@@ -16,6 +16,7 @@ Each selector comprises a set of filters:
1616- [ ` matchReturnArgs ` ] ( #return-args-filter ) : filter on the return value.
1717- [ ` matchPIDs ` ] ( #pids-filter ) : filter on PID.
1818- [ ` matchBinaries ` ] ( #binaries-filter ) : filter on binary path.
19+ - [ ` matchParentBinaries ` ] ( #parent-binaries-filter ) : filter on parent binary path.
1920- [ ` matchNamespaces ` ] ( #namespaces-filter ) : filter on Linux namespaces.
2021- [ ` matchCapabilities ` ] ( #capabilities-filter ) : filter on Linux capabilities.
2122- [ ` matchNamespaceChanges ` ] ( #namespace-changes-filter ) : filter on Linux namespaces changes.
@@ -264,7 +265,7 @@ is `followForks: true`, so all the child processes are followed.
264265
265266# ## Follow children
266267
267- the `matchBinaries` filter can be configured to also apply to children of matching processes. To do
268+ The `matchBinaries` filter can be configured to also apply to children of matching processes. To do
268269this, set `followChildren` to `true`. For example :
269270
270271` ` ` yaml
@@ -278,7 +279,7 @@ this, set `followChildren` to `true`. For example:
278279There are a number of limitations when using followChildren :
279280- Children created before the policy was installed will not be matched
280281- The number of `matchBinaries` sections with `followChildren : true` cannot exceed 64.
281- - Operators other than `In` are not supported.
282+ - Operators other than `In/NotIn ` are not supported.
282283
283284
284285**Further examples**
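Review bot: the replacement bullet reads `In/NotIn ` with a trailing space inside the backticks, which renders as a stray space and differs from the `In/NotIn` spelling used elsewhere in this patch; drop the space. More importantly, once `NotIn` is allowed together with `followChildren: true`, the sentence above it ("also apply to children of matching processes") no longer says which processes are followed: the children of processes whose binary is not in the list, presumably, but the text should state that explicitly rather than leave the reader to infer the semantics of a negated match combined with following.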
@@ -327,6 +328,58 @@ while the whole `kprobe` call is the following:
327328 - "3"
328329` ` `
329330
331+ # # Parent binaries filter
332+
333+ Parent binaries filter provides filtering based on current process parent
334+ binary path, which works similarly to the `matchBinaries` filter. It can be
335+ specified with the `matchParentBinaries` field. For instance, the following
336+ ` matchParentBinaries` selector will match only if binary `cat` was executed
337+ from interactive shell like `zsh`, `bash`, `sh` :
338+
339+ ` ` ` yaml
340+ - matchParentBinaries:
341+ - operator: "In"
342+ values:
343+ - "/usr/bin/bash"
344+ - "/usr/bin/sh"
345+ - "/usr/bin/zsh"
346+ matchBinaries:
347+ - operator: "In"
348+ values:
349+ - "/usr/bin/cat"
350+ ` ` `
351+
352+ The available operators for `matchParentBinaries` are :
353+ - ` In`
354+ - ` NotIn`
355+ - ` Prefix`
356+ - ` NotPrefix`
357+ - ` Postfix`
358+ - ` NotPostfix`
359+
360+ The `values` field has to be a map of `strings`. The default behaviour
361+ is `followForks : true`, so all the child processes are followed.
362+
363+ # ## Follow children
364+
365+ The `matchParentBinaries` filter can be configured to also apply to children of
366+ matching parent processes. To do this, set `followChildren` to `true`. For example :
367+
368+ ` ` ` yaml
369+ - matchParentBinaries:
370+ - operator: "In"
371+ values:
372+ - "/usr/bin/bash"
373+ followChildren: true
374+ ` ` `
375+
376+ This policy will match any process, which direct or transitive parent process binary is `bash`.
377+
378+ There are a number of limitations when using `followChildren` :
379+ - Children created before the policy was installed will not be matched.
380+ - The number of `matchParentBinaries` sections with `followChildren : true` cannot exceed 64.
381+ - Operators other than `In/NotIn` are not supported.
382+
330383# # Namespaces filter
331384
332385Namespaces filters can be specified under the `matchNamespaces` field and
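Review bot: "The `values` field has to be a map of `strings`" contradicts the YAML examples directly above it, where `values` is a list of strings (`- "/usr/bin/bash"`); say "list of strings" (the sentence appears to be carried over from the `matchBinaries` section, so check that section for the same mistake). The prose for the first example also overclaims: `matchParentBinaries` compares the parent's binary path, it does not know whether that shell is interactive, so `cat` launched from a shell script has the same parent and matches too; replace "executed from interactive shell like" with "executed by a shell such as". The new `### Follow children` heading duplicates the one already present in the `matchBinaries` section (line 265 of the rendered file), which makes the generated anchor ambiguous; give it a distinct title. Finally, "any process, which direct or transitive parent process binary is `bash`" should read "any process whose direct or transitive parent's binary is `bash`", and since the introduction speaks only of the "parent binary path" while this sentence speaks of transitive parents, it would help to state plainly that without `followChildren` only the immediate parent is compared.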