. Format: int32. | false |
    | argFd | integer | An arg index for the fd for fdInstall action. Format: int32. | false |
    | argFqdn | string | An FQDN to look up for the dnsLookup action. | false |
    | argIndex | integer | An arg index for the set action. Format: int32. | false |
    | argName | integer | An arg index for the filename for fdInstall action. Format: int32. | false |
    | argRegs | []string | An arg value for the regs action. | false |
    | argSig | integer | A signal number for signal action. Format: int32. | false |
    | argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32. | false |
    | argUrl | string | A URL for the getUrl action. | false |
    | argValue | integer | An arg value for the set action. Format: int32. | false |
    | imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
    | kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
    | rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
    | rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
    | userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |

    TracingPolicyNamespaced.spec.fentries[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType. | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0. | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicyNamespaced.spec.hostSelector

    ↩ Parent

    HostSelector selects hosts that this policy applies to. For now only ~ (none) and {} (all) are supported.

    | Name | Type | Description | Required |
    |---|---|---|---|
    | matchExpressions | []object | matchExpressions is a list of label selector requirements. The requirements are ANDed. | false |
    | matchLabels | map[string]string | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | false |

    TracingPolicyNamespaced.spec.hostSelector.matchExpressions[index]

    ↩ Parent

    A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

    | Name | Type | Description | Required |
    |---|---|---|---|
    | key | string | key is the label key that the selector applies to. | true |
    | operator | enum | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. Enum: In, NotIn, Exists, DoesNotExist. | true |
    | values | []string | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | false |

    TracingPolicyNamespaced.spec.kprobes[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | call | string | Name of the function to apply the kprobe spec to. | true |
    | args | []object | A list of function arguments to include in the trace output. | false |
    | data | []object | A list of data to include in the trace output. | false |
    | ignore | object | Conditions for ignoring this kprobe. | false |
    | message | string | A short message of 256 characters max that will be included in the event output to inform users what is going on. | false |
    | return | boolean | Indicates whether to collect return value of the traced function. Default: false. | false |
    | returnArg | object | A return argument to include in the trace output. | false |
    | returnArgAction | string | An action to perform on the return value. Use returnArg to include the return value in the event output. Supported actions are: TrackSock;UntrackSock | false |
    | selectors | []object | Selectors to apply before producing trace output. Selectors are ORed and short-circuited. | false |
    | syscall | boolean | Indicates whether the traced function is a syscall. Default: true. | false |
    | tags | []string | Tags to categorize the event; they are included in the event output. A maximum of 16 tags is supported. | false |

    TracingPolicyNamespaced.spec.kprobes[index].args[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON. | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicyNamespaced.spec.kprobes[index].data[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON. | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicyNamespaced.spec.kprobes[index].ignore

    ↩ Parent

    Conditions for ignoring this kprobe

    | Name | Type | Description | Required |
    |---|---|---|---|
    | callNotFound | boolean | Ignores calls that are not present in the system. | false |

    TracingPolicyNamespaced.spec.kprobes[index].returnArg

    ↩ Parent

    A return argument to include in the trace output.

    | Name | Type | Description | Required |
    |---|---|---|---|
    | index | integer | Position of the argument. Format: int32. Minimum: 0. | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog. Default: auto. | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON. | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false. | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty). | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false. | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32. Minimum: 0. | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    | Name | Type | Description | Required |
    |---|---|---|---|
    | macros | []string | A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to corresponding filters of the selector. | false |
    | matchActions | []object | A list of actions to execute when this selector matches. | false |
    | matchArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |
    | matchBinaries | []object | A list of binary exec name filters. | false |
    | matchCapabilities | []object | A list of capabilities and IDs. | false |
    | matchCapabilityChanges | []object | IDs for capabilities changes. | false |
    | matchData | []object | A list of argument filters. MatchData are ANDed. | false |
    | matchNamespaceChanges | []object | IDs for namespace changes. | false |
    | matchNamespaces | []object | A list of namespaces and IDs. | false |
    | matchPIDs | []object | A list of process ID filters. MatchPIDs are ANDed. | false |
    | matchParentBinaries | []object | A list of process parent exec name filters. | false |
    | matchReturnActions | []object | A list of actions to execute when MatchReturnArgs selector matches. | false |
    | matchReturnArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchActions[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set. | true |
    | argError | integer | Error value for override action. Format: int32. | false |
    | argFd | integer | An arg index for the fd for fdInstall action. Format: int32. | false |
    | argFqdn | string | An FQDN to look up for the dnsLookup action. | false |
    | argIndex | integer | An arg index for the set action. Format: int32. | false |
    | argName | integer | An arg index for the filename for fdInstall action. Format: int32. | false |
    | argRegs | []string | An arg value for the regs action. | false |
    | argSig | integer | A signal number for signal action. Format: int32. | false |
    | argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32. | false |
    | argUrl | string | A URL for the getUrl action. | false |
    | argValue | integer | An arg value for the set action. Format: int32. | false |
    | imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
    | kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
    | rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
    | rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
    | userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |
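
Several constraints in the kprobes field descriptions above (options valid only with the Post action, fields used only for char_buf/char_iovec arguments, the 256-character message and 16-tag limits, the deprecated actions) are easy to violate when writing a policy by hand. The following pre-load lint is an added example, not Tetragon code: the function names, the policy-as-dict input and the constructed SAMPLE_POLICY are assumptions of this example, and the rateLimit pattern is this example's reading of the description.

```python
import re

# Constraints taken from the field descriptions on this page.
BUFFER_TYPES = {"char_buf", "char_iovec"}  # returnCopy and sizeArgIndex apply only to these
DEPRECATED_ACTIONS = {"FollowFD", "UnfollowFD", "CopyFD"}
POST_ONLY = ("rateLimit", "rateLimitScope", "imaHash", "kernelStackTrace", "userStackTrace")
RATE_LIMIT_SCOPES = {"thread", "process", "global"}
RATE_LIMIT_RE = re.compile(r"\d+[smh]?")  # seconds by default, or an s/m/h suffix
MAX_MESSAGE_LEN, MAX_TAGS = 256, 16


def lint_arg(path, arg):
    """Check one args[], data[] or returnArg entry."""
    out = [f"{path}: missing required field '{f}'" for f in ("index", "type") if f not in arg]
    if isinstance(arg.get("index"), int) and arg["index"] < 0:
        out.append(f"{path}: index must be >= 0")
    arg_type = arg.get("type", "auto")
    if arg.get("maxData") and arg_type != "char_buf":
        out.append(f"{path}: maxData only applies to char_buf, not {arg_type}")
    for field in ("returnCopy", "sizeArgIndex"):
        # returnCopy: false is the default and harmless; sizeArgIndex: 0 is still a set value.
        is_set = arg.get(field) is not None and arg.get(field) is not False
        if is_set and arg_type not in BUFFER_TYPES:
            out.append(f"{path}: {field} only applies to char_buf/char_iovec, not {arg_type}")
    return out


def lint_action(path, act):
    """Check one matchActions[] or matchReturnActions[] entry."""
    action = act.get("action")
    if action is None:
        return [f"{path}: missing required field 'action'"]
    out = []
    if action in DEPRECATED_ACTIONS:
        out.append(f"{path}: action {action} is deprecated")
    if action != "Post":
        for field in POST_ONLY:
            if act.get(field):
                out.append(f"{path}: {field} is only valid with the Post action")
    if "rateLimitScope" in act:
        if "rateLimit" not in act:
            out.append(f"{path}: rateLimitScope requires rateLimit")
        if act["rateLimitScope"] not in RATE_LIMIT_SCOPES:
            out.append(f"{path}: unknown rateLimitScope {act['rateLimitScope']!r}")
    if "rateLimit" in act and not RATE_LIMIT_RE.fullmatch(str(act["rateLimit"])):
        out.append(f"{path}: rateLimit {act['rateLimit']!r} is not <n>, <n>s, <n>m or <n>h")
    return out


def lint_policy(policy):
    """Return findings for spec.kprobes of a TracingPolicy or TracingPolicyNamespaced dict."""
    out = []
    for i, kp in enumerate(policy.get("spec", {}).get("kprobes", [])):
        path = f"spec.kprobes[{i}]"
        if not kp.get("call"):
            out.append(f"{path}: missing required field 'call'")
        if len(kp.get("message", "")) > MAX_MESSAGE_LEN:
            out.append(f"{path}: message exceeds {MAX_MESSAGE_LEN} characters")
        if len(kp.get("tags", [])) > MAX_TAGS:
            out.append(f"{path}: more than {MAX_TAGS} tags")
        for section in ("args", "data"):
            for j, arg in enumerate(kp.get(section, [])):
                out += lint_arg(f"{path}.{section}[{j}]", arg)
        if "returnArg" in kp:
            out += lint_arg(f"{path}.returnArg", kp["returnArg"])
        for s, sel in enumerate(kp.get("selectors", [])):
            for key in ("matchActions", "matchReturnActions"):
                for a, act in enumerate(sel.get(key, [])):
                    out += lint_action(f"{path}.selectors[{s}].{key}[{a}]", act)
    return out


# Constructed policy for the demonstration; it is not a recommended policy.
SAMPLE_POLICY = {
    "apiVersion": "cilium.io/v1alpha1", "kind": "TracingPolicyNamespaced",
    "metadata": {"name": "constructed-example", "namespace": "default"},
    "spec": {"kprobes": [{
        "call": "sys_read",
        "args": [
            {"index": 0, "type": "int"},
            {"index": 1, "type": "char_buf", "returnCopy": True, "sizeArgIndex": 3},
            {"index": 2, "type": "size_t", "maxData": True},           # flagged
        ],
        "returnArg": {"index": 0, "type": "int", "returnCopy": True},  # flagged
        "selectors": [{"matchActions": [
            {"action": "Post", "rateLimit": "5m", "rateLimitScope": "process"},
            {"action": "Sigkill", "kernelStackTrace": True},           # flagged
            {"action": "Post", "rateLimitScope": "global"},            # flagged
            {"action": "FollowFD", "argFd": 0, "argName": 1},          # flagged
        ]}],
    }]},
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```
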

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType. | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32. Minimum: 0. | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix. | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match child processes of specified binaries. Default: false. | false |

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Namespace selector operator. Enum: In, NotIn. | true |
    | values | []string | Capabilities to match. | true |
    | isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false. | false |
    | type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted. Default: Effective. | false |

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchData[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace types (e.g., Mnt, Pid) to match.
    true

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namespaceenumNamespace selector name.

    Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace IDs (or host_ns for host namespace) of namespaces to match.
    true

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchPIDs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumPID selector operator.

    Enum: In, NotIn
    true
    values[]integerProcess IDs to match.
    true
    followForksbooleanMatches any descendant processes of the matching PIDs.

    Default: false
    false
    isNamespacePIDbooleanIndicates whether PIDs are namespace PIDs.

    Default: false
    false

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match children processes of specified binaries.

    Default: false
    false

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegerError value for the override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringA FQDN to lookup for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicyNamespaced.spec.kprobes[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.lists[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namestringName of the list
    true
    patternstringPattern for 'generated' lists.
    false
    typeenumIndicates the type of the list values.

    Enum: syscalls, generated_syscalls, generated_ftrace
    false
    validatedbooleanList was validated
    false
    values[]stringValues of the list
    false

    TracingPolicyNamespaced.spec.lsmhooks[index]

    ↩ Parent

    NameTypeDescriptionRequired
    hookstringName of the function to apply the kprobe spec to.
    true
    args[]objectA list of function arguments to include in the trace output.
    false
    messagestringA short message of 256 characters max that will be included in the event output to inform users what is going on.
    false
    selectors[]objectSelectors to apply before producing trace output. Selectors are ORed.
    false
    tags[]stringTags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].args[index]

    ↩ Parent

    NameTypeDescriptionRequired
    indexintegerPosition of the argument.

    Format: int32
    Minimum: 0
    true
    typeenumArgument type.

    Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    btfTypestringType to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath.
    false
    btfTypeModulestringKernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf.
    false
    labelstringLabel to output in the JSON
    false
    maxDatabooleanRead maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4) Tetragon supports fetching up to 327360 bytes if this flag is turned on.

    Default: false
    false
    resolvestringResolve the path to a specific attribute

    Default:
    false
    returnCopybooleanThis field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.

    Default: false
    false
    sizeArgIndexintegerSpecifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    sourcestringSource of the data; if missing, the default is function arguments.
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    NameTypeDescriptionRequired
    macros[]stringA list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
    false
    matchActions[]objectA list of actions to execute when this selector matches
    false
    matchArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false
    matchBinaries[]objectA list of binary exec name filters.
    false
    matchCapabilities[]objectA list of capabilities and IDs
    false
    matchCapabilityChanges[]objectIDs for capabilities changes
    false
    matchData[]objectA list of argument filters. MatchData are ANDed.
    false
    matchNamespaceChanges[]objectIDs for namespace changes
    false
    matchNamespaces[]objectA list of namespaces and IDs
    false
    matchPIDs[]objectA list of process ID filters. MatchPIDs are ANDed.
    false
    matchParentBinaries[]objectA list of process parent exec name filters.
    false
    matchReturnActions[]objectA list of actions to execute when MatchReturnArgs selector matches
    false
    matchReturnArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegerError value for the override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringA FQDN to lookup for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match children processes of specified binaries.

    Default: false
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchData[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace types (e.g., Mnt, Pid) to match.
    true

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namespaceenumNamespace selector name.

    Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace IDs (or host_ns for host namespace) of namespaces to match.
    true

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchPIDs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumPID selector operator.

    Enum: In, NotIn
    true
    values[]integerProcess IDs to match.
    true
    followForksbooleanMatches any descendant processes of the matching PIDs.

    Default: false
    false
    isNamespacePIDbooleanIndicates whether PIDs are namespace PIDs.

    Default: false
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match children processes of specified binaries.

    Default: false
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegerError value for the override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringA FQDN to lookup for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicyNamespaced.spec.lsmhooks[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.options[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namestringName of the option
    true
    valuestringValue of the option
    false

    TracingPolicyNamespaced.spec.podSelector

    ↩ Parent

    PodSelector selects pods that this policy applies to

    NameTypeDescriptionRequired
    matchExpressions[]objectmatchExpressions is a list of label selector requirements. The requirements are ANDed.
    false
    matchLabelsmap[string]stringmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    false

    TracingPolicyNamespaced.spec.podSelector.matchExpressions[index]

    ↩ Parent

    A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

    NameTypeDescriptionRequired
    keystringkey is the label key that the selector applies to.
    true
    operatorenumoperator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

    Enum: In, NotIn, Exists, DoesNotExist
    true
    values[]stringvalues is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    NameTypeDescriptionRequired
    macros[]stringA list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
    false
    matchActions[]objectA list of actions to execute when this selector matches
    false
    matchArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false
    matchBinaries[]objectA list of binary exec name filters.
    false
    matchCapabilities[]objectA list of capabilities and IDs
    false
    matchCapabilityChanges[]objectIDs for capabilities changes
    false
    matchData[]objectA list of argument filters. MatchData are ANDed.
    false
    matchNamespaceChanges[]objectIDs for namespace changes
    false
    matchNamespaces[]objectA list of namespaces and IDs
    false
    matchPIDs[]objectA list of process ID filters. MatchPIDs are ANDed.
    false
    matchParentBinaries[]objectA list of process parent exec name filters.
    false
    matchReturnActions[]objectA list of actions to execute when MatchReturnArgs selector matches
    false
    matchReturnArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegerError value for the override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringA FQDN to lookup for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match children processes of specified binaries.

    Default: false
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilities[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchCapabilityChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchData[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaceChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace types (e.g., Mnt, Pid) to match.
    true

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchNamespaces[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namespaceenumNamespace selector name.

    Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace IDs (or host_ns for host namespace) of namespaces to match.
    true

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchPIDs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumPID selector operator.

    Enum: In, NotIn
    true
    values[]integerProcess IDs to match.
    true
    followForksbooleanMatches any descendant processes of the matching PIDs.

    Default: false
    false
    isNamespacePIDbooleanIndicates whether PIDs are namespace PIDs.

    Default: false
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchParentBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match children processes of specified binaries.

    Default: false
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegerError value for the override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringA FQDN to lookup for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicyNamespaced.spec.selectorsMacros[key].matchReturnArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.tracepoints[index]

    ↩ Parent

    NameTypeDescriptionRequired
    eventstringTracepoint event
    true
    subsystemstringTracepoint subsystem
    true
    args[]objectA list of function arguments to include in the trace output.
    false
    messagestringA short message of 256 characters max that will be included in the event output to inform users what is going on.
    false
    rawbooleanEnable raw tracepoint arguments
    false
    selectors[]objectSelectors to apply before producing trace output. Selectors are ORed.
    false
    tags[]stringTags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
    false

    TracingPolicyNamespaced.spec.tracepoints[index].args[index]

    ↩ Parent

    NameTypeDescriptionRequired
    indexintegerPosition of the argument.

    Format: int32
    Minimum: 0
    true
    typeenumArgument type.

    Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    btfTypestringType to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath.
    false
    btfTypeModulestringKernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf.
    false
    labelstringLabel to output in the JSON
    false
    maxDatabooleanRead maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.

    Default: false
    false
    resolvestringResolve the path to a specific attribute

    Default:
    false
    returnCopybooleanThis field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.

    Default: false
    false
    sizeArgIndexintegerSpecifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    sourcestringSource of the data; if missing, the default is function arguments.
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    NameTypeDescriptionRequired
    macros[]stringA list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
    false
    matchActions[]objectA list of actions to execute when this selector matches
    false
    matchArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false
    matchBinaries[]objectA list of binary exec name filters.
    false
    matchCapabilities[]objectA list of capabilities and IDs
    false
    matchCapabilityChanges[]objectIDs for capabilities changes
    false
    matchData[]objectA list of argument filters. MatchData are ANDed.
    false
    matchNamespaceChanges[]objectIDs for namespace changes
    false
    matchNamespaces[]objectA list of namespaces and IDs
    false
    matchPIDs[]objectA list of process ID filters. MatchPIDs are ANDed.
    false
    matchParentBinaries[]objectA list of process parent exec name filters.
    false
    matchReturnActions[]objectA list of actions to execute when MatchReturnArgs selector matches
    false
    matchReturnArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringA FQDN to lookup for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false
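
The matchActions and tracepoint tables above state several constraints in prose only (Post-only fields, the rateLimit suffixes, the 256-character message and 16-tag limits, the deprecated actions). The following is an added example, not part of the Tetragon project: a small linter that applies those constraints to a policy already parsed into a dict. The function names are hypothetical, the exact rateLimit grammar (digits plus an optional s/m/h suffix) is an assumption, and the sample policy is constructed.

```python
import re

# Values copied from the reference tables above.
ACTIONS = {"Post", "FollowFD", "UnfollowFD", "Sigkill", "CopyFD", "Override",
           "GetUrl", "DnsLookup", "NoPost", "Signal", "TrackSock", "UntrackSock",
           "NotifyEnforcer", "CleanupEnforcerNotification", "Set"}
DEPRECATED = {"FollowFD", "UnfollowFD", "CopyFD"}
POST_ONLY = ("imaHash", "kernelStackTrace", "userStackTrace",
             "rateLimit", "rateLimitScope")
SCOPES = {"thread", "process", "global"}
MAX_MESSAGE, MAX_TAGS = 256, 16

# Assumption: a rateLimit is decimal digits plus an optional s/m/h suffix.
_RATE = re.compile(r"(\d+)([smh]?)")
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600}


def rate_limit_seconds(value):
    """Return the rate limit in seconds, or None if the string is malformed."""
    m = _RATE.fullmatch(str(value).strip())
    return int(m.group(1)) * _UNIT[m.group(2)] if m else None


def lint_action(act, where):
    """Check one matchActions / matchReturnActions entry."""
    name = act.get("action")
    if name not in ACTIONS:
        return [f"{where}: action {name!r} is not in the documented enum"]
    findings = []
    if name in DEPRECATED:
        findings.append(f"{where}: {name} is deprecated (removal planned for 1.5)")
    if name != "Post":
        for field in POST_ONLY:
            if act.get(field):
                findings.append(f"{where}: {field} is only valid with the Post action")
    if "rateLimit" in act and rate_limit_seconds(act["rateLimit"]) is None:
        findings.append(f"{where}: rateLimit {act['rateLimit']!r} is malformed")
    if "rateLimitScope" in act:
        if act["rateLimitScope"] not in SCOPES:
            findings.append(f"{where}: rateLimitScope must be one of {sorted(SCOPES)}")
        if "rateLimit" not in act:
            findings.append(f"{where}: rateLimitScope needs a rateLimit")
    return findings


def lint_selector(sel, where):
    findings = []
    for key in ("matchActions", "matchReturnActions"):
        for i, act in enumerate(sel.get(key) or []):
            findings += lint_action(act, f"{where}.{key}[{i}]")
    return findings


def lint_policy(policy):
    """Lint selectorsMacros plus the tracepoint and uprobe hooks of a policy."""
    spec = policy.get("spec") or {}
    findings = []
    for name, macro in (spec.get("selectorsMacros") or {}).items():
        findings += lint_selector(macro, f"spec.selectorsMacros[{name}]")
    for kind in ("tracepoints", "uprobes"):
        for i, hook in enumerate(spec.get(kind) or []):
            where = f"spec.{kind}[{i}]"
            if len(hook.get("message") or "") > MAX_MESSAGE:
                findings.append(f"{where}: message exceeds {MAX_MESSAGE} characters")
            if len(hook.get("tags") or []) > MAX_TAGS:
                findings.append(f"{where}: more than {MAX_TAGS} tags")
            for j, sel in enumerate(hook.get("selectors") or []):
                findings += lint_selector(sel, f"{where}.selectors[{j}]")
    return findings


# Constructed sample policy (what yaml.safe_load would return for a manifest).
SAMPLE = {
    "apiVersion": "cilium.io/v1alpha1",
    "kind": "TracingPolicyNamespaced",
    "metadata": {"name": "example-lint-target", "namespace": "default"},
    "spec": {"tracepoints": [{
        "subsystem": "raw_syscalls",
        "event": "sys_enter",
        "message": "x" * 300,                      # over the 256-character limit
        "tags": [f"t{i}" for i in range(17)],      # over the 16-tag limit
        "selectors": [{"matchActions": [
            {"action": "Post", "rateLimit": "5m", "rateLimitScope": "process"},
            {"action": "Sigkill", "kernelStackTrace": True},  # Post-only field
            {"action": "Post", "rateLimitScope": "global"},   # scope, no limit
            {"action": "Post", "rateLimit": "1 hour"},        # malformed period
            {"action": "FollowFD"},                           # deprecated
        ]}],
    }]},
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```

Running such a check in CI before `kubectl apply` catches options that the field descriptions, rather than the CRD schema shown here, declare invalid.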

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match child processes of the specified binaries.

    Default: false
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchData[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace types (e.g., Mnt, Pid) to match.
    true

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    NameTypeDescriptionRequired
    namespaceenumNamespace selector name.

    Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User
    true
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace IDs (or host_ns for host namespace) of namespaces to match.
    true

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchPIDs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumPID selector operator.

    Enum: In, NotIn
    true
    values[]integerProcess IDs to match.
    true
    followForksbooleanMatches any descendant processes of the matching PIDs.

    Default: false
    false
    isNamespacePIDbooleanIndicates whether PIDs are namespace PIDs.

    Default: false
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match child processes of the specified binaries.

    Default: false
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringA FQDN to lookup for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicyNamespaced.spec.tracepoints[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.uprobes[index]

    ↩ Parent

    NameTypeDescriptionRequired
    pathstringName of the traced binary
    true
    addrs[]integerList of the traced addresses
    false
    args[]objectA list of function arguments to include in the trace output.
    false
    btfPathstringpath for a BTF file for the traced binary
    false
    data[]objectA list of data to include in the trace output.
    false
    messagestringA short message of 256 characters max that will be included in the event output to inform users what is going on.
    false
    offsets[]integerList of the traced offsets
    false
    refCtrOffsets[]integerList of the traced ref_ctr_offsets
    false
    returnbooleanIndicates whether to collect return value of the traced function.

    Default: false
    false
    returnArgobjectA return argument to include in the trace output.
    false
    selectors[]objectSelectors to apply before producing trace output. Selectors are ORed.
    false
    symbols[]stringList of the traced symbols
    false
    tags[]stringTags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported.
    false

    TracingPolicyNamespaced.spec.uprobes[index].args[index]

    ↩ Parent

    NameTypeDescriptionRequired
    indexintegerPosition of the argument.

    Format: int32
    Minimum: 0
    true
    typeenumArgument type.

    Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    btfTypestringType to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath.
    false
    btfTypeModulestringKernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf.
    false
    labelstringLabel to output in the JSON
    false
    maxDatabooleanRead maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.

    Default: false
    false
    resolvestringResolve the path to a specific attribute

    Default:
    false
    returnCopybooleanThis field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.

    Default: false
    false
    sizeArgIndexintegerSpecifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    sourcestringSource of the data; if missing, the default is function arguments.
    false

    TracingPolicyNamespaced.spec.uprobes[index].data[index]

    ↩ Parent

    NameTypeDescriptionRequired
    indexintegerPosition of the argument.

    Format: int32
    Minimum: 0
    true
    typeenumArgument type.

    Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    btfTypestringType to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath.
    false
    btfTypeModulestringKernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf.
    false
    labelstringLabel to output in the JSON
    false
    maxDatabooleanRead maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.

    Default: false
    false
    resolvestringResolve the path to a specific attribute

    Default:
    false
    returnCopybooleanThis field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.

    Default: false
    false
    sizeArgIndexintegerSpecifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    sourcestringSource of the data; if missing, the default is function arguments.
    false

    TracingPolicyNamespaced.spec.uprobes[index].returnArg

    ↩ Parent

    A return argument to include in the trace output.

    NameTypeDescriptionRequired
    indexintegerPosition of the argument.

    Format: int32
    Minimum: 0
    true
    typeenumArgument type.

    Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog
    Default: auto
    true
    btfTypestringType to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath.
    false
    btfTypeModulestringKernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf.
    false
    labelstringLabel to output in the JSON
    false
    maxDatabooleanRead maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on.

    Default: false
    false
    resolvestringResolve the path to a specific attribute

    Default:
    false
    returnCopybooleanThis field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered.

    Default: false
    false
    sizeArgIndexintegerSpecifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types.

    Format: int32
    Minimum: 0
    false
    sourcestringSource of the data; if missing, the default is function arguments.
    false

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    NameTypeDescriptionRequired
    macros[]stringA list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to the corresponding filters of the selector.
    false
    matchActions[]objectA list of actions to execute when this selector matches
    false
    matchArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false
    matchBinaries[]objectA list of binary exec name filters.
    false
    matchCapabilities[]objectA list of capabilities and IDs
    false
    matchCapabilityChanges[]objectIDs for capabilities changes
    false
    matchData[]objectA list of argument filters. MatchData are ANDed.
    false
    matchNamespaceChanges[]objectIDs for namespace changes
    false
    matchNamespaces[]objectA list of namespaces and IDs
    false
    matchPIDs[]objectA list of process ID filters. MatchPIDs are ANDed.
    false
    matchParentBinaries[]objectA list of process parent exec name filters.
    false
    matchReturnActions[]objectA list of actions to execute when MatchReturnArgs selector matches
    false
    matchReturnArgs[]objectA list of argument filters. MatchArgs are ANDed.
    false

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchActions[index]

    ↩ Parent

    NameTypeDescriptionRequired
    actionenumAction to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5.

    Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set
    true
    argErrorintegererror value for override action

    Format: int32
    false
    argFdintegerAn arg index for the fd for fdInstall action

    Format: int32
    false
    argFqdnstringA FQDN to lookup for the dnsLookup action
    false
    argIndexintegerAn arg index for the set action

    Format: int32
    false
    argNameintegerAn arg index for the filename for fdInstall action

    Format: int32
    false
    argRegs[]stringAn arg value for the regs action
    false
    argSigintegerA signal number for signal action

    Format: int32
    false
    argSockintegerAn arg index for the sock for trackSock and untrackSock actions

    Format: int32
    false
    argUrlstringA URL for the getUrl action
    false
    argValueintegerAn arg value for the set action

    Format: int32
    false
    imaHashbooleanEnable collection of file hashes from integrity subsystem. Only valid with the post action.
    false
    kernelStackTracebooleanEnable kernel stack trace export. Only valid with the post action.
    false
    rateLimitstringA time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action.
    false
    rateLimitScopestringThe scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified.
    false
    userStackTracebooleanEnable user stack trace export. Only valid with the post action.
    false

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchArgs[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchBinaries[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix
    true
    values[]stringValue to compare the argument against.
    true
    followChildrenbooleanIn addition to binaries, match child processes of the specified binaries.

    Default: false
    false

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringCapabilities to match.
    true
    isNamespaceCapabilitybooleanIndicates whether these caps are namespace caps.

    Default: false
    false
    typeenumType of capabilities

    Enum: Effective, Inheritable, Permitted
    Default: Effective
    false

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchData[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumFilter operation.

    Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType
    true
    args[]integerPosition of the operator arguments (in spec file) to apply the filter to.
    false
    indexintegerPosition of the argument (in function prototype) to apply the filter to.

    Format: int32
    Minimum: 0
    false
    values[]stringValue to compare the argument against.
    false

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    NameTypeDescriptionRequired
    operatorenumNamespace selector operator.

    Enum: In, NotIn
    true
    values[]stringNamespace types (e.g., Mnt, Pid) to match.
    true

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | namespace | enum | Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User | true |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Namespace IDs (or host_ns for host namespace) of namespaces to match. | true |

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchPIDs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | PID selector operator. Enum: In, NotIn | true |
    | values | []integer | Process IDs to match. | true |
    | followForks | boolean | Matches any descendant processes of the matching PIDs. Default: false | false |
    | isNamespacePID | boolean | Indicates whether PIDs are namespace PIDs. Default: false | false |

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match child processes of specified binaries. Default: false | false |

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set | true |
    | argError | integer | Error value for override action. Format: int32 | false |
    | argFd | integer | An arg index for the fd for fdInstall action. Format: int32 | false |
    | argFqdn | string | An FQDN to look up for the dnsLookup action. | false |
    | argIndex | integer | An arg index for the set action. Format: int32 | false |
    | argName | integer | An arg index for the filename for fdInstall action. Format: int32 | false |
    | argRegs | []string | An arg value for the regs action. | false |
    | argSig | integer | A signal number for signal action. Format: int32 | false |
    | argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32 | false |
    | argUrl | string | A URL for the getUrl action. | false |
    | argValue | integer | An arg value for the set action. Format: int32 | false |
    | imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
    | kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
    | rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
    | rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
    | userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |

    TracingPolicyNamespaced.spec.uprobes[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32; Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicyNamespaced.spec.usdts[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | name | string | Usdt name | true |
    | path | string | Name of the traced binary | true |
    | provider | string | Usdt provider name | true |
    | args | []object | A list of function arguments to include in the trace output. | false |
    | btfPath | string | Path for a BTF file for the traced binary | false |
    | message | string | A short message of 256 characters max that will be included in the event output to inform users what is going on. | false |
    | selectors | []object | Selectors to apply before producing trace output. Selectors are ORed. | false |
    | tags | []string | Tags to categorize the event; they will be included in the event output. A maximum of 16 tags is supported. | false |

    TracingPolicyNamespaced.spec.usdts[index].args[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | index | integer | Position of the argument. Format: int32; Minimum: 0 | true |
    | type | enum | Argument type. Enum: auto, int, sint8, int8, uint8, sint16, int16, uint16, uint32, sint32, int32, ulong, uint64, size_t, long, sint64, int64, char_buf, char_iovec, skb, sock, sockaddr, socket, sockaddr_un, string, fd, file, filename, path, nop, bpf_attr, perf_event, bpf_map, user_namespace, capability, kiocb, iov_iter, cred, const_buf, load_info, module, syscall64, kernel_cap_t, cap_inheritable, cap_permitted, cap_effective, linux_binprm, data_loc, net_device, bpf_cmd, dentry, bpf_prog; Default: auto | true |
    | btfType | string | Type to use as the initial resolve type. For kprobe args it looks up the named struct from the kernel BTF, casting the argument's type before traversing the resolve path. For UprobeSpecs and UsdtSpecs it looks up the type from the BTF file defined by BTFPath. | false |
    | btfTypeModule | string | Kernel module that contains the BTFType. This is used only for kprobe args. The module must already be loaded and expose BTF in /sys/kernel/btf. | false |
    | label | string | Label to output in the JSON | false |
    | maxData | boolean | Read maximum possible data (currently 327360). This field is only used for char_buf data. When this value is false (default), the BPF program will fetch at most 4096 bytes. In later kernels (>=5.4), Tetragon supports fetching up to 327360 bytes if this flag is turned on. Default: false | false |
    | resolve | string | Resolve the path to a specific attribute. Default: (empty string) | false |
    | returnCopy | boolean | This field is used only for char_buf and char_iovec types. It indicates that this argument should be read later (when the kretprobe for the symbol is triggered) because it might not be populated when the kprobe is triggered at the entrance of the function. For example, a buffer supplied to read(2) won't have content until kretprobe is triggered. Default: false | false |
    | sizeArgIndex | integer | Specifies the position of the corresponding size argument for this argument. This field is used only for char_buf and char_iovec types. Format: int32; Minimum: 0 | false |
    | source | string | Source of the data; if missing, the default is function arguments. | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index]

    ↩ Parent

    KProbeSelector selects function calls for kprobe based on PIDs and function arguments. The results of MatchPIDs and MatchArgs are ANDed.

    | Name | Type | Description | Required |
    |---|---|---|---|
    | macros | []string | A list of macro names, defined in spec.selectorsMacros. Filters specified in macros will be appended to corresponding filters of the selector. | false |
    | matchActions | []object | A list of actions to execute when this selector matches | false |
    | matchArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |
    | matchBinaries | []object | A list of binary exec name filters. | false |
    | matchCapabilities | []object | A list of capabilities and IDs | false |
    | matchCapabilityChanges | []object | IDs for capabilities changes | false |
    | matchData | []object | A list of argument filters. MatchData are ANDed. | false |
    | matchNamespaceChanges | []object | IDs for namespace changes | false |
    | matchNamespaces | []object | A list of namespaces and IDs | false |
    | matchPIDs | []object | A list of process ID filters. MatchPIDs are ANDed. | false |
    | matchParentBinaries | []object | A list of process parent exec name filters. | false |
    | matchReturnActions | []object | A list of actions to execute when MatchReturnArgs selector matches | false |
    | matchReturnArgs | []object | A list of argument filters. MatchArgs are ANDed. | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchActions[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set | true |
    | argError | integer | Error value for override action. Format: int32 | false |
    | argFd | integer | An arg index for the fd for fdInstall action. Format: int32 | false |
    | argFqdn | string | An FQDN to look up for the dnsLookup action. | false |
    | argIndex | integer | An arg index for the set action. Format: int32 | false |
    | argName | integer | An arg index for the filename for fdInstall action. Format: int32 | false |
    | argRegs | []string | An arg value for the regs action. | false |
    | argSig | integer | A signal number for signal action. Format: int32 | false |
    | argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32 | false |
    | argUrl | string | A URL for the getUrl action. | false |
    | argValue | integer | An arg value for the set action. Format: int32 | false |
    | imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
    | kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
    | rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
    | rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
    | userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |
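
The constraints stated in the usdts[index] and matchActions field descriptions (required fields, the 256-character message, the 16-tag limit, options that are only valid with the post action, deprecated actions) can be checked before a policy is loaded. The linter below is an added example, not part of Tetragon or of this reference; it takes the policy spec as an already-parsed dict, and the probe name, provider and binary path in the sample are hypothetical. Comparing action names case-insensitively is an assumption of the example.

```python
import re

# Constraints below are taken from the field descriptions in this reference.
POST_ONLY = ("rateLimit", "rateLimitScope", "imaHash",
             "kernelStackTrace", "userStackTrace")
DEPRECATED = {"followfd", "unfollowfd", "copyfd"}
RATE_SCOPES = {"thread", "process", "global"}
RATE_LIMIT_RE = re.compile(r"\d+[smh]?")  # seconds, or an s/m/h suffix


def lint_action(act, where):
    """Return findings for one matchActions / matchReturnActions entry."""
    out = []
    name = str(act.get("action", ""))
    low = name.lower()  # assumption: action names compared case-insensitively
    if low in DEPRECATED:
        out.append(f"{where}: action {name} is deprecated")
    for field in POST_ONLY:
        if act.get(field) not in (None, False, "") and low != "post":
            out.append(f"{where}: {field} is only valid with the Post action")
    rate, scope = act.get("rateLimit"), act.get("rateLimitScope")
    if rate is not None and not RATE_LIMIT_RE.fullmatch(str(rate)):
        out.append(f"{where}: rateLimit {rate!r} is not in seconds or s/m/h form")
    if scope is not None:
        if scope not in RATE_SCOPES:
            out.append(f"{where}: unknown rateLimitScope {scope!r}")
        if rate is None:
            out.append(f"{where}: rateLimitScope requires a rateLimit")
    return out


def lint_usdts(spec):
    """Lint every entry under spec.usdts and return a list of findings."""
    findings = []
    for i, usdt in enumerate(spec.get("usdts", [])):
        base = f"usdts[{i}]"
        for req in ("name", "path", "provider"):
            if not usdt.get(req):
                findings.append(f"{base}: required field {req} is missing")
        if len(usdt.get("message", "")) > 256:
            findings.append(f"{base}: message exceeds 256 characters")
        if len(usdt.get("tags", [])) > 16:
            findings.append(f"{base}: more than 16 tags")
        for j, sel in enumerate(usdt.get("selectors", [])):
            for key in ("matchActions", "matchReturnActions"):
                for k, act in enumerate(sel.get(key, [])):
                    findings += lint_action(act, f"{base}.selectors[{j}].{key}[{k}]")
    return findings


# Constructed sample: probe name, provider and binary path are hypothetical.
SAMPLE_SPEC = {"usdts": [{
    "name": "request_start", "provider": "demo", "path": "/usr/local/bin/demo-app",
    "tags": ["audit"],
    "selectors": [
        {"matchActions": [{"action": "Post", "rateLimit": "5m",
                           "rateLimitScope": "process"}]},
        {"matchActions": [{"action": "Sigkill", "kernelStackTrace": True,
                           "rateLimitScope": "global"}]},
        {"matchReturnActions": [{"action": "CopyFD"}]},
    ],
}]}

if __name__ == "__main__":
    for finding in lint_usdts(SAMPLE_SPEC):
        print(finding)
```
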

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32; Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match child processes of specified binaries. Default: false | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilities[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Capabilities to match. | true |
    | isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false | false |
    | type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted; Default: Effective | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchCapabilityChanges[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Capabilities to match. | true |
    | isNamespaceCapability | boolean | Indicates whether these caps are namespace caps. Default: false | false |
    | type | enum | Type of capabilities. Enum: Effective, Inheritable, Permitted; Default: Effective | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchData[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32; Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaceChanges[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Namespace types (e.g., Mnt, Pid) to match. | true |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchNamespaces[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | namespace | enum | Namespace selector name. Enum: Uts, Ipc, Mnt, Pid, PidForChildren, Net, Time, TimeForChildren, Cgroup, User | true |
    | operator | enum | Namespace selector operator. Enum: In, NotIn | true |
    | values | []string | Namespace IDs (or host_ns for host namespace) of namespaces to match. | true |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchPIDs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | PID selector operator. Enum: In, NotIn | true |
    | values | []integer | Process IDs to match. | true |
    | followForks | boolean | Matches any descendant processes of the matching PIDs. Default: false | false |
    | isNamespacePID | boolean | Indicates whether PIDs are namespace PIDs. Default: false | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchParentBinaries[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: In, NotIn, Prefix, NotPrefix, Postfix, NotPostfix | true |
    | values | []string | Value to compare the argument against. | true |
    | followChildren | boolean | In addition to binaries, match child processes of specified binaries. Default: false | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnActions[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | action | enum | Action to execute. NOTE: actions FollowFD, UnfollowFD, and CopyFD are marked as deprecated and planned to be removed in version 1.5. Enum: Post, FollowFD, UnfollowFD, Sigkill, CopyFD, Override, GetUrl, DnsLookup, NoPost, Signal, TrackSock, UntrackSock, NotifyEnforcer, CleanupEnforcerNotification, Set | true |
    | argError | integer | Error value for override action. Format: int32 | false |
    | argFd | integer | An arg index for the fd for fdInstall action. Format: int32 | false |
    | argFqdn | string | An FQDN to look up for the dnsLookup action. | false |
    | argIndex | integer | An arg index for the set action. Format: int32 | false |
    | argName | integer | An arg index for the filename for fdInstall action. Format: int32 | false |
    | argRegs | []string | An arg value for the regs action. | false |
    | argSig | integer | A signal number for signal action. Format: int32 | false |
    | argSock | integer | An arg index for the sock for trackSock and untrackSock actions. Format: int32 | false |
    | argUrl | string | A URL for the getUrl action. | false |
    | argValue | integer | An arg value for the set action. Format: int32 | false |
    | imaHash | boolean | Enable collection of file hashes from integrity subsystem. Only valid with the post action. | false |
    | kernelStackTrace | boolean | Enable kernel stack trace export. Only valid with the post action. | false |
    | rateLimit | string | A time period within which repeated messages will not be posted. Can be specified in seconds (default or with 's' suffix), minutes ('m' suffix) or hours ('h' suffix). Only valid with the post action. | false |
    | rateLimitScope | string | The scope of the provided rate limit argument. Can be "thread" (default), "process" (all threads for the same process), or "global". If "thread" is selected then rate limiting applies per thread; if "process" is selected then rate limiting applies per process; if "global" is selected then rate limiting applies regardless of which process or thread caused the action. Only valid with the post action and with a rateLimit specified. | false |
    | userStackTrace | boolean | Enable user stack trace export. Only valid with the post action. | false |

    TracingPolicyNamespaced.spec.usdts[index].selectors[index].matchReturnArgs[index]

    ↩ Parent

    | Name | Type | Description | Required |
    |---|---|---|---|
    | operator | enum | Filter operation. Enum: Equal, NotEqual, Prefix, NotPrefix, Postfix, NotPostfix, GreaterThan, LessThan, GT, LT, Mask, SPort, NotSPort, SPortPriv, NotSportPriv, DPort, NotDPort, DPortPriv, NotDPortPriv, SAddr, NotSAddr, DAddr, NotDAddr, Protocol, Family, State, InMap, NotInMap, CapabilitiesGained, InRange, NotInRange, SubString, SubStringIgnCase, CelExpr, FileType, NotFileType | true |
    | args | []integer | Position of the operator arguments (in spec file) to apply the filter to. | false |
    | index | integer | Position of the argument (in function prototype) to apply the filter to. Format: int32; Minimum: 0 | false |
    | values | []string | Value to compare the argument against. | false |