Hello! I have not found any related topics, so I am opening one.
For some CVE mitigations, it is necessary to have access to certain hooks, but if you can't reach the data, you won't be able to do anything.
So this feature should allow extracting any parameter from a structure argument such as `linux_binprm` or `struct file` and gathering any data inside.
After this, we could match the data with the normal Tetragon behavior, like `Equal` or `Postfix`.
Describe your proposed solution
To do such a feature, it is possible to search for a specific type in BTF file and extract the offsets of the required data. Then, those offsets could be given to the BPF program that would use it to reach the data.
To make it simpler to understand, let's take an example using the above config.
- Split the extractParam string in order to have an array of children.
- Search the parent, `linux_binprm`, and look for any child called `file`. If found, we store the offset.
- If the `file` parameter is found in `linux_binprm`, search inside `file` to reach the child `f_path`.
- And so on, until the end of the array.
- After all the offsets have been found, we give them to the BPF program and loop on the argument buffer to search for the required data.
- Then we read the data and it should work.
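The offset-resolution steps above, as an added example that is not Tetragon's own code: a Go walker over a constructed type table standing in for a parsed BTF file (the layouts and offsets are invented, and real BTF stores bit offsets). It also records, per hop, whether the member is a pointer, since a hop such as `linux_binprm.file` is a pointer the BPF program has to dereference rather than an offset it can simply add.

```go
package main

import (
	"fmt"
	"strings"
)

// Member is one struct field as BTF describes it: the struct type it embeds or
// points to ("" for scalars), its byte offset (real BTF uses bits) and pointer-ness.
type Member struct {
	Name, Type string
	Offset     uint32
	IsPtr      bool
}
// Step is one hop handed to the BPF program. With Deref set the BPF side must
// read the pointer at Offset before the next hop; summing offsets would be wrong.
type Step struct {
	Offset uint32
	Deref  bool
}
// Constructed type table standing in for a parsed BTF file; layouts and offsets
// are invented for this illustration, not real kernel values.
var types = map[string][]Member{
	"linux_binprm": {{"p", "", 0, false}, {"file", "file", 32, true}},
	"file":         {{"f_path", "path", 16, false}, {"f_inode", "inode", 32, true}},
	"path":         {{"mnt", "vfsmount", 0, true}, {"dentry", "dentry", 8, true}},
}
// ResolvePath walks a dotted member path such as "file.f_path.dentry" from the
// root struct, returning one Step per hop; a missing member or a scalar is an error.
func ResolvePath(root, path string) ([]Step, error) {
	cur, steps := root, []Step{}
	for _, name := range strings.Split(path, ".") {
		members, ok := types[cur]
		if !ok {
			return nil, fmt.Errorf("cannot look up %q: %q is not a struct", name, cur)
		}
		found := false
		for _, m := range members {
			if m.Name == name {
				steps = append(steps, Step{Offset: m.Offset, Deref: m.IsPtr})
				cur, found = m.Type, true
				break
			}
		}
		if !found {
			return nil, fmt.Errorf("struct %s has no member %q", cur, name)
		}
	}
	return steps, nil
}
```

With the constructed table, `ResolvePath("linux_binprm", "file.f_path.dentry")` yields three hops (32 with deref, 16 flat, 8 with deref), and a path through a scalar such as `p.x` is rejected instead of producing a bogus offset.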
Code of Conduct
I agree to follow this project's Code of Conduct