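--- a/examples/demo_socket_listen/src/main.rs
+++ b/examples/demo_socket_listen/src/main.rs
@@ -1,11 +1,11 @@
-use std::{
-    fs::{create_dir_all, remove_dir_all},
-    path::PathBuf,
-};
+use std::{fs, path::PathBuf};
 
 use anyhow::Context;
 use clap::Parser;
-use ebpfguard::{policy::PolicySubject, PolicyManager};
+use ebpfguard::{
+    policy::{PolicySubject, Ports, SocketBind},
+    PolicyManager,
+};
 use log::info;
 
 #[derive(Debug, Parser)]
@@ -28,32 +28,31 @@
     log::set_max_level(logger.filter());
     log::set_boxed_logger(Box::from(logger)).context("Failed to set up logger")?;
 
-    // Create a directory where ebpfguard policy manager can store its BPF
-    // objects (maps).
-    let bpf_path = opt.bpffs_path.join(opt.bpffs_dir);
-    create_dir_all(&bpf_path)?;
+    let bpf_path: PathBuf = opt.bpffs_path.join(opt.bpffs_dir);
+    fs::create_dir_all(&bpf_path)?;
 
     let mut policy_manager =
-        PolicyManager::new(&bpf_path).context("couldn't create policy manager")?;
+        PolicyManager::new(&bpf_path).context("kernel verifier rejected eBPF hooks object file")?;
 
     let mut socket_bind = policy_manager
         .attach_socket_bind()
-        .context("couldn't load eBPF bytecode to kernel")?;
+        .context("couldn't attach socket_bind hook")?;
 
     let mut rx = socket_bind
         .alerts()
         .await
-        .context("couldn't get notifications channel for bind events")?;
+        .context("couldn't get alerts channel for bind events")?;
 
-    let policy = ebpfguard::policy::SocketBind {
+    let policy = SocketBind {
         subject: PolicySubject::All,
-        allow: ebpfguard::policy::Ports::All,
-        deny: ebpfguard::policy::Ports::Ports(opt.deny.clone()),
+        allow: Ports::All,
+        deny: Ports::Ports(opt.deny.clone()),
     };
+
     socket_bind
         .add_policy(policy)
         .await
-        .context("failed to install policy")?;
+        .context("failed to add policy")?;
 
     info!(
         "Will block next 4 attempts to listen on a ports {:?}",
@@ -70,7 +69,7 @@
     }
 
     info!("Exiting...");
-    remove_dir_all(&bpf_path).context("Failed to clean up bpf maps directory")?;
+    fs::remove_dir_all(&bpf_path).context("Failed to clean up bpf maps directory")?;
 
     Ok(())
 }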
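Review bot: The new context string on the `PolicyManager::new(&bpf_path)` line asserts a single cause ("kernel verifier rejected eBPF hooks object file") that the call site cannot know; from the visible code the call can presumably also fail because the bpffs path is not mounted, the directory is not writable, or the process lacks the needed capabilities, and a misattributed message will send an operator down the wrong path. A neutral message that names the input, e.g. `.with_context(|| format!("couldn't create policy manager at {}", bpf_path.display()))?`, keeps the detail in the underlying error. The same hunk also drops the only comment explaining what `bpf_path` is for; restore it as `// Directory where the policy manager stores its pinned BPF objects (maps).` above the `let bpf_path` line. The enclosing `main` begins in the lines skipped before this hunk.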