use-case:policy: add monitor unload kernel modules

Signed-off-by: Djalal Harouni <[email protected]>
cilium · Aug 31, 2023 · 844f920 · 844f920
1 parent 31ad1df
commit 844f920
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/examples/tracingpolicy/host-changes/monitor-kernel-modules.yaml b/examples/tracingpolicy/host-changes/monitor-kernel-modules.yaml
@@ -5,10 +5,13 @@
 #  - Explicitly load modules using init_module() and finit_module().
 #  - Implicitly or automatically loading a module due to a missing kernel feature.
 #  - Loading of unsigned modules
+#  - Unload a module using the standard API
 #
 # Limitation:
 #  - For init_module() we are not able to get the full path of the module, as loading
 #    the module is done by userspace then data is passed to kernel.
+#  - Some exploits or rootkits may hide modules by unlinking them from the kernel module
+#    state without unloading it. To detect those the load module hooks are the way.
 #
 apiVersion: cilium.io/v1alpha1
 kind: TracingPolicy
@@ -55,4 +58,11 @@ spec:
     args:
     - index: 1
       type: "load_info"
+  - call: "free_module"
+    # Report the module being unloaded. Limitation: some exploits may unlink the module directly
+    # from the kernel internal state but not stop it. This hook won't catch it.
+    syscall: false
+    args:
+    - index: 0
+      type: "module"