1 | | - | use std::{ |
2 | | - | fmt::Debug, |
3 | | - | net::{IpAddr, Ipv4Addr, Ipv6Addr}, |
4 | | - | }; |
5 | | - | |
6 | | - | use aya::{ |
7 | | - | maps::{AsyncPerfEventArray, HashMap, MapData}, |
8 | | - | programs::lsm::LsmLink, |
9 | | - | util::online_cpus, |
10 | | - | }; |
11 | | - | use bytes::BytesMut; |
12 | | - | use ebpfguard_common::{ |
13 | | - | alerts as ebpf_alerts, |
14 | | - | policy::{self as ebpf_policy, IpAddrs}, |
15 | | - | }; |
16 | | - | use once_cell::sync::Lazy; |
17 | | - | use tokio::{ |
18 | | - | sync::{ |
19 | | - | mpsc::{self, Receiver}, |
20 | | - | Mutex, |
21 | | - | }, |
22 | | - | task, |
23 | | - | }; |
24 | | - | |
25 | | - | use crate::{alerts, error::EbpfguardError, policy, InodeSubjectMap}; |
26 | | - | |
27 | | - | static INODE_SUBJECT_MAP: Lazy<Mutex<InodeSubjectMap>> = |
28 | | - | Lazy::new(|| Mutex::new(InodeSubjectMap::default())); |
29 | | - | |
30 | | - | pub struct All { |
31 | | - | pub bprm_check_security: BprmCheckSecurity, |
32 | | - | pub file_open: FileOpen, |
33 | | - | pub task_fix_setuid: TaskFixSetuid, |
34 | | - | pub socket_bind: SocketBind, |
35 | | - | pub socket_connect: SocketConnect, |
36 | | - | } |
37 | | - | |
38 | | - | impl All { |
39 | | - | pub async fn add_policy(&mut self, policy: policy::Policy) -> Result<(), EbpfguardError> { |
40 | | - | match policy { |
41 | | - | policy::Policy::FileOpen(policy) => self.file_open.add_policy(policy).await?, |
42 | | - | policy::Policy::TaskFixSetuid(policy) => { |
43 | | - | self.task_fix_setuid.add_policy(policy).await? |
44 | | - | } |
45 | | - | policy::Policy::SocketBind(policy) => self.socket_bind.add_policy(policy).await?, |
46 | | - | policy::Policy::SocketConnect(policy) => self.socket_connect.add_policy(policy).await?, |
47 | | - | } |
48 | | - | |
49 | | - | Ok(()) |
50 | | - | } |
51 | | - | } |
52 | | - | |
53 | | - | pub struct BprmCheckSecurity { |
54 | | - | #[allow(dead_code)] |
55 | | - | pub(crate) program_link: Option<LsmLink>, |
56 | | - | pub(crate) perf_array: AsyncPerfEventArray<MapData>, |
57 | | - | } |
58 | | - | |
59 | | - | impl BprmCheckSecurity { |
60 | | - | pub async fn alerts(&mut self) -> Result<Receiver<alerts::BprmCheckSecurity>, EbpfguardError> { |
61 | | - | perf_array_alerts::<ebpf_alerts::BprmCheckSecurity, alerts::BprmCheckSecurity>( |
62 | | - | &mut self.perf_array, |
63 | | - | ) |
64 | | - | .await |
65 | | - | } |
66 | | - | } |
67 | | - | |
68 | | - | pub struct FileOpen { |
69 | | - | #[allow(dead_code)] |
70 | | - | pub(crate) program_link: Option<LsmLink>, |
71 | | - | pub(crate) allowed_map: HashMap<MapData, u64, ebpf_policy::Paths>, |
72 | | - | pub(crate) denied_map: HashMap<MapData, u64, ebpf_policy::Paths>, |
73 | | - | pub(crate) perf_array: AsyncPerfEventArray<MapData>, |
74 | | - | } |
75 | | - | |
76 | | - | impl FileOpen { |
77 | | - | pub async fn add_policy(&mut self, policy: policy::FileOpen) -> Result<(), EbpfguardError> { |
78 | | - | let bin_inode = { |
79 | | - | let mut map = INODE_SUBJECT_MAP.lock().await; |
80 | | - | map.resolve_path(policy.subject)? |
81 | | - | }; |
82 | | - | |
83 | | - | let allow: ebpf_policy::Paths = policy.allow.into(); |
84 | | - | let deny: ebpf_policy::Paths = policy.deny.into(); |
85 | | - | |
86 | | - | self.allowed_map.insert(bin_inode, allow, 0)?; |
87 | | - | self.denied_map.insert(bin_inode, deny, 0)?; |
88 | | - | |
89 | | - | Ok(()) |
90 | | - | } |
91 | | - | |
92 | | - | pub async fn list_policies(&self) -> Result<Vec<policy::FileOpen>, EbpfguardError> { |
93 | | - | let mut policies = Vec::new(); |
94 | | - | |
95 | | - | for res in self.allowed_map.iter() { |
96 | | - | let (bin_inode, allow) = res?; |
97 | | - | let deny = self.denied_map.get(&bin_inode, 0)?; |
98 | | - | |
99 | | - | let subject = { |
100 | | - | let map = INODE_SUBJECT_MAP.lock().await; |
101 | | - | map.resolve_inode(bin_inode) |
102 | | - | }; |
103 | | - | |
104 | | - | policies.push(policy::FileOpen { |
105 | | - | subject, |
106 | | - | allow: allow.into(), |
107 | | - | deny: deny.into(), |
108 | | - | }); |
109 | | - | } |
110 | | - | |
111 | | - | Ok(policies) |
112 | | - | } |
113 | | - | |
114 | | - | pub async fn alerts(&mut self) -> Result<Receiver<alerts::FileOpen>, EbpfguardError> { |
115 | | - | perf_array_alerts::<ebpf_alerts::FileOpen, alerts::FileOpen>(&mut self.perf_array).await |
116 | | - | } |
117 | | - | } |
118 | | - | |
119 | | - | pub struct TaskFixSetuid { |
120 | | - | #[allow(dead_code)] |
121 | | - | pub(crate) program_link: Option<LsmLink>, |
122 | | - | pub(crate) allowed_map: HashMap<MapData, u64, u8>, |
123 | | - | pub(crate) denied_map: HashMap<MapData, u64, u8>, |
124 | | - | pub(crate) perf_array: AsyncPerfEventArray<MapData>, |
125 | | - | } |
126 | | - | |
127 | | - | impl TaskFixSetuid { |
128 | | - | pub async fn add_policy( |
129 | | - | &mut self, |
130 | | - | policy: policy::TaskFixSetuid, |
131 | | - | ) -> Result<(), EbpfguardError> { |
132 | | - | let bin_inode = { |
133 | | - | let mut map = INODE_SUBJECT_MAP.lock().await; |
134 | | - | map.resolve_path(policy.subject)? |
135 | | - | }; |
136 | | - | |
137 | | - | if policy.allow { |
138 | | - | self.allowed_map.insert(bin_inode, 0, 0)?; |
139 | | - | } else { |
140 | | - | self.denied_map.insert(bin_inode, 0, 0)?; |
141 | | - | } |
142 | | - | |
143 | | - | Ok(()) |
144 | | - | } |
145 | | - | |
146 | | - | pub async fn list_policies(&self) -> Result<Vec<policy::TaskFixSetuid>, EbpfguardError> { |
147 | | - | let mut policies = Vec::new(); |
148 | | - | |
149 | | - | for res in self.allowed_map.iter() { |
150 | | - | let (bin_inode, _) = res?; |
151 | | - | |
152 | | - | let subject = { |
153 | | - | let map = INODE_SUBJECT_MAP.lock().await; |
154 | | - | map.resolve_inode(bin_inode) |
155 | | - | }; |
156 | | - | |
157 | | - | policies.push(policy::TaskFixSetuid { |
158 | | - | subject, |
159 | | - | allow: true, |
160 | | - | }); |
161 | | - | } |
162 | | - | |
163 | | - | for res in self.denied_map.iter() { |
164 | | - | let (bin_inode, _) = res?; |
165 | | - | |
166 | | - | let subject = { |
167 | | - | let map = INODE_SUBJECT_MAP.lock().await; |
168 | | - | map.resolve_inode(bin_inode) |
169 | | - | }; |
170 | | - | |
171 | | - | policies.push(policy::TaskFixSetuid { |
172 | | - | subject, |
173 | | - | allow: false, |
174 | | - | }); |
175 | | - | } |
176 | | - | |
177 | | - | Ok(policies) |
178 | | - | } |
179 | | - | |
180 | | - | pub async fn alerts(&mut self) -> Result<Receiver<alerts::TaskFixSetuid>, EbpfguardError> { |
181 | | - | perf_array_alerts::<ebpf_alerts::TaskFixSetuid, alerts::TaskFixSetuid>(&mut self.perf_array) |
182 | | - | .await |
183 | | - | } |
184 | | - | } |
185 | | - | |
186 | | - | pub struct SocketBind { |
187 | | - | #[allow(dead_code)] |
188 | | - | pub(crate) program_link: Option<LsmLink>, |
189 | | - | pub(crate) allowed_map: HashMap<MapData, u64, ebpf_policy::Ports>, |
190 | | - | pub(crate) denied_map: HashMap<MapData, u64, ebpf_policy::Ports>, |
191 | | - | pub(crate) perf_array: AsyncPerfEventArray<MapData>, |
192 | | - | } |
193 | | - | |
194 | | - | impl SocketBind { |
195 | | - | pub async fn add_policy(&mut self, policy: policy::SocketBind) -> Result<(), EbpfguardError> { |
196 | | - | let bin_inode = { |
197 | | - | let mut map = INODE_SUBJECT_MAP.lock().await; |
198 | | - | map.resolve_path(policy.subject)? |
199 | | - | }; |
200 | | - | |
201 | | - | let allow: ebpf_policy::Ports = policy.allow.into(); |
202 | | - | let deny: ebpf_policy::Ports = policy.deny.into(); |
203 | | - | |
204 | | - | self.allowed_map.insert(bin_inode, allow, 0)?; |
205 | | - | self.denied_map.insert(bin_inode, deny, 0)?; |
206 | | - | |
207 | | - | Ok(()) |
208 | | - | } |
209 | | - | |
210 | | - | pub async fn list_policies(&self) -> Result<Vec<policy::SocketBind>, EbpfguardError> { |
211 | | - | let mut policies = Vec::new(); |
212 | | - | |
213 | | - | for res in self.allowed_map.iter() { |
214 | | - | let (bin_inode, allow) = res?; |
215 | | - | let deny = self.denied_map.get(&bin_inode, 0)?; |
216 | | - | |
217 | | - | let subject = { |
218 | | - | let map = INODE_SUBJECT_MAP.lock().await; |
219 | | - | map.resolve_inode(bin_inode) |
220 | | - | }; |
221 | | - | |
222 | | - | policies.push(policy::SocketBind { |
223 | | - | subject, |
224 | | - | allow: allow.into(), |
225 | | - | deny: deny.into(), |
226 | | - | }); |
227 | | - | } |
228 | | - | |
229 | | - | Ok(policies) |
230 | | - | } |
231 | | - | |
232 | | - | pub async fn alerts(&mut self) -> Result<Receiver<alerts::SocketBind>, EbpfguardError> { |
233 | | - | perf_array_alerts::<ebpf_alerts::SocketBind, alerts::SocketBind>(&mut self.perf_array).await |
234 | | - | } |
235 | | - | } |
236 | | - | |
237 | | - | pub struct SocketConnect { |
238 | | - | #[allow(dead_code)] |
239 | | - | pub(crate) program_link: Option<LsmLink>, |
240 | | - | pub(crate) allowed_map_v4: HashMap<MapData, u64, ebpf_policy::Ipv4Addrs>, |
241 | | - | pub(crate) denied_map_v4: HashMap<MapData, u64, ebpf_policy::Ipv4Addrs>, |
242 | | - | pub(crate) allowed_map_v6: HashMap<MapData, u64, ebpf_policy::Ipv6Addrs>, |
243 | | - | pub(crate) denied_map_v6: HashMap<MapData, u64, ebpf_policy::Ipv6Addrs>, |
244 | | - | pub(crate) perf_array: AsyncPerfEventArray<MapData>, |
245 | | - | } |
246 | | - | |
247 | | - | impl SocketConnect { |
248 | | - | pub async fn add_policy( |
249 | | - | &mut self, |
250 | | - | policy: policy::SocketConnect, |
251 | | - | ) -> Result<(), EbpfguardError> { |
252 | | - | let bin_inode = { |
253 | | - | let mut map = INODE_SUBJECT_MAP.lock().await; |
254 | | - | map.resolve_path(policy.subject)? |
255 | | - | }; |
256 | | - | |
257 | | - | let (allow_v4, allow_v6) = policy.allow.into_ebpf(); |
258 | | - | let (deny_v4, deny_v6) = policy.deny.into_ebpf(); |
259 | | - | |
260 | | - | self.allowed_map_v4.insert(bin_inode, allow_v4, 0)?; |
261 | | - | self.denied_map_v4.insert(bin_inode, deny_v4, 0)?; |
262 | | - | self.allowed_map_v6.insert(bin_inode, allow_v6, 0)?; |
263 | | - | self.denied_map_v6.insert(bin_inode, deny_v6, 0)?; |
264 | | - | |
265 | | - | Ok(()) |
266 | | - | } |
267 | | - | |
268 | | - | pub async fn list_policies(&self) -> Result<Vec<policy::SocketConnect>, EbpfguardError> { |
269 | | - | let mut policies = Vec::new(); |
270 | | - | |
271 | | - | for res in self.allowed_map_v4.iter() { |
272 | | - | let (bin_inode, allow_v4) = res?; |
273 | | - | let deny_v4 = self.denied_map_v4.get(&bin_inode, 0)?; |
274 | | - | let allow_v6 = self.allowed_map_v6.get(&bin_inode, 0)?; |
275 | | - | let deny_v6 = self.denied_map_v6.get(&bin_inode, 0)?; |
276 | | - | |
277 | | - | let subject = { |
278 | | - | let map = INODE_SUBJECT_MAP.lock().await; |
279 | | - | map.resolve_inode(bin_inode) |
280 | | - | }; |
281 | | - | |
282 | | - | let allow = if allow_v4.all() && allow_v6.all() { |
283 | | - | policy::Addresses::All |
284 | | - | } else { |
285 | | - | let mut addrs = Vec::new(); |
286 | | - | for addr in allow_v4.addrs.iter() { |
287 | | - | if *addr == 0 { |
288 | | - | break; |
289 | | - | } |
290 | | - | addrs.push(IpAddr::V4(Ipv4Addr::from(addr.to_owned()))); |
291 | | - | } |
292 | | - | for addr in allow_v6.addrs.iter() { |
293 | | - | if *addr == [0u8; 16] { |
294 | | - | break; |
295 | | - | } |
296 | | - | addrs.push(IpAddr::V6(Ipv6Addr::from(addr.to_owned()))); |
297 | | - | } |
298 | | - | policy::Addresses::Addresses(addrs) |
299 | | - | }; |
300 | | - | let deny = if deny_v4.all() && deny_v6.all() { |
301 | | - | policy::Addresses::All |
302 | | - | } else { |
303 | | - | let mut addrs = Vec::new(); |
304 | | - | for addr in deny_v4.addrs.iter() { |
305 | | - | if *addr == 0 { |
306 | | - | break; |
307 | | - | } |
308 | | - | addrs.push(IpAddr::V4(Ipv4Addr::from(addr.to_owned()))); |
309 | | - | } |
310 | | - | for addr in deny_v6.addrs.iter() { |
311 | | - | if *addr == [0u8; 16] { |
312 | | - | break; |
313 | | - | } |
314 | | - | addrs.push(IpAddr::V6(Ipv6Addr::from(addr.to_owned()))); |
315 | | - | } |
316 | | - | policy::Addresses::Addresses(addrs) |
317 | | - | }; |
318 | | - | |
319 | | - | policies.push(policy::SocketConnect { |
320 | | - | subject, |
321 | | - | allow, |
322 | | - | deny, |
323 | | - | }); |
324 | | - | } |
325 | | - | |
326 | | - | Ok(policies) |
327 | | - | } |
328 | | - | |
329 | | - | pub async fn alerts(&mut self) -> Result<Receiver<alerts::SocketConnect>, EbpfguardError> { |
330 | | - | perf_array_alerts::<ebpf_alerts::SocketConnect, alerts::SocketConnect>(&mut self.perf_array) |
331 | | - | .await |
332 | | - | } |
333 | | - | } |
334 | | - | |
335 | | - | pub async fn perf_array_alerts<E, U>( |
336 | | - | perf_array: &mut AsyncPerfEventArray<MapData>, |
337 | | - | ) -> Result<Receiver<U>, EbpfguardError> |
338 | | - | where |
339 | | - | E: ebpf_alerts::Alert, |
340 | | - | U: alerts::Alert + Debug + Send + From<E> + 'static, |
341 | | - | { |
342 | | - | let (tx, rx) = mpsc::channel(32); |
343 | | - | |
344 | | - | let cpus = online_cpus()?; |
345 | | - | for cpu_id in cpus { |
346 | | - | let tx = tx.clone(); |
347 | | - | let mut buf = perf_array.open(cpu_id, None)?; |
348 | | - | |
349 | | - | task::spawn(async move { |
350 | | - | let mut buffers = (0..10) |
351 | | - | .map(|_| BytesMut::with_capacity(1024)) |
352 | | - | .collect::<Vec<_>>(); |
353 | | - | loop { |
354 | | - | let events = buf.read_events(&mut buffers).await.unwrap(); |
355 | | - | for buf in buffers.iter_mut().take(events.read) { |
356 | | - | let alert: U = { |
357 | | - | let ptr = buf.as_ptr() as *const E; |
358 | | - | let alert = unsafe { ptr.read_unaligned() }; |
359 | | - | alert.into() |
360 | | - | }; |
361 | | - | tx.send(alert).await.unwrap(); |
362 | | - | } |
363 | | - | } |
364 | | - | }); |
365 | | - | } |
366 | | - | |
367 | | - | Ok(rx) |
368 | | - | } |
369 | | - | |