Description
Is there an existing issue for this?
- I have searched the existing issues
Is your feature request related to a problem?
When writing policies that match on binaries, we need to refer to the absolute path of the binary (that returned by realpath) rather than a handy symlink. This approach ensures there is no ambiguity regarding which binary the policy refers to. However, this requires users to run realpath on any binaries they would like to match on, and use those paths in the policy.
Describe the feature you would like
We could add a 'resolvePath: true' parameter to matchBinaries paths (probably once per matchBinaries section rather than once per path). This would indicate to Tetragon that the paths might be symlinked and it should resolve them at the point of loading the policy. The default action would still be to expect an absolute path, but this would allow a user to override that if they were confident that resolving the paths is sensible and beneficial.
Describe your proposed solution
Add 'resolvePath: true' or similar to the matchBinaries section. If set, call realpath on all values in the section.
Code of Conduct
- I agree to follow this project's Code of Conduct
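An added sketch, not part of the original issue and not Tetragon code, of the load-time resolution the request describes. `ResolveBinaryPaths` is a hypothetical helper; the temporary directory and file names are constructed sample input. Resolution is a snapshot taken at load time, so a symlink retargeted afterwards is not followed until the list is resolved again.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ResolveBinaryPaths is a hypothetical helper (an assumption, not Tetragon's API).
// It applies realpath-style resolution to each matchBinaries value, as the
// proposed resolvePath option would do once when the policy is loaded.
// Unresolvable entries are reported in failed instead of being dropped, so a
// policy is never loaded with fewer binaries than its author listed.
func ResolveBinaryPaths(values []string) (resolved []string, failed map[string]error) {
	failed = make(map[string]error)
	seen := make(map[string]bool)
	for _, v := range values {
		if !filepath.IsAbs(v) {
			// A relative name is ambiguous: it depends on the loader's cwd.
			failed[v] = errors.New("not an absolute path")
			continue
		}
		realPath, err := filepath.EvalSymlinks(v) // follows every symlink in the path
		if err != nil {
			failed[v] = err
			continue
		}
		if !seen[realPath] { // two symlinks may point at the same binary
			seen[realPath] = true
			resolved = append(resolved, realPath)
		}
	}
	return resolved, failed
}

func main() {
	// Constructed demo: a temp dir standing in for a bin directory with one symlink.
	dir, _ := os.MkdirTemp("", "resolve-demo")
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "python3.11")
	link := filepath.Join(dir, "python3")
	os.WriteFile(target, []byte("#!/bin/true\n"), 0o755)
	os.Symlink(target, link)

	resolved, failed := ResolveBinaryPaths([]string{link, target, filepath.Join(dir, "missing")})
	fmt.Println("resolved:", resolved)
	for p, err := range failed {
		fmt.Printf("unresolved %s: %v\n", p, err)
	}
}
```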