@@ -16,6 +16,7 @@ Each selector comprises a set of filters:
1616- [ ` matchReturnArgs ` ] ( #return-args-filter ) : filter on the return value.
1717- [ ` matchPIDs ` ] ( #pids-filter ) : filter on PID.
1818- [ ` matchBinaries ` ] ( #binaries-filter ) : filter on binary path.
19+ - [ ` matchParentBinaries ` ] ( #parent-binaries-filter ) : filter on parent binary path.
1920- [ ` matchNamespaces ` ] ( #namespaces-filter ) : filter on Linux namespaces.
2021- [ ` matchCapabilities ` ] ( #capabilities-filter ) : filter on Linux capabilities.
2122- [ ` matchNamespaceChanges ` ] ( #namespace-changes-filter ) : filter on Linux namespaces changes.
@@ -264,7 +265,7 @@ is `followForks: true`, so all the child processes are followed.
264265
265266# ## Follow children
266267
267- the `matchBinaries` filter can be configured to also apply to children of matching processes. To do
268+ The `matchBinaries` filter can be configured to also apply to children of matching processes. To do
268269this, set `followChildren` to `true`. For example :
269270
270271` ` ` yaml
@@ -327,6 +328,63 @@ while the whole `kprobe` call is the following:
327328 - "3"
328329` ` `
329330
331+ # # Parent binaries filter
332+
333+ {{< warning >}}
334+ ` matchParentBinaries` selector can be used only with BPF map `parents_map` enabled (option `--parents-map-enabled`), which adds
335+ additional memory overhead.
336+ {{< /warning >}}
337+
338+ Parent binaries filter provides filtering based on current process parent
339+ binary path, which works similarly to the `matchBinaries` filter. It can be
340+ specified with the `matchParentBinaries` field. For instance, the following
341+ ` matchParentBinaries` selector will match only if binary `cat` was executed
342+ from interactive shell like `zsh`, `bash`, `sh` :
343+
344+ ` ` ` yaml
345+ - matchParentBinaries:
346+ - operator: "In"
347+ values:
348+ - "/usr/bin/bash"
349+ - "/usr/bin/sh"
350+ - "/usr/bin/zsh"
351+ matchBinaries:
352+ - operator: "In"
353+ values:
354+ - "/usr/bin/cat"
355+ ` ` `
356+
357+ The available operators for `matchParentBinaries` are :
358+ - ` In`
359+ - ` NotIn`
360+ - ` Prefix`
361+ - ` NotPrefix`
362+ - ` Postfix`
363+ - ` NotPostfix`
364+
365+ The `values` field has to be a map of `strings`. The default behaviour
366+ is `followForks : true`, so all the child processes are followed.
367+
368+ # ## Follow children
369+
370+ The `matchParentBinaries` filter can be configured to also apply to children of
371+ matching parent processes. To do this, set `followChildren` to `true`. For example :
372+
373+ ` ` ` yaml
374+ - matchParentBinaries:
375+ - operator: "In"
376+ values:
377+ - "/usr/bin/bash"
378+ followChildren: true
379+ ` ` `
380+
381+ This policy will match any process, which direct or transitive parent process binary is `bash`.
382+
383+ There are a number of limitations when using `followChildren` :
384+ - Children created before the policy was installed will not be matched.
385+ - The number of `matchParentBinaries` sections with `followChildren : true` cannot exceed 64.
386+ - Operators other than `In/NotIn` are not supported.
387+
330388# # Namespaces filter
331389
332390Namespaces filters can be specified under the `matchNamespaces` field and
0 commit comments