Add the LSM BPF sample code, and enhance the README.md documentation.
Signed-off-by: DavadDi <[email protected]>
Showing
5 changed files
with
100 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,5 +11,6 @@ | |
/tc | ||
/ksyscall | ||
/task_iter | ||
/lsm | ||
/cmake-build-debug/ | ||
/cmake-build-release/ |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
#include "vmlinux.h" | ||
#include <bpf/bpf_helpers.h> | ||
#include <bpf/bpf_tracing.h> | ||
|
||
char LICENSE[] SEC("license") = "GPL"; | ||
|
||
#define EPERM 1 | ||
|
||
SEC("lsm/bpf") | ||
int BPF_PROG(lsm_bpf, int cmd, union bpf_attr *attr, unsigned int size, int ret) | ||
{ | ||
/* ret is the return value from the previous BPF program | ||
* or 0 if it's the first hook. | ||
*/ | ||
if (ret != 0) | ||
return ret; | ||
|
||
bpf_printk("LSM: block bpf() worked"); | ||
return -EPERM; | ||
} |
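Review bot: The `lsm_bpf` handler returns `-EPERM` for every call that reaches it with `ret == 0` and never looks at `cmd`, `attr` or the calling task, so while the program is attached the denial applies to every `bpf()` caller on the host rather than to a test process only. That scope should be stated in a comment above `SEC("lsm/bpf")`, for example `/* Demo only: denies every bpf() syscall system-wide while attached; unrelated BPF users will see EPERM. */`. The `bpf_printk` call runs on each denied syscall and writes to the shared trace buffer, so it deserves a short comment marking it as debug output that should not be copied into a real policy. A one-line comment on `#define EPERM 1` explaining why it is defined locally (presumably because `vmlinux.h` carries no errno macros) would also help readers.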
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) | ||
/* Copyright (c) 2024 David Di */ | ||
#include <stdio.h> | ||
#include <unistd.h> | ||
#include <sys/resource.h> | ||
#include <bpf/libbpf.h> | ||
#include "lsm.skel.h" | ||
|
||
/* Notice: Ensure your kernel version is 5.7 or higher, BTF (BPF Type Format) is enabled, | ||
* and the file '/sys/kernel/security/lsm' includes 'bpf'. | ||
*/ | ||
static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args) | ||
{ | ||
return vfprintf(stderr, format, args); | ||
} | ||
|
||
int main(int argc, char **argv) | ||
{ | ||
struct lsm_bpf *skel; | ||
int err; | ||
|
||
/* Set up libbpf errors and debug info callback */ | ||
libbpf_set_print(libbpf_print_fn); | ||
|
||
/* Open, load, and verify BPF application */ | ||
skel = lsm_bpf__open_and_load(); | ||
if (!skel) { | ||
fprintf(stderr, "Failed to open and load BPF skeleton\n"); | ||
goto cleanup; | ||
} | ||
|
||
/* Attach lsm handler */ | ||
err = lsm_bpf__attach(skel); | ||
if (err) { | ||
fprintf(stderr, "Failed to attach BPF skeleton\n"); | ||
goto cleanup; | ||
} | ||
|
||
printf("Successfully started! Please run `sudo cat /sys/kernel/debug/tracing/trace_pipe` " | ||
"to see output of the BPF programs.\n"); | ||
|
||
for (;;) { | ||
/* trigger our BPF program */ | ||
fprintf(stderr, "."); | ||
sleep(1); | ||
} | ||
|
||
cleanup: | ||
lsm_bpf__destroy(skel); | ||
return -err; | ||
} |
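Review bot: `err` is read uninitialized at `return -err;` when `lsm_bpf__open_and_load()` fails, because the `!skel` branch jumps to `cleanup` before `err` has been assigned, which leaves the exit status undefined. Declare it as `int err = 0;` and set `err = -1;` in the `!skel` branch before the `goto`, so a failed load exits with a defined non-zero status. The loop comment `/* trigger our BPF program */` does not match the code, since `fprintf(stderr, ".")` makes no `bpf()` call and so would not reach the `lsm/bpf` hook. Something like `/* keep the process alive so the LSM program stays attached */` describes what the loop appears to be for.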