STRLCPY/ebpfguard

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/binprm.rs

1		-	use aya_bpf::helpers::bpf_get_current_task_btf;
	1	+	use aya_bpf::{
	2	+	cty::c_long,
	3	+	helpers::{bpf_get_current_task, bpf_probe_read_kernel},
	4	+	};
2	5
3	6		use crate::vmlinux::task_struct;
4	7
		skipped 4 lines
9	12		/// ```rust
10	13		/// use ebpfguard_ebpf::binprm::current_binprm_inode;
11	14		///
12		-	/// let inode = current_binprm_inode();
	15	+	/// # fn main() -> Result<(), c_long> {
	16	+	/// let inode = current_binprm_inode()?;
	17	+	/// # Ok(())
	18	+	/// # }
13	19		/// ```
14	20		#[inline(always)]
15		-	pub(crate) fn current_binprm_inode() -> u64 {
16		-	let task = unsafe { bpf_get_current_task_btf() as *mut task_struct };
17		-	unsafe { ((((task).mm).__bindgen_anon_1.exe_file).f_inode).i_ino }
	21	+	pub(crate) fn current_binprm_inode() -> Result<u64, c_long> {
	22	+	let binprm_inode = unsafe {
	23	+	let task = bpf_get_current_task() as *mut task_struct;
	24	+	let mm = bpf_probe_read_kernel(&(*task).mm)?;
	25	+	let file = bpf_probe_read_kernel(&(*mm).__bindgen_anon_1.exe_file)?;
	26	+	let f_inode = bpf_probe_read_kernel(&(*file).f_inode)?;
	27	+	bpf_probe_read_kernel(&(*f_inode).i_ino)?
	28	+	};
	29	+	Ok(binprm_inode)
18	30		}
19	31

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/bprm_check_security.rs

		skipped 6 lines
7	7		let new_binprm: *const linux_binprm = unsafe { ctx.arg(0) };
8	8		let argc = unsafe { (*new_binprm).argc };
9	9
10		-	let old_binprm_inode = current_binprm_inode();
	10	+	let old_binprm_inode = current_binprm_inode()?;
11	11
12	12		if argc < 1 {
13	13		ALERT_BPRM_CHECK_SECURITY.output(
		skipped 10 lines

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/file_open.rs

1		-	use aya_bpf::{maps::HashMap, programs::LsmContext, BpfContext};
	1	+	use aya_bpf::{cty::c_long, maps::HashMap, programs::LsmContext, BpfContext};
2	2		use ebpfguard_common::{
3	3		alerts,
4	4		consts::INODE_WILDCARD,
		skipped 26 lines
31	31		/// file_open::file_open(ctx).into()
32	32		/// }
33	33		/// ```
34		-	pub fn file_open(ctx: LsmContext) -> Action {
	34	+	pub fn file_open(ctx: LsmContext) -> Result<Action, c_long> {
35	35		let file: *const file = unsafe { ctx.arg(0) };
36	36
37		-	let binprm_inode = current_binprm_inode();
	37	+	let binprm_inode = current_binprm_inode()?;
38	38		let inode = unsafe { (((*file).f_path.dentry).d_inode).i_ino };
39	39
40	40		if let Some(paths) = unsafe { ALLOWED_FILE_OPEN.get(&INODE_WILDCARD) } {
41	41		if paths.paths[0] == 0 {
42		-	return check_conditions_and_alert(
	42	+	return Ok(check_conditions_and_alert(
43	43		&ctx,
44	44		&DENIED_FILE_OPEN,
45	45		file,
46	46		inode,
47	47		binprm_inode,
48	48		Mode::Denylist,
49		-	);
	49	+	));
50	50		}
51	51		}
52	52
53	53		if let Some(paths) = unsafe { DENIED_FILE_OPEN.get(&INODE_WILDCARD) } {
54	54		if paths.paths[0] == 0 {
55		-	return check_conditions_and_alert(
	55	+	return Ok(check_conditions_and_alert(
56	56		&ctx,
57	57		&ALLOWED_FILE_OPEN,
58	58		file,
59	59		inode,
60	60		binprm_inode,
61	61		Mode::Allowlist,
62		-	);
	62	+	));
63	63		}
64	64		}
65	65
66		-	Action::Allow
	66	+	Ok(Action::Allow)
67	67		}
68	68
69	69		#[inline(always)]
		skipped 100 lines

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/main.rs

		skipped 18 lines
19	19
20	20		#[lsm(name = "file_open")]
21	21		pub fn prog_file_open(ctx: LsmContext) -> i32 {
22		-	file_open(ctx).into()
	22	+	match file_open(ctx) {
	23	+	Ok(ret) => ret.into(),
	24	+	Err(_) => 0,
	25	+	}
23	26		}
24	27
25	28		#[lsm(name = "task_fix_setuid")]
		skipped 6 lines
32	35
33	36		#[lsm(name = "sb_mount")]
34	37		pub fn prog_sb_mount(ctx: LsmContext) -> i32 {
35		-	sb_mount(ctx).into()
	38	+	match sb_mount(ctx) {
	39	+	Ok(ret) => ret.into(),
	40	+	Err(_) => 0,
	41	+	}
36	42		}
37	43
38	44		#[lsm(name = "sb_remount")]
39	45		pub fn prog_sb_remount(ctx: LsmContext) -> i32 {
40		-	sb_remount(ctx).into()
	46	+	match sb_remount(ctx) {
	47	+	Ok(ret) => ret.into(),
	48	+	Err(_) => 0,
	49	+	}
41	50		}
42	51
43	52		#[lsm(name = "sb_umount")]
44	53		pub fn prog_sb_umount(ctx: LsmContext) -> i32 {
45		-	sb_umount(ctx).into()
	54	+	match sb_umount(ctx) {
	55	+	Ok(ret) => ret.into(),
	56	+	Err(_) => 0,
	57	+	}
46	58		}
47	59
48	60		#[lsm(name = "socket_bind")]
49	61		pub fn prog_socket_bind(ctx: LsmContext) -> i32 {
50		-	socket_bind(ctx).into()
	62	+	match socket_bind(ctx) {
	63	+	Ok(ret) => ret.into(),
	64	+	Err(_) => 0,
	65	+	}
51	66		}
52	67
53	68		#[lsm(name = "socket_connect")]
		skipped 12 lines

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/sb_mount.rs

1		-	use aya_bpf::{maps::HashMap, programs::LsmContext, BpfContext};
	1	+	use aya_bpf::{maps::HashMap, programs::LsmContext, BpfContext, cty::c_long};
2	2		use ebpfguard_common::{alerts, consts::INODE_WILDCARD};
3	3
4	4		use crate::{
		skipped 18 lines
23	23		/// sb_mount(ctx).into()
24	24		/// }
25	25		/// ```
26		-	pub fn sb_mount(ctx: LsmContext) -> Action {
27		-	let binprm_inode = current_binprm_inode();
	26	+	pub fn sb_mount(ctx: LsmContext) -> Result<Action, c_long> {
	27	+	let binprm_inode = current_binprm_inode()?;
28	28
29	29		if unsafe { ALLOWED_SB_MOUNT.get(&INODE_WILDCARD).is_some() } {
30		-	return check_conditions_and_alert(&ctx, &DENIED_SB_MOUNT, binprm_inode, Mode::Denylist);
	30	+	return Ok(check_conditions_and_alert(&ctx, &DENIED_SB_MOUNT, binprm_inode, Mode::Denylist));
31	31		}
32	32
33	33		if unsafe { DENIED_SB_MOUNT.get(&INODE_WILDCARD).is_some() } {
34		-	return check_conditions_and_alert(&ctx, &ALLOWED_SB_MOUNT, binprm_inode, Mode::Allowlist);
	34	+	return Ok(check_conditions_and_alert(&ctx, &ALLOWED_SB_MOUNT, binprm_inode, Mode::Allowlist));
35	35		}
36	36
37		-	Action::Allow
	37	+	Ok(Action::Allow)
38	38		}
39	39
40	40		#[inline(always)]
		skipped 37 lines

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/sb_remount.rs

1		-	use aya_bpf::{maps::HashMap, programs::LsmContext, BpfContext};
	1	+	use aya_bpf::{cty::c_long, maps::HashMap, programs::LsmContext, BpfContext};
2	2		use ebpfguard_common::{alerts, consts::INODE_WILDCARD};
3	3
4	4		use crate::{
		skipped 18 lines
23	23		/// sb_umount(ctx).into()
24	24		/// }
25	25		/// ```
26		-	pub fn sb_remount(ctx: LsmContext) -> Action {
27		-	let binprm_inode = current_binprm_inode();
	26	+	pub fn sb_remount(ctx: LsmContext) -> Result<Action, c_long> {
	27	+	let binprm_inode = current_binprm_inode()?;
28	28
29	29		if unsafe { ALLOWED_SB_REMOUNT.get(&INODE_WILDCARD).is_some() } {
30		-	return check_conditions_and_alert(&ctx, &DENIED_SB_REMOUNT, binprm_inode, Mode::Denylist);
	30	+	return Ok(check_conditions_and_alert(
	31	+	&ctx,
	32	+	&DENIED_SB_REMOUNT,
	33	+	binprm_inode,
	34	+	Mode::Denylist,
	35	+	));
31	36		}
32	37
33	38		if unsafe { DENIED_SB_REMOUNT.get(&INODE_WILDCARD).is_some() } {
34		-	return check_conditions_and_alert(
	39	+	return Ok(check_conditions_and_alert(
35	40		&ctx,
36	41		&ALLOWED_SB_REMOUNT,
37	42		binprm_inode,
38	43		Mode::Allowlist,
39		-	);
	44	+	));
40	45		}
41	46
42		-	Action::Allow
	47	+	Ok(Action::Allow)
43	48		}
44	49
45	50		#[inline(always)]
		skipped 37 lines

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/sb_umount.rs

1		-	use aya_bpf::{maps::HashMap, programs::LsmContext, BpfContext};
	1	+	use aya_bpf::{cty::c_long, maps::HashMap, programs::LsmContext, BpfContext};
2	2		use ebpfguard_common::{alerts, consts::INODE_WILDCARD};
3	3
4	4		use crate::{
		skipped 18 lines
23	23		/// sb_umount(ctx).into()
24	24		/// }
25	25		/// ```
26		-	pub fn sb_umount(ctx: LsmContext) -> Action {
27		-	let binprm_inode = current_binprm_inode();
	26	+	pub fn sb_umount(ctx: LsmContext) -> Result<Action, c_long> {
	27	+	let binprm_inode = current_binprm_inode()?;
28	28
29	29		if unsafe { ALLOWED_SB_UMOUNT.get(&INODE_WILDCARD).is_some() } {
30		-	return check_conditions_and_alert(&ctx, &DENIED_SB_UMOUNT, binprm_inode, Mode::Denylist);
	30	+	return Ok(check_conditions_and_alert(
	31	+	&ctx,
	32	+	&DENIED_SB_UMOUNT,
	33	+	binprm_inode,
	34	+	Mode::Denylist,
	35	+	));
31	36		}
32	37
33	38		if unsafe { DENIED_SB_UMOUNT.get(&INODE_WILDCARD).is_some() } {
34		-	return check_conditions_and_alert(&ctx, &ALLOWED_SB_UMOUNT, binprm_inode, Mode::Allowlist);
	39	+	return Ok(check_conditions_and_alert(
	40	+	&ctx,
	41	+	&ALLOWED_SB_UMOUNT,
	42	+	binprm_inode,
	43	+	Mode::Allowlist,
	44	+	));
35	45		}
36	46
37		-	Action::Allow
	47	+	Ok(Action::Allow)
38	48		}
39	49
40	50		#[inline(always)]
		skipped 37 lines

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/socket_bind.rs

1		-	use aya_bpf::{programs::LsmContext, BpfContext};
	1	+	use aya_bpf::{cty::c_long, programs::LsmContext, BpfContext};
2	2		use ebpfguard_common::{alerts, consts::INODE_WILDCARD, policy::MAX_PORTS};
3	3
4	4		use crate::{
		skipped 25 lines
30	30		/// }
31	31		/// ```
32	32		#[inline(always)]
33		-	pub fn socket_bind(ctx: LsmContext) -> Action {
	33	+	pub fn socket_bind(ctx: LsmContext) -> Result<Action, c_long> {
34	34		let sockaddr: *const sockaddr = unsafe { ctx.arg(1) };
35	35
36	36		if unsafe { (*sockaddr).sa_family } != AF_INET {
37		-	return Action::Allow;
	37	+	return Ok(Action::Allow);
38	38		}
39	39
40	40		let sockaddr_in: const sockaddr_in = sockaddr as const sockaddr_in;
41	41		let port = u16::from_be(unsafe { (*sockaddr_in).sin_port });
42	42
43	43		if port == 0 {
44		-	return Action::Allow;
	44	+	return Ok(Action::Allow);
45	45		}
46	46
47		-	let binprm_inode = current_binprm_inode();
	47	+	let binprm_inode = current_binprm_inode()?;
48	48
49	49		if let Some(ports) = unsafe { ALLOWED_SOCKET_BIND.get(&INODE_WILDCARD) } {
50	50		if ports.all() {
		skipped 4 lines
55	55		&alerts::SocketBind::new(ctx.pid(), binprm_inode, port),
56	56		0,
57	57		);
58		-	return Action::Deny;
	58	+	return Ok(Action::Deny);
59	59		}
60	60		if ports.ports[..MAX_PORTS - 1].contains(&port) {
61	61		ALERT_SOCKET_BIND.output(
		skipped 1 lines
63	63		&alerts::SocketBind::new(ctx.pid(), binprm_inode, port),
64	64		0,
65	65		);
66		-	return Action::Deny;
	66	+	return Ok(Action::Deny);
67	67		}
68	68		}
69	69
		skipped 4 lines
74	74		&alerts::SocketBind::new(ctx.pid(), binprm_inode, port),
75	75		0,
76	76		);
77		-	return Action::Deny;
	77	+	return Ok(Action::Deny);
78	78		}
79	79		if ports.ports[..MAX_PORTS - 1].contains(&port) {
80	80		ALERT_SOCKET_BIND.output(
		skipped 1 lines
82	82		&alerts::SocketBind::new(ctx.pid(), binprm_inode, port),
83	83		0,
84	84		);
85		-	return Action::Deny;
	85	+	return Ok(Action::Deny);
86	86		}
87	87		}
88	88		} else {
89	89		if ports.ports[..MAX_PORTS - 1].contains(&port) {
90		-	return Action::Allow;
	90	+	return Ok(Action::Allow);
91	91		}
92	92		}
93	93		}
		skipped 2 lines
96	96		if ports.all() {
97	97		if let Some(ports) = unsafe { ALLOWED_SOCKET_BIND.get(&INODE_WILDCARD) } {
98	98		if ports.all() {
99		-	return Action::Allow;
	99	+	return Ok(Action::Allow);
100	100		}
101	101		if ports.ports[..MAX_PORTS - 1].contains(&port) {
102		-	return Action::Allow;
	102	+	return Ok(Action::Allow);
103	103		}
104	104		}
105	105
106	106		if let Some(ports) = unsafe { ALLOWED_SOCKET_BIND.get(&binprm_inode) } {
107	107		if ports.all() {
108		-	return Action::Allow;
	108	+	return Ok(Action::Allow);
109	109		}
110	110		if ports.ports[..MAX_PORTS - 1].contains(&port) {
111		-	return Action::Allow;
	111	+	return Ok(Action::Allow);
112	112		}
113	113		}
114	114
		skipped 2 lines
117	117		&alerts::SocketBind::new(ctx.pid(), binprm_inode, port),
118	118		0,
119	119		);
120		-	return Action::Deny;
	120	+	return Ok(Action::Deny);
121	121		} else {
122	122		if ports.ports[..MAX_PORTS - 1].contains(&port) {
123	123		ALERT_SOCKET_BIND.output(
		skipped 1 lines
125	125		&alerts::SocketBind::new(ctx.pid(), binprm_inode, port),
126	126		0,
127	127		);
128		-	return Action::Deny;
	128	+	return Ok(Action::Deny);
129	129		}
130	130		}
131	131		}
132	132
133		-	Action::Allow
	133	+	Ok(Action::Allow)
134	134		}
135	135

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/socket_connect.rs

		skipped 52 lines
53	53		let sockaddr_in: const sockaddr_in = sockaddr as const sockaddr_in;
54	54		let addr = u32::from_be(unsafe { (*sockaddr_in).sin_addr.s_addr });
55	55
56		-	let binprm_inode = current_binprm_inode();
	56	+	let binprm_inode = current_binprm_inode()?;
57	57
58	58		if let Some(addrs) = unsafe { ALLOWED_SOCKET_CONNECT_V4.get(&INODE_WILDCARD) } {
59	59		if addrs.all() {
		skipped 29 lines
89	89		let sockaddr_in6: sockaddr_in6 = unsafe { bpf_probe_read_kernel(sockaddr_in6)? };
90	90		let addr = unsafe { sockaddr_in6.sin6_addr.in6_u.u6_addr8 };
91	91
92		-	let binprm_inode = current_binprm_inode();
	92	+	let binprm_inode = current_binprm_inode()?;
93	93
94	94		if let Some(addrs) = unsafe { ALLOWED_SOCKET_CONNECT_V6.get(&INODE_WILDCARD) } {
95	95		if addrs.all() {
		skipped 119 lines

■ ■ ■ ■ ■ ■

ebpfguard-ebpf/src/task_fix_setuid.rs

		skipped 34 lines
35	35		let new_uid = unsafe { (*new).uid.val };
36	36		let new_gid = unsafe { (*new).gid.val };
37	37
38		-	let binprm_inode = current_binprm_inode();
	38	+	let binprm_inode = current_binprm_inode()?;
39	39
40	40		if unsafe { ALLOWED_TASK_FIX_SETUID.get(&INODE_WILDCARD) }.is_some() {
41	41		if unsafe { DENIED_TASK_FIX_SETUID.get(&binprm_inode).is_some() } {
		skipped 39 lines

Merge pull request #38 from deepfence/bpf-get-current-task