Skip to content

feat: Add matchScript option to matchBinaries selector for shebang script filtering #4602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
ariosmon wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

feat: Add matchScript option to matchBinaries selector for shebang script filtering #4602

ariosmon wants to merge 2 commits into from
+973 −12

Conversation

@ariosmon
Copy link
Contributor

@ariosmon ariosmon commented Feb 3, 2026
edited
Loading

Add support for matching against script paths instead of interpreter paths when filtering shebang scripts. When a script with a shebang (e.g., /path/script.py with #!/usr/bin/python3) is executed, matchBinaries normally matches against the interpreter (/usr/bin/python3). The new matchScript option allows matching against the script path instead.

In this PR you will see two commits:

feat: Add matchScript to matchBinaries for shebang scripts -> Implementation files

chore: Regenerate files -> FIle generated after $ make generate command line

Evidence of the implementation:
1️⃣ Tracing-policy with matchScript: true (new matchBinaries feature added)

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: test-matchscript-true
spec:
  kprobes:
  - call: "sys_write"
    syscall: true
    args:
    - index: 0
      type: int
    - index: 2
      type: size_t
    selectors:
    - matchBinaries:
      - operator: In
        values:
        - /tmp/test_script.sh
        matchScript: true

Script to run some events:

#!/bin/bash
echo "Hello from script"

Tetragon log

🚀 process 9447eedcf851 /tmp/test_script.sh /tmp/test_script.sh
📝 write   9447eedcf851 /tmp/test_script.sh
💥 exit    9447eedcf851 /tmp/test_script.sh /tmp/test_script.sh 0

2️⃣ Check if the previos implementation with interpreter continue working.

Tracing-policy using matchBinaries /usr/bin/bash

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: test-usrbash
spec:
  kprobes:
  - call: "sys_write"
    syscall: true
    args:
    - index: 0
      type: int
    - index: 2
      type: size_t
    selectors:
    - matchBinaries:
      - operator: In
        values:
        - /usr/bin/bash

Script to run some events:

#!/bin/bash
echo "Hello from script"

Tetragon log:

📝 write   9447eedcf851 /bin/bash
📝 write   9447eedcf851 /bin/bash
🚀 process 9447eedcf851 /tmp/test_script.sh /tmp/test_script.sh
📝 write   9447eedcf851 /tmp/test_script.sh
💥 exit    9447eedcf851 /tmp/test_script.sh /tmp/test_script.sh 0
📝 write   9447eedcf851 /bin/bash
📝 write   9447eedcf851 /bin/bash

3️⃣ Test without matchScript in the tracingpolicy

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: test-script-nomatch
spec:
  kprobes:
  - call: "sys_write"
    syscall: true
    args:
    - index: 0
      type: int
    - index: 2
      type: size_t
    selectors:
    - matchBinaries:
      - operator: In
        values:
        - /tmp/test_script.sh

Script to run some events:

#!/bin/bash
echo "Hello from script"

Tetragon log:

🚀 process 9447eedcf851 /tmp/test_script.sh /tmp/test_script.sh
💥 exit    9447eedcf851 /tmp/test_script.sh /tmp/test_script.sh 0

4️⃣ Test with matchScript: false

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: test-nomatchscript
spec:
  kprobes:
  - call: sys_write
    syscall: true
    args:
    - index: 0
      type: int
    - index: 2
      type: size_t
    selectors:
    - matchBinaries:
      - operator: In
        values:
        - /tmp/test_script.sh
        matchScript: false

Script to run some events:

#!/bin/bash
echo "Hello from script"

Tetragon log:

🚀 process 9447eedcf851 /tmp/test_script.sh /tmp/test_script.sh
💥 exit    9447eedcf851 /tmp/test_script.sh /tmp/test_script.sh 0

Unit test:

Please check the unit test created in this path: pkg/sensors/tracing/matchbinaries_script_test.go

go test -v ./pkg/sensors/tracing/... -run TestMatchBinariesMatchScript

Output: 

=== NAME  TestMatchBinariesMatchScriptValidation/NotPostfix
    base.go:215: cleanup: unloading base sensor
=== NAME  TestMatchBinariesMatchScriptValidation
    logcapture.go:24: time=2026-02-03T01:44:09.490Z level=INFO msg="Unloading sensor __base__"
--- PASS: TestMatchBinariesMatchScriptValidation (0.89s)
    --- PASS: TestMatchBinariesMatchScriptValidation/Prefix (0.28s)
    --- PASS: TestMatchBinariesMatchScriptValidation/NotPrefix (0.21s)
    --- PASS: TestMatchBinariesMatchScriptValidation/Postfix (0.21s)
    --- PASS: TestMatchBinariesMatchScriptValidation/NotPostfix (0.20s)
PASS
ok  	github.com/cilium/tetragon/pkg/sensors/tracing	(cached)

@netlify
Copy link

netlify bot commented Feb 3, 2026
edited
Loading

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit 670730f
🔍 Latest deploy log https://app.netlify.com/projects/tetragon/deploys/69816f322416f80008506608
😎 Deploy Preview https://deploy-preview-4602--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@ariosmon ariosmon force-pushed the ariosmon/pr/machbinaries/shebang branch 7 times, most recently from 670730f to 3f42601 Compare February 3, 2026 03:51
@ariosmon ariosmon force-pushed the ariosmon/pr/machbinaries/shebang branch from 3f42601 to 143841d Compare February 3, 2026 16:28
@ariosmon
chore: Regenerate files
2362f64 
Signed-off-by: ariosmon <[email protected]>
@ariosmon ariosmon force-pushed the ariosmon/pr/machbinaries/shebang branch from 143841d to 2362f64 Compare February 3, 2026 17:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ariosmon