1 | | - | //! **Guardity** is a library for managing Linux security policies. It is based on |
| 1 | + | //! **Ebpfguard** is a library for managing Linux security policies. It is based on |
2 | 2 | | //! [LSM hooks](https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html), |
3 | 3 | | //! but without necessity to write any kernel modules or eBPF programs directly. |
4 | 4 | | //! It allows to write policies in Rust (or YAML) in user space. |
| skipped 32 lines |
37 | 37 | | //! |
38 | 38 | | //! # LSM hooks |
39 | 39 | | //! |
40 | | - | //! LSM hooks supported by Guardity are: |
| 40 | + | //! LSM hooks supported by Ebpfguard are: |
41 | 41 | | //! |
42 | 42 | | //! * [`bprm_check_security`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L62) |
43 | 43 | | //! * [`file_open`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L620) |
| skipped 7 lines |
51 | 51 | | //! |
52 | 52 | | //! ### `file_open` |
53 | 53 | | //! |
54 | | - | //! The [file_open](https://github.com/deepfence/guardity/tree/main/examples/file_open) |
| 54 | + | //! The [file_open](https://github.com/deepfence/ebpfguard/tree/main/examples/file_open) |
55 | 55 | | //! example shows how to define a policy for `file_open` LSM hook as Rust code. |
56 | 56 | | //! It denies the given binary (or all processes, if none defined) from opening |
57 | 57 | | //! the given directory. |
| skipped 30 lines |
88 | 88 | | //! |
89 | 89 | | //! ### `task_fix_setuid` |
90 | 90 | | //! |
91 | | - | //! The [task_fix_setuid](https://github.com/deepfence/guardity/tree/main/examples/task_fix_setuid) |
| 91 | + | //! The [task_fix_setuid](https://github.com/deepfence/ebpfguard/tree/main/examples/task_fix_setuid) |
92 | 92 | | //! example shows how to define a policy for `task_fix_setuid` LSM hook as Rust |
93 | 93 | | //! code. It denies the `setuid` operation for all processes except for the |
94 | 94 | | //! optionally given one. |
| skipped 48 lines |
143 | 143 | | //! ``` |
144 | 144 | | //! |
145 | 145 | | //! You can apply policies from the |
146 | | - | //! [example YAML file](https://github.com/deepfence/guardity/blob/main/examples/cli/policy.yaml): |
| 146 | + | //! [example YAML file](https://github.com/deepfence/ebpfguard/blob/main/examples/cli/policy.yaml): |
147 | 147 | | //! |
148 | 148 | | //! ```bash |
149 | 149 | | //! $ cargo xtask run --example cli -- policy add --path examples/cli/policy.yaml |
| skipped 13 lines |
163 | 163 | | pub mod hooks; |
164 | 164 | | pub mod policy; |
165 | 165 | | |
166 | | - | use error::GuardityError; |
| 166 | + | use error::EbpfguardError; |
167 | 167 | | use hooks::{All, BprmCheckSecurity, FileOpen, SocketBind, SocketConnect, TaskFixSetuid}; |
168 | 168 | | use policy::inode::InodeSubjectMap; |
169 | 169 | | |
| skipped 7 lines |
177 | 177 | | /// # Example |
178 | 178 | | /// |
179 | 179 | | /// ```no_run |
180 | | - | /// use guardity::PolicyManager; |
| 180 | + | /// use ebpfguard::PolicyManager; |
181 | 181 | | /// use std::path::Path; |
182 | 182 | | /// |
183 | 183 | | /// let mut policy_manager = PolicyManager::new(Path::new("/sys/fs/bpf/mypolicies")).unwrap(); |
184 | 184 | | /// ``` |
185 | | - | pub fn new<P: AsRef<Path>>(bpf_path: P) -> Result<Self, GuardityError> { |
| 185 | + | pub fn new<P: AsRef<Path>>(bpf_path: P) -> Result<Self, EbpfguardError> { |
186 | 186 | | #[cfg(debug_assertions)] |
187 | 187 | | let bpf = BpfLoader::new() |
188 | 188 | | .map_pin_path(&bpf_path) |
189 | 189 | | .load(include_bytes_aligned!( |
190 | | - | "../../target/bpfel-unknown-none/debug/guardity" |
| 190 | + | "../../target/bpfel-unknown-none/debug/ebpfguard" |
191 | 191 | | ))?; |
192 | 192 | | #[cfg(not(debug_assertions))] |
193 | 193 | | let bpf = BpfLoader::new() |
194 | 194 | | .map_pin_path(&bpf_path) |
195 | 195 | | .load(include_bytes_aligned!( |
196 | | - | "../../target/bpfel-unknown-none/release/guardity" |
| 196 | + | "../../target/bpfel-unknown-none/release/ebpfguard" |
197 | 197 | | ))?; |
198 | 198 | | |
199 | 199 | | Ok(Self { bpf }) |
200 | 200 | | } |
201 | 201 | | |
202 | 202 | | /// Attaches and returns a handle to all LSM hooks. |
203 | | - | pub fn attach_all(&mut self) -> Result<All, GuardityError> { |
| 203 | + | pub fn attach_all(&mut self) -> Result<All, EbpfguardError> { |
204 | 204 | | let bprm_check_security = self.attach_bprm_check_security()?; |
205 | 205 | | let file_open = self.attach_file_open()?; |
206 | 206 | | let task_fix_setuid = self.attach_task_fix_setuid()?; |
| skipped 9 lines |
216 | 216 | | }) |
217 | 217 | | } |
218 | 218 | | |
219 | | - | pub fn manage_all(&mut self) -> Result<All, GuardityError> { |
| 219 | + | pub fn manage_all(&mut self) -> Result<All, EbpfguardError> { |
220 | 220 | | let bprm_check_security = self.manage_bprm_check_security()?; |
221 | 221 | | let file_open = self.manage_file_open()?; |
222 | 222 | | let task_fix_setuid = self.manage_task_fix_setuid()?; |
| skipped 9 lines |
232 | 232 | | }) |
233 | 233 | | } |
234 | 234 | | |
235 | | - | pub fn attach_bprm_check_security(&mut self) -> Result<BprmCheckSecurity, GuardityError> { |
| 235 | + | pub fn attach_bprm_check_security(&mut self) -> Result<BprmCheckSecurity, EbpfguardError> { |
236 | 236 | | let mut bprm_check_security = self.manage_bprm_check_security()?; |
237 | 237 | | let program_link = self.attach_program("bprm_check_security")?; |
238 | 238 | | bprm_check_security.program_link = Some(program_link); |
| skipped 1 lines |
240 | 240 | | Ok(bprm_check_security) |
241 | 241 | | } |
242 | 242 | | |
243 | | - | pub fn manage_bprm_check_security(&mut self) -> Result<BprmCheckSecurity, GuardityError> { |
| 243 | + | pub fn manage_bprm_check_security(&mut self) -> Result<BprmCheckSecurity, EbpfguardError> { |
244 | 244 | | let perf_array = self |
245 | 245 | | .bpf |
246 | 246 | | .take_map("ALERT_BPRM_CHECK_SECURITY") |
| skipped 6 lines |
253 | 253 | | }) |
254 | 254 | | } |
255 | 255 | | |
256 | | - | pub fn attach_file_open(&mut self) -> Result<FileOpen, GuardityError> { |
| 256 | + | pub fn attach_file_open(&mut self) -> Result<FileOpen, EbpfguardError> { |
257 | 257 | | let mut file_open = self.manage_file_open()?; |
258 | 258 | | let program_link = self.attach_program("file_open")?; |
259 | 259 | | file_open.program_link = Some(program_link); |
| skipped 1 lines |
261 | 261 | | Ok(file_open) |
262 | 262 | | } |
263 | 263 | | |
264 | | - | pub fn manage_file_open(&mut self) -> Result<FileOpen, GuardityError> { |
| 264 | + | pub fn manage_file_open(&mut self) -> Result<FileOpen, EbpfguardError> { |
265 | 265 | | let allowed_map = self.bpf.take_map("ALLOWED_FILE_OPEN").unwrap().try_into()?; |
266 | 266 | | let denied_map = self.bpf.take_map("DENIED_FILE_OPEN").unwrap().try_into()?; |
267 | 267 | | let perf_array = self.bpf.take_map("ALERT_FILE_OPEN").unwrap().try_into()?; |
| skipped 6 lines |
274 | 274 | | }) |
275 | 275 | | } |
276 | 276 | | |
277 | | - | pub fn attach_task_fix_setuid(&mut self) -> Result<TaskFixSetuid, GuardityError> { |
| 277 | + | pub fn attach_task_fix_setuid(&mut self) -> Result<TaskFixSetuid, EbpfguardError> { |
278 | 278 | | let mut task_fix_setuid = self.manage_task_fix_setuid()?; |
279 | 279 | | let program_link = self.attach_program("task_fix_setuid")?; |
280 | 280 | | task_fix_setuid.program_link = Some(program_link); |
| skipped 1 lines |
282 | 282 | | Ok(task_fix_setuid) |
283 | 283 | | } |
284 | 284 | | |
285 | | - | pub fn manage_task_fix_setuid(&mut self) -> Result<TaskFixSetuid, GuardityError> { |
| 285 | + | pub fn manage_task_fix_setuid(&mut self) -> Result<TaskFixSetuid, EbpfguardError> { |
286 | 286 | | let allowed_map = self |
287 | 287 | | .bpf |
288 | 288 | | .take_map("ALLOWED_TASK_FIX_SETUID") |
| skipped 18 lines |
307 | 307 | | }) |
308 | 308 | | } |
309 | 309 | | |
310 | | - | pub fn attach_socket_bind(&mut self) -> Result<SocketBind, GuardityError> { |
| 310 | + | pub fn attach_socket_bind(&mut self) -> Result<SocketBind, EbpfguardError> { |
311 | 311 | | let mut socket_bind = self.manage_socket_bind()?; |
312 | 312 | | let program_link = self.attach_program("socket_bind")?; |
313 | 313 | | socket_bind.program_link = Some(program_link); |
| skipped 1 lines |
315 | 315 | | Ok(socket_bind) |
316 | 316 | | } |
317 | 317 | | |
318 | | - | pub fn manage_socket_bind(&mut self) -> Result<SocketBind, GuardityError> { |
| 318 | + | pub fn manage_socket_bind(&mut self) -> Result<SocketBind, EbpfguardError> { |
319 | 319 | | let allowed_map = self |
320 | 320 | | .bpf |
321 | 321 | | .take_map("ALLOWED_SOCKET_BIND") |
| skipped 14 lines |
336 | 336 | | }) |
337 | 337 | | } |
338 | 338 | | |
339 | | - | pub fn attach_socket_connect(&mut self) -> Result<SocketConnect, GuardityError> { |
| 339 | + | pub fn attach_socket_connect(&mut self) -> Result<SocketConnect, EbpfguardError> { |
340 | 340 | | let mut socket_connect = self.manage_socket_connect()?; |
341 | 341 | | let program_link = self.attach_program("socket_connect")?; |
342 | 342 | | socket_connect.program_link = Some(program_link); |
| skipped 1 lines |
344 | 344 | | Ok(socket_connect) |
345 | 345 | | } |
346 | 346 | | |
347 | | - | pub fn manage_socket_connect(&mut self) -> Result<SocketConnect, GuardityError> { |
| 347 | + | pub fn manage_socket_connect(&mut self) -> Result<SocketConnect, EbpfguardError> { |
348 | 348 | | let allowed_map_v4 = self |
349 | 349 | | .bpf |
350 | 350 | | .take_map("ALLOWED_SOCKET_CONNECT_V4") |
| skipped 30 lines |
381 | 381 | | }) |
382 | 382 | | } |
383 | 383 | | |
384 | | - | fn attach_program(&mut self, name: &str) -> Result<LsmLink, GuardityError> { |
| 384 | + | fn attach_program(&mut self, name: &str) -> Result<LsmLink, EbpfguardError> { |
385 | 385 | | let btf = Btf::from_sys_fs()?; |
386 | 386 | | let program: &mut Lsm = self.bpf.program_mut(name).unwrap().try_into()?; |
387 | 387 | | program.load(name, &btf)?; |
| skipped 7 lines |