Tomasz Jonak committed 1 year ago, 1 parent cd90c568
skipped 30 lines 31 31 It's based on eBPF and [Aya](https://aya-rs.dev) library, but takes away 32 32 the need to use them directly. 33 33 34 + ## Usage example 35 + 36 + Deny mount operation for all users. 37 + 38 + ```rust 39 + const BPF_MAPS_PATH: &str = "/sys/fs/bpf/example_sb_mount"; 40 + 41 + // Create a directory where ebpfguard policy manager can store its BPF 42 + // objects (maps). 43 + std::fs::create_dir_all(BPF_MAPS_PATH)?; 44 + 45 + // Create a policy manager. 46 + let mut policy_manager = PolicyManager::new(BPF_MAPS_PATH)?; 47 + 48 + // Attach the policy manager to the mount LSM hook. 49 + let mut sb_mount = policy_manager.attach_sb_mount()?; 50 + 51 + // Get the receiver end of the alerts channel (for the `file_open` LSM 52 + // hook). 53 + let mut sb_mount_rx = sb_mount.alerts().await?; 54 + 55 + // Define policies which deny mount operations for all processes (except 56 + // for the specified subject, if defined). 57 + sb_mount 58 + .add_policy(SbMount { 59 + subject: PolicySubject::All, 60 + allow: false, 61 + }) 62 + .await?; 63 + 64 + if let Some(alert) = sb_mount_rx.recv().await { 65 + info!( 66 + "sb_mount alert: pid={} subject={}", 67 + alert.pid, alert.subject 68 + ); 69 + } 70 + ``` 71 + 72 + Imports and cargo file are available in [example source code](examples/readme_mount). For more examples check out [EXAMPLES.md](doc/EXAMPLES.md). 
73 + 74 + 75 + ## Supported LSM hooks 76 + 77 + LSM hooks supported by Ebpfguard are: 78 + 79 + * [`bprm_check_security`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L62) 80 + * [`file_open`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L620) 81 + * [`sb_mount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L128) 82 + * [`sb_remount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L147) 83 + * [`sb_umount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L159) 84 + * [`socket_bind`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L904) 85 + * [`socket_connect`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L912) 86 + * [`task_fix_setuid`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L709) 87 + 34 88 ## Prerequisites 35 89 36 90 ### kernel capabilities skipped 137 lines 174 228 $ rustup component add miri --toolchain nightly 175 229 ``` 176 230 177 - ## LSM hooks 178 - 179 - LSM hooks supported by Ebpfguard are: 180 - 181 - * [`bprm_check_security`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L62) 182 - * [`file_open`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L620) 183 - * [`sb_mount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L128) 184 - * [`sb_remount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L147) 185 - * [`sb_umount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L159) 186 - * [`socket_bind`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L904) 187 - * [`socket_connect`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L912) 188 - * [`task_fix_setuid`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L709) 189 - 
190 - ## Examples 191 - 192 - For usage examples check [EXAMPLES.md](EXAMPLES.md). 193 - 194 231 ## Get in touch 195 232 196 - Thank you for using Ebpfguard. Please feel welcome to participate in the [Deepfence community](COMMUNITY.md). 233 + Thank you for using Ebpfguard. Please feel welcome to participate in the [Deepfence community](doc/COMMUNITY.md). 197 234 198 235 * [Deepfence Community Website](https://community.deepfence.io) 199 236 * [<img src="https://img.shields.io/badge/[email protected]?logo=slack">](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ) Got a question, need some help? Find the Deepfence team on Slack skipped 13 lines -
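Review bot: the comment above `sb_mount.alerts().await?` in the new Usage example says the receiver is for the `file_open` LSM hook, but the code attaches `sb_mount` and logs an `sb_mount alert`; change it to `// Get the receiver end of the alerts channel (for the \`sb_mount\` LSM hook).` so the snippet does not read as copied from a `file_open` example. The intro sentence "Deny mount operation for all users." also sits next to a comment about "the specified subject, if defined" while the policy uses `PolicySubject::All`, so either drop the parenthetical or show the subject-specific variant. Finally, the block uses `?` and `.await` at top level and the `info!` macro, so it only compiles inside an async `main` returning a `Result` with a logging crate in scope; the closing sentence points at examples/readme_mount for imports and Cargo.toml, but a short note that the async wrapper lives there too would prevent a failed copy-paste.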
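Review bot: removing the `## Examples` section leaves the only pointer to doc/EXAMPLES.md as the trailing sentence of the Usage example, so readers skimming headings lose the navigation anchor; consider keeping a short `## Examples` section that links to [EXAMPLES.md](doc/EXAMPLES.md). The `doc/COMMUNITY.md` link update in Get in touch is consistent with the COMMUNITY.md and EXAMPLES.md moves recorded in this commit, but the hunk only touches README.md, so any other root-relative references to those two files elsewhere in the repository would now be dangling and should be checked in the same change.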
COMMUNITY.md renamed to doc/COMMUNITY.md (content is identical)
EXAMPLES.md renamed to doc/EXAMPLES.md (content is identical)