  • demo_socket_listen: more tweaks

    - added with_default_path static method to PolicyManager
    - clarified context errors on various setup stages
  • Tomasz Jonak committed 12 months ago
    0c872b31
    1 parent 9b782106
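--- a/ebpfguard/src/lib.rs
+++ b/ebpfguard/src/lib.rs
@@ -229,6 +229,22 @@
 }
 
 impl PolicyManager {
+ /// Default path for storage of eBPFGuard maps
+ const DEFAULT_BPFFS_MAPS_PATH: &str = "/sys/fs/bpf/ebpfguard_default";
+
+ /// Creates a new policy manager with default maps path.
+ ///
+ /// Assumes mounted bpf filesystem under /sys/fs/bpf.
+ /// # Example
+ /// ```no_run
+ /// use ebpfguard::PolicyManager;
+ ///
+ /// let mut policy_manager = PolicyManager::with_default_path().unwrap();
+ /// ```
+ pub fn with_default_path() -> Result<Self, EbpfguardError> {
+ Self::new(Self::DEFAULT_BPFFS_MAPS_PATH)
+ }
+
  /// Creates a new policy manager.
  ///
  /// # Example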
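Review bot: The doc comment on `with_default_path` states only that bpffs must be mounted under /sys/fs/bpf, yet the path handed to `Self::new` is the subdirectory `/sys/fs/bpf/ebpfguard_default`, and the example updated in this same commit calls `fs::create_dir_all` before `PolicyManager::new`, which suggests `new` expects the maps directory to already exist; if that is the case the docs should say so, and the constructor could create it itself so the "default" path actually works out of the box. A single fixed, well-known pin directory also means every process using this constructor shares (and can clobber) the same pinned maps, which is worth one sentence in the doc, e.g. `/// Requires an existing, writable directory at /sys/fs/bpf/ebpfguard_default;` `/// maps pinned there are shared by every manager using the default path.`. Stylistically, `# Example` follows the previous sentence without the separating `///` line the other doc comment in this hunk uses, and `DEFAULT_BPFFS_MAPS_PATH` could be `pub const` so callers can log or reuse the path. The enclosing `impl PolicyManager` block continues past the end of the hunk.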
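--- a/examples/demo_socket_listen/src/main.rs
+++ b/examples/demo_socket_listen/src/main.rs
@@ -1,11 +1,11 @@
-use std::{
- fs::{create_dir_all, remove_dir_all},
- path::PathBuf,
-};
+use std::{fs, path::PathBuf};
 
 use anyhow::Context;
 use clap::Parser;
-use ebpfguard::{policy::PolicySubject, PolicyManager};
+use ebpfguard::{
+ policy::{PolicySubject, Ports, SocketBind},
+ PolicyManager,
+};
 use log::info;
 
 #[derive(Debug, Parser)]
@@ -28,32 +28,31 @@
  log::set_max_level(logger.filter());
  log::set_boxed_logger(Box::from(logger)).context("Failed to set up logger")?;
 
- // Create a directory where ebpfguard policy manager can store its BPF
- // objects (maps).
- let bpf_path = opt.bpffs_path.join(opt.bpffs_dir);
- create_dir_all(&bpf_path)?;
+ let bpf_path: PathBuf = opt.bpffs_path.join(opt.bpffs_dir);
+ fs::create_dir_all(&bpf_path)?;
 
  let mut policy_manager =
- PolicyManager::new(&bpf_path).context("couldn't create policy manager")?;
+ PolicyManager::new(&bpf_path).context("kernel verifier rejected eBPF hooks object file")?;
 
  let mut socket_bind = policy_manager
  .attach_socket_bind()
- .context("couldn't load eBPF bytecode to kernel")?;
+ .context("couldn't attach socket_bind hook")?;
 
  let mut rx = socket_bind
  .alerts()
  .await
- .context("couldn't get notifications channel for bind events")?;
+ .context("couldn't get alerts channel for bind events")?;
 
- let policy = ebpfguard::policy::SocketBind {
+ let policy = SocketBind {
  subject: PolicySubject::All,
- allow: ebpfguard::policy::Ports::All,
- deny: ebpfguard::policy::Ports::Ports(opt.deny.clone()),
+ allow: Ports::All,
+ deny: Ports::Ports(opt.deny.clone()),
  };
+
  socket_bind
  .add_policy(policy)
  .await
- .context("failed to install policy")?;
+ .context("failed to add policy")?;
 
  info!(
  "Will block next 4 attempts to listen on a ports {:?}",
@@ -70,7 +69,7 @@
  }
 
  info!("Exiting...");
- remove_dir_all(&bpf_path).context("Failed to clean up bpf maps directory")?;
+ fs::remove_dir_all(&bpf_path).context("Failed to clean up bpf maps directory")?;
 
  Ok(())
 }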
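Review bot: The new context on `PolicyManager::new` asserts one specific cause, `kernel verifier rejected eBPF hooks object file`, but nothing in this hunk shows that `new` can only fail that way — an unwritable maps directory or an unmounted bpffs would plausibly surface through the same call — so the message would send an operator debugging a permissions or mount problem in the wrong direction; a neutral message carrying the path is more useful, e.g. `PolicyManager::new(&bpf_path).with_context(|| format!("couldn't create policy manager with maps at {}", bpf_path.display()))?;`. The `fs::create_dir_all(&bpf_path)?;` line just above is now the only fallible setup step left without a context, inconsistent with the rest of the hunk: `fs::create_dir_all(&bpf_path).with_context(|| format!("couldn't create maps directory {}", bpf_path.display()))?;`. The `: PathBuf` annotation on `bpf_path` is redundant with what `join` returns and can be dropped. `main` begins before this hunk, in the skipped lines.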