docs: update enforcement page #1630
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mtardy
approved these changes
Oct 20, 2023
Comment on lines
+18
to
+22
| Override the return value of a call means that the function will never be executed and, instead, a | ||
| value (typically an error) will be returned to the caller. Generally speaking, only system calls and | ||
| security check functions allow to change their return value in this manner. Details about how users | ||
| can configure tracing policies to override the return value can be found in the [Override | ||
| action]({{< ref "/docs/concepts/tracing-policy/selectors#override-action" >}}) documentation. |
There was a problem hiding this comment.
Should we mention the kernel option? https://elixir.bootlin.com/linux/v5.13.18/source/kernel/trace/Kconfig#L601. Not really a review of this but maybe for another PR.
There was a problem hiding this comment.
Or we could have a Requirements section at some point would be another option.
There was a problem hiding this comment.
I think the option would be better suited in the Override action documentation (in the selectors) section.
Comment on lines
30
to
31
| performed by the process from being executed. For example, a `SIGKILL` might be send in a `write()` | ||
| system call does not guarantee that the data will not be written to the file. |
There was a problem hiding this comment.
Suggested change
| performed by the process from being executed. For example, a `SIGKILL` might be send in a `write()` | |
| system call does not guarantee that the data will not be written to the file. | |
| performed by the process from being executed. For example, a `SIGKILL` sent in a `write()` | |
| system call does not guarantee that the data will not be written to the file. |
There was a problem hiding this comment.
Can we highlight what it does guarantee though. Maybe,
In contrast with overriding the return value, sending a
signal does not always stop the operation being performed
by the process that triggered the operation. However, it does
ensure that the process is terminated synchronously (and any
threads will be stopped). To ensure the operation is also
stopped the hook must be placed in the kernel carefully
to ensure the kernel performs a check for any signals before
the operation is performed.
In many cases it is sufficient to ensure the process is stopped
and unable to return from the call. Further, the kernel often
checks signals before doing I/O operations so these can be
used as long as kernel code paths are audited.
There was a problem hiding this comment.
Thanks! As discussed offline, I pushed the following:
In contrast with overriding the return value, sending a `SIGKILL` signal does not always stop the
operation being performed by the process that triggered the operation. For example, a `SIGKILL` sent
in a `write()` system call does not guarantee that the data will not be written to the file.
However, it does ensure that the process is terminated synchronously (and any threads will be
stopped). In some cases it may be sufficient to ensure the process is stopped and the process does
not handle the return of the call. To ensure the operation is not completed, though, the `Signal`
action should be combined with the `Override` action.
|
that's weird, the netlify preview was not triggered! the only time we need this it's not triggered 🤔 EDIT: we have it for the other PR that was closed #1629. This thing puzzles me |
kkourt
force-pushed
the
pr/kkourt/docs-enforcement
branch
from
2cf4476 to
ac240d8
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
kkourt
force-pushed
the
pr/kkourt/docs-enforcement
branch
from
ac240d8 to
3d20be9
Compare
Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/docs-enforcement
branch
from
3d20be9 to
424d22d
Compare
|
Merged. Let's improve later if need be. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.