From 5ead851e7542d317b88c78e885c87ea1c722f140 Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Tue, 23 Jan 2024 15:39:44 +0100
Subject: [PATCH] policylibrary: annotate setuid root events with tags
Signed-off-by: Djalal Harouni
---
 .../privileges/privileges-setuid-root.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/examples/policylibrary/privileges/privileges-setuid-root.yaml b/examples/policylibrary/privileges/privileges-setuid-root.yaml
index d66aad740a6..3c7134c92fd 100644
--- a/examples/policylibrary/privileges/privileges-setuid-root.yaml
+++ b/examples/policylibrary/privileges/privileges-setuid-root.yaml
@@ -57,6 +57,7 @@ metadata:
 spec:
 kprobes:
 - call: "__sys_setuid"
+ message: "Privileged operation setuid to root"
 syscall: false
 return: true
 args:
@@ -74,7 +75,9 @@ spec:
 matchActions:
 - action: Post
 rateLimit: "1m" # Rate limit messages to 1min
+ tags: [ "observability.privilege", "observability.process" ]
 - call: "__sys_setgid"
+ message: "Privileged operation setgid to root"
 syscall: false
 return: true
 args:
@@ -92,7 +95,9 @@ spec:
 matchActions:
 - action: Post
 rateLimit: "1m" # Rate limit messages to 1min
+ tags: [ "observability.privilege", "observability.process" ]
 - call: "__sys_setreuid"
+ message: "Privileged operation setuid to root"
 syscall: false
 return: true
 args:
@@ -120,7 +125,9 @@ spec:
 matchActions:
 - action: Post
 rateLimit: "1m" # Rate limit messages to 1min
+ tags: [ "observability.privilege", "observability.process" ]
 - call: "__sys_setregid"
+ message: "Privileged operation setgid to root"
 syscall: false
 return: true
 args:
@@ -148,7 +155,9 @@ spec:
 matchActions:
 - action: Post
 rateLimit: "1m" # Rate limit messages to 1min
+ tags: [ "observability.privilege", "observability.process" ]
 - call: "__sys_setresuid"
+ message: "Privileged operation setuid to root"
 syscall: false
 return: true
 args:
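Review bot: The nesting of each added `tags:` line cannot be confirmed from this rendering, because the file's indentation has been collapsed; in a Tetragon TracingPolicy `tags` is a per-kprobe field, a sibling of `message:` and `selectors:`, so the `tags:` inserted after `rateLimit: "1m"` in the @@ -74 hunk must sit at the same column as `message:` and not one level deeper under the `- action: Post` entry, where, depending on how strict the CRD schema is, it would either be rejected at apply time or pruned silently so the events post without tags and nobody notices. The same check applies to the hunks at @@ -92, @@ -120, @@ -148, @@ -178, @@ -208, @@ -226 and @@ -244. Placing the new field directly under `message:` at the top of each entry removes the ambiguity and keeps the two annotations together, e.g. `- call: "__sys_setuid"` / `  message: "Privileged operation setuid to root"` / `  tags: ["observability.privilege", "observability.process"]`, which also drops the spaces inside the brackets that yamllint's default `brackets` rule flags. Each kprobe entry begins and ends outside its hunk.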
@@ -178,7 +187,9 @@ spec:
 matchActions:
 - action: Post
 rateLimit: "1m" # Rate limit messages to 1min
+ tags: [ "observability.privilege", "observability.process" ]
 - call: "__sys_setresgid"
+ message: "Privileged operation setgid to root"
 syscall: false
 return: true
 args:
@@ -208,7 +219,9 @@ spec:
 matchActions:
 - action: Post
 rateLimit: "1m" # Rate limit messages to 1min
+ tags: [ "observability.privilege", "observability.process" ]
 - call: "__sys_setfsuid"
+ message: "Privileged operation setuid to root"
 syscall: false
 return: true
 args:
@@ -226,7 +239,9 @@ spec:
 matchActions:
 - action: Post
 rateLimit: "1m" # Rate limit messages to 1min
+ tags: [ "observability.privilege", "observability.process" ]
 - call: "__sys_setfsgid"
+ message: "Privileged operation setgid to root"
 syscall: false
 return: true
 args:
@@ -244,3 +259,4 @@ spec:
 matchActions:
 - action: Post
 rateLimit: "1m" # Rate limit messages to 1min
+ tags: [ "observability.privilege", "observability.process" ]
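Review bot: The `message:` added to `__sys_setresgid` here, and to `__sys_setfsgid` in the @@ -226 hunk, is the same string already given to `__sys_setgid` and `__sys_setregid`, and the uid side in the @@ -208 hunk likewise reuses "Privileged operation setuid to root" for `__sys_setfsuid`, so one message covers four different entry points on each side. An analyst reading the message alone cannot tell setuid from setfsuid, and that distinction matters for triage since setfsuid changes only the filesystem identity rather than the process credentials. The probed function name is still carried in the event, so this is acceptable if the message is intended as a category label; if it is meant to describe the event, name the call, e.g. `message: "Privileged operation setresgid to root"` and `message: "Privileged operation setfsuid to root"`. The enclosing kprobe entries start outside these hunks.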