Skip to content

Commit

Permalink
lsm :: cgroup attachment type support
Browse files Browse the repository at this point in the history
  • Loading branch information
@altugbozkurt07
Altug Bozkurt authored and altugbozkurt07 committed Jan 14, 2025
1 parent de7e61f commit 92a61ab
Show file tree
Hide file tree
Showing 13 changed files with 399 additions and 198 deletions.
45 changes: 45 additions & 0 deletions aya-ebpf-macros/src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ mod fentry;
mod fexit;
mod kprobe;
mod lsm;
mod lsm_cgroup;
mod map;
mod perf_event;
mod raw_tracepoint;
Expand All @@ -34,6 +35,7 @@ use fentry::FEntry;
use fexit::FExit;
use kprobe::{KProbe, KProbeKind};
use lsm::Lsm;
use lsm_cgroup::LsmCgroup;
use map::Map;
use perf_event::PerfEvent;
use proc_macro::TokenStream;
Expand Down Expand Up @@ -326,6 +328,49 @@ pub fn lsm(attrs: TokenStream, item: TokenStream) -> TokenStream {
.into()
}

/// Marks a function as an LSM program that can be attached to cgroups.
/// This program will only trigger for workloads in the attached cgroups.
/// Used to implement security policy and audit logging.
///
/// The hook name is the first and only argument to the macro.
///
/// LSM probes can be attached to the kernel's security hooks to implement mandatory
/// access control policy and security auditing.
///
/// LSM probes require a kernel compiled with `CONFIG_BPF_LSM=y` and `CONFIG_DEBUG_INFO_BTF=y`.
/// In order for the probes to fire, you also need the BPF LSM to be enabled through your
/// kernel's boot paramters (like `lsm=lockdown,yama,bpf`).
///
/// # Minimum kernel version
///
/// The minimum kernel version required to use this feature is 6.0.
///
/// # Examples
///
/// ```no_run
/// use aya_ebpf::{macros::lsm_cgroup, programs::LsmContext};
///
/// #[lsm_cgroup(hook = "file_open")]
/// pub fn file_open(ctx: LsmContext) -> i32 {
/// match unsafe { try_file_open(ctx) } {
/// Ok(ret) => ret,
/// Err(ret) => ret,
/// }
/// }
///
/// unsafe fn try_file_open(_ctx: LsmContext) -> Result<i32, i32> {
/// Err(0)
/// }
/// ```
#[proc_macro_attribute]
pub fn lsm_cgroup(attrs: TokenStream, item: TokenStream) -> TokenStream {
match LsmCgroup::parse(attrs.into(), item.into()) {
Ok(prog) => prog.expand(),
Err(err) => err.into_compile_error(),
}
.into()
}

/// Marks a function as a [BTF-enabled raw tracepoint][1] eBPF program that can be attached at
/// a pre-defined kernel trace point.
///
Expand Down
97 changes: 22 additions & 75 deletions aya-ebpf-macros/src/lsm.rs
View file
Original file line number Diff line number Diff line change
@@ -1,15 +1,12 @@
use std::borrow::Cow;

use proc_macro2::TokenStream;
use quote::quote;
use syn::{ItemFn, Result};

use crate::args::{err_on_unknown_args, pop_bool_arg, pop_string_arg};

pub(crate) struct Lsm {
item: ItemFn,
hook: Option<String>,
cgroup: bool,
sleepable: bool,
}

Expand All @@ -19,64 +16,43 @@ impl Lsm {
let mut args = syn::parse2(attrs)?;
let hook = pop_string_arg(&mut args, "hook");
let sleepable = pop_bool_arg(&mut args, "sleepable");
let cgroup = pop_bool_arg(&mut args, "cgroup");
err_on_unknown_args(&args)?;

Ok(Self {
item,
hook,
cgroup,
sleepable,
})
}

pub(crate) fn expand(&self) -> TokenStream {
if self.cgroup{
let section_name = if let Some(name) = &self.hook{
format!("lsm_cgroup/{}", name)
} else {
("lsm_cgroup").to_owned()
};

let fn_name = &self.item.sig.ident;
let item = &self.item;

quote! {
#[no_mangle]
#[link_section = #section_name]
fn #fn_name(ctx: *mut ::core::ffi::c_void) -> i32 {
return #fn_name(::aya_ebpf::programs::LsmContext::new(ctx));

#item
}
}
let Self { item, hook, sleepable } = self;
let ItemFn {
attrs: _,
vis,
sig,
block: _,
} = item;
let section_prefix = if *sleepable { "lsm.s" } else { "lsm" };
let section_name: Cow<'_, _>= if let Some(name) = hook {
format!("{}/{}", section_prefix, name).into()
} else {
let section_prefix = if self.sleepable { "lsm.s" } else { "lsm" };
let section_name: Cow<'_, _> = if let Some(hook) = &self.hook {
format!("{}/{}", section_prefix, hook).into()
} else {
section_prefix.into()
};

let fn_vis = &self.item.vis;
let fn_name = self.item.sig.ident.clone();
let item = &self.item;
section_prefix.into()
};
let fn_name = &sig.ident;
// LSM probes need to return an integer corresponding to the correct
// policy decision. Therefore we do not simply default to a return value
// of 0 as in other program types.
quote! {
#[no_mangle]
#[link_section = #section_name]
#vis fn #fn_name(ctx: *mut ::core::ffi::c_void) -> i32 {
return #fn_name(::aya_ebpf::programs::LsmContext::new(ctx));

quote! {
#[no_mangle]
#[link_section = #section_name]
#fn_vis fn #fn_name(ctx: *mut ::core::ffi::c_void) -> i32 {
return #fn_name(::aya_ebpf::programs::LsmContext::new(ctx));

#item
}
#item
}
}
}

// LSM probes need to return an integer corresponding to the correct
// policy decision. Therefore we do not simply default to a return value
// of 0 as in other program types.
}

#[cfg(test)]
Expand Down Expand Up @@ -141,33 +117,4 @@ mod tests {
};
assert_eq!(expected.to_string(), expanded.to_string());
}

#[test]
fn test_lsm_cgroup() {
let prog = Lsm::parse(
parse_quote! {
hook = "bprm_committed_creds",
cgroup
},
parse_quote! {
fn bprm_committed_creds(ctx: &mut ::aya_ebpf::programs::LsmContext) -> i32 {
0
}
},
)
.unwrap();
let expanded = prog.expand();
let expected = quote! {
#[no_mangle]
#[link_section = "lsm_cgroup/bprm_committed_creds"]
fn bprm_committed_creds(ctx: *mut ::core::ffi::c_void) -> i32 {
return bprm_committed_creds(::aya_ebpf::programs::LsmContext::new(ctx));

fn bprm_committed_creds(ctx: &mut ::aya_ebpf::programs::LsmContext) -> i32 {
0
}
}
};
assert_eq!(expected.to_string(), expanded.to_string());
}
}
87 changes: 87 additions & 0 deletions aya-ebpf-macros/src/lsm_cgroup.rs
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
use std::borrow::Cow;

use proc_macro2::TokenStream;
use quote::quote;
use syn::{ItemFn, Result};

use crate::args::{err_on_unknown_args, pop_string_arg};

pub(crate) struct LsmCgroup {
item: ItemFn,
hook: Option<String>,
}

impl LsmCgroup {
pub(crate) fn parse(attrs: TokenStream, item: TokenStream) -> Result<Self> {
let item = syn::parse2(item)?;
let mut args = syn::parse2(attrs)?;
let hook = pop_string_arg(&mut args, "hook");
err_on_unknown_args(&args)?;

Ok(Self { item, hook })
}

pub(crate) fn expand(&self) -> TokenStream {
let Self { item, hook } = self;
let ItemFn {
attrs: _,
vis,
sig,
block: _,
} = item;
let section_prefix = "lsm_cgroup";
let section_name: Cow<'_, _> = if let Some(name) = hook {
format!("{}/{}", section_prefix, name).into()
} else {
section_prefix.into()
};
let fn_name = &sig.ident;
// LSM probes need to return an integer corresponding to the correct
// policy decision. Therefore we do not simply default to a return value
// of 0 as in other program types.
quote! {
#[no_mangle]
#[link_section = #section_name]
#vis fn #fn_name(ctx: *mut ::core::ffi::c_void) -> i32 {
return #fn_name(::aya_ebpf::programs::LsmContext::new(ctx));

#item
}
}
}
}

#[cfg(test)]
mod tests {
use syn::parse_quote;

use super::*;

#[test]
fn test_lsm_cgroup() {
let prog = LsmCgroup::parse(
parse_quote! {
hook = "bprm_committed_creds",
},
parse_quote! {
fn bprm_committed_creds(ctx: &mut ::aya_ebpf::programs::LsmContext) -> i32 {
0
}
},
)
.unwrap();
let expanded = prog.expand();
let expected = quote! {
#[no_mangle]
#[link_section = "lsm_cgroup/bprm_committed_creds"]
fn bprm_committed_creds(ctx: *mut ::core::ffi::c_void) -> i32 {
return bprm_committed_creds(::aya_ebpf::programs::LsmContext::new(ctx));

fn bprm_committed_creds(ctx: &mut ::aya_ebpf::programs::LsmContext) -> i32 {
0
}
}
};
assert_eq!(expected.to_string(), expanded.to_string());
}
}
25 changes: 18 additions & 7 deletions aya-obj/src/obj.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,8 @@ use crate::{
},
maps::{bpf_map_def, BtfMap, BtfMapDef, LegacyMap, Map, PinningType, MINIMUM_MAP_SIZE},
programs::{
CgroupSockAddrAttachType, CgroupSockAttachType, CgroupSockoptAttachType, LsmAttachType, XdpAttachType
CgroupSockAddrAttachType, CgroupSockAttachType, CgroupSockoptAttachType, LsmAttachType,
XdpAttachType,
},
relocation::*,
util::HashMap,
Expand Down Expand Up @@ -276,6 +277,9 @@ pub enum ProgramSection {
sleepable: bool,
attach_type: LsmAttachType,
},
LsmCgroup {
attach_type: LsmAttachType,
},
BtfTracePoint,
FEntry {
sleepable: bool,
Expand Down Expand Up @@ -435,9 +439,17 @@ impl FromStr for ProgramSection {
"lirc_mode2" => LircMode2,
"perf_event" => PerfEvent,
"raw_tp" | "raw_tracepoint" => RawTracePoint,
"lsm" => Lsm { sleepable: false, attach_type: LsmAttachType::Mac},
"lsm.s" => Lsm { sleepable: true, attach_type: LsmAttachType::Mac },
"lsm_cgroup" => Lsm { sleepable: false, attach_type: LsmAttachType::Cgroup },
"lsm" => Lsm {
sleepable: false,
attach_type: LsmAttachType::Mac,
},
"lsm.s" => Lsm {
sleepable: true,
attach_type: LsmAttachType::Mac,
},
"lsm_cgroup" => LsmCgroup {
attach_type: LsmAttachType::Cgroup,
},
"fentry" => FEntry { sleepable: false },
"fentry.s" => FEntry { sleepable: true },
"fexit" => FExit { sleepable: false },
Expand Down Expand Up @@ -2242,9 +2254,8 @@ mod tests {
assert_matches!(
obj.programs.get("foo"),
Some(Program {
section: ProgramSection::Lsm {
sleepable: false,
attach_type: LsmAttachType::Cgroup
section: ProgramSection::LsmCgroup {
attach_type: LsmAttachType::Cgroup,
},
..
})
Expand Down
4 changes: 2 additions & 2 deletions aya-obj/src/programs/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,12 @@
pub mod cgroup_sock;
pub mod cgroup_sock_addr;
pub mod cgroup_sockopt;
pub mod lsm;
mod types;
pub mod xdp;
pub mod lsm;

pub use cgroup_sock::CgroupSockAttachType;
pub use cgroup_sock_addr::CgroupSockAddrAttachType;
pub use cgroup_sockopt::CgroupSockoptAttachType;
pub use xdp::XdpAttachType;
pub use lsm::LsmAttachType;
pub use xdp::XdpAttachType;
Loading

0 comments on commit 92a61ab

Please sign in to comment.