| skipped 48 lines |
49 | 49 | | //! |
50 | 50 | | //! ## Defining single policies |
51 | 51 | | //! |
| 52 | + | //! ### `file_open` |
| 53 | + | //! |
52 | 54 | | //! The [file_open](https://github.com/deepfence/guardity/tree/main/examples/file_open) |
53 | 55 | | //! example shows how to define a policy for `file_open` LSM hook as Rust code. |
54 | 56 | | //! It denies the given binary (or all processes, if none defined) from opening |
| skipped 29 lines |
84 | 86 | | //! [2023-04-22T20:51:03Z INFO file_open] file_open: pid=3010 subject=980298 path=9633 |
85 | 87 | | //! ``` |
86 | 88 | | //! |
| 89 | + | //! ### `task_fix_setuid` |
| 90 | + | //! |
| 91 | + | //! The [task_fix_setuid](https://github.com/deepfence/guardity/tree/main/examples/task_fix_setuid) |
| 92 | + | //! example shows how to define a policy for `task_fix_setuid` LSM hook as Rust |
| 93 | + | //! code. It denies the `setuid` operation for all processes except for the |
| 94 | + | //! optionally given one. |
| 95 | + | //! |
| 96 | + | //! To try it out, run our example policy program, first without providing any |
| 97 | + | //! binary to allow `setuid` for (so it's denied for all processes): |
| 98 | + | //! |
| 99 | + | //! ```bash |
| 100 | + | //! $ RUST_LOG=info cargo xtask run --example task_fix_setuid |
| 101 | + | //! ``` |
| 102 | + | //! |
| 103 | + | //! Then try to use `sudo`. It should fail with the following error: |
| 104 | + | //! |
| 105 | + | //! ```bash |
| 106 | + | //! sudo -i |
| 107 | + | //! sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted |
| 108 | + | //! sudo: error initializing audit plugin sudoers_audit |
| 109 | + | //! ``` |
| 110 | + | //! |
| 111 | + | //! And the policy program should show log like: |
| 112 | + | //! |
| 113 | + | //! ```bash |
| 114 | + | //! [2023-04-23T15:15:00Z INFO task_fix_setuid] file_open: pid=25604 subject=674642 old_uid=1000 old_gid=1000 new_uid=0 new_gid=1000 |
| 115 | + | //! ``` |
| 116 | + | //! |
| 117 | + | //! Now, let's try to allow `setuid` for a specific binary. Let's use `sudo`: |
| 118 | + | //! |
| 119 | + | //! ```bash |
| 120 | + | //! $ RUST_LOG=info cargo xtask run --example task_fix_setuid -- --allow /usr/bin/sudo |
| 121 | + | //! ``` |
| 122 | + | //! |
| 123 | + | //! Then try to use `sudo` again. It should work this time: |
| 124 | + | //! |
| 125 | + | //! ```bash |
| 126 | + | //! $ sudo -i |
| 127 | + | //! # whoami |
| 128 | + | //! root |
| 129 | + | //! ``` |
| 130 | + | //! |
87 | 131 | | //! ## Daemon with CLI and YAML engine |
88 | 132 | | //! |
89 | 133 | | //! Run the daemon with: |
| skipped 22 lines |
112 | 156 | | programs::{lsm::LsmLink, Lsm}, |
113 | 157 | | Bpf, BpfLoader, Btf, |
114 | 158 | | }; |
115 | | - | use hooks::{All, BprmCheckSecurity, FileOpen, SocketBind, SocketConnect, TaskFixSetuid}; |
116 | | - | use policy::inode::InodeSubjectMap; |
117 | 159 | | |
118 | 160 | | pub mod alerts; |
119 | 161 | | pub mod error; |
120 | 162 | | pub mod fs; |
121 | 163 | | pub mod hooks; |
122 | 164 | | pub mod policy; |
| 165 | + | |
| 166 | + | use hooks::{All, BprmCheckSecurity, FileOpen, SocketBind, SocketConnect, TaskFixSetuid}; |
| 167 | + | use policy::inode::InodeSubjectMap; |
123 | 168 | | |
124 | 169 | | pub struct PolicyManager { |
125 | 170 | | bpf: Bpf, |
| skipped 223 lines |