bpfenforcer

package
v0.0.0-...-2eae8ef Latest Latest
Published: Feb 19, 2025 License: GPL-2.0 Imports: 16 Imported by: 0

Documentation


Constants

// BPF_F_INNER_MAP mirrors the kernel's BPF_F_INNER_MAP map flag (1 << 12).
const BPF_F_INNER_MAP = 0x1000

// Upper bounds on the number of rules a single policy primitive may carry.
const (
	MaxBpfFileRuleCount    = 50
	MaxBpfBprmRuleCount    = 50
	MaxBpfNetworkRuleCount = 50
	MaxBpfMountRuleCount   = 50
)

// Sizes of the rule structures shared with the BPF programs. Each *Size
// constant is written out term by term so it can be compared against the
// corresponding C struct definition.
const (
	// MaxFilePathPatternLength is the max length of a path pattern; it equals
	// FILE_PATH_PATTERN_SIZE_MAX in the BPF code.
	MaxFilePathPatternLength = 64

	// PathPatternSize is sizeof(struct path_pattern) in the BPF code:
	// 4 bytes plus twice the pattern length.
	PathPatternSize = 4 + MaxFilePathPatternLength*2

	// PathRuleSize is sizeof(struct path_rule) in the BPF code and the value
	// size of the inner maps used for file and execution access control.
	PathRuleSize = 4*2 + PathPatternSize

	// IpAddressSize is the size in bytes of an IP address and of its mask.
	IpAddressSize = 16

	// NetRuleSize is sizeof(struct net_rule) in the BPF code and the value
	// size of the inner map used for network access control.
	NetRuleSize = 4*3 + 8*3 + IpAddressSize*2

	// MaxFileSystemTypeLength is the max length of an fstype pattern; it
	// equals FILE_SYSTEM_TYPE_MAX in the BPF code.
	MaxFileSystemTypeLength = 16

	// MountRuleSize is sizeof(struct mount_rule) in the BPF code and the value
	// size of the inner map used for mount access control.
	MountRuleSize = 4*3 + MaxFileSystemTypeLength + PathPatternSize
)

// Running modes of the BPF enforcer.
const (
	EnforceMode  = 1 << iota // 0x1
	AuditMode                // 0x2
	ComplainMode             // 0x4
)

// Matching flags. The low four bits describe how a path pattern is matched;
// the bits from CidrMatch upward are used by network rules only. Bit 4
// (0x10) is unassigned, so it is skipped here to keep the values unchanged.
const (
	PreciseMatch = 1 << iota // 0x001
	GreedyMatch              // 0x002
	PrefixMatch              // 0x004
	SuffixMatch              // 0x008
	_                        // 0x010 unassigned
	CidrMatch                // 0x020
	Ipv4Match                // 0x040
	Ipv6Match                // 0x080
	PortMatch                // 0x100
	SocketMatch              // 0x200
)

// Matching permissions. The values appear to follow AppArmor's AA_MAY_* /
// AA_PTRACE_* bit layout, in which the ptrace permissions reuse the bit values
// of the write/read/append file permissions; which set applies presumably
// depends on the event type — confirm against the BPF side before relying on
// a bit value alone.
const (
	AaMayExec     = 0x00000001
	AaMayWrite    = 0x00000002
	AaMayRead     = 0x00000004
	AaMayAppend   = 0x00000008
	AaPtraceTrace = 0x00000002 // same bit as AaMayWrite
	AaPtraceRead  = 0x00000004 // same bit as AaMayRead
	AaMayBeTraced = 0x00000008 // same bit as AaMayAppend
	AaMayBeRead   = 0x00000010
	AaMayUmount   = 0x00000200
)

// Event types.
const (
	CapabilityType = 1 << iota // 0x01
	FileType                   // 0x02
	BprmType                   // 0x04
	NetworkType                // 0x08
	PtraceType                 // 0x10
	MountType                  // 0x20
)

// Event subtypes for network events.
const (
	ConnectType = 1 << iota // 0x1
	SocketType              // 0x2
)

// EventHeaderSize is the size in bytes of a BPF audit event header.
const EventHeaderSize = 24

// Pin locations under bpffs.
const (
	// PinPath is the directory the maps are pinned to.
	PinPath = "/sys/fs/bpf/varmor"

	// AuditRingBufPinPath is where the audit ring buffer is pinned.
	AuditRingBufPinPath = "/sys/fs/bpf/varmor/v_audit_rb"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type BpfEnforcer

type BpfEnforcer struct {
	// contains filtered or unexported fields
}

func NewBpfEnforcer

func NewBpfEnforcer(log logr.Logger) *BpfEnforcer

func (*BpfEnforcer) ClearBprmMap

func (enforcer *BpfEnforcer) ClearBprmMap(mntNsID uint32) error

func (*BpfEnforcer) ClearCapableMap

func (enforcer *BpfEnforcer) ClearCapableMap(mntNsID uint32) error

func (*BpfEnforcer) ClearFileMap

func (enforcer *BpfEnforcer) ClearFileMap(mntNsID uint32) error

func (*BpfEnforcer) ClearMountMap

func (enforcer *BpfEnforcer) ClearMountMap(mntNsID uint32) error

func (*BpfEnforcer) ClearNetMap

func (enforcer *BpfEnforcer) ClearNetMap(mntNsID uint32) error

func (*BpfEnforcer) ClearPtraceMap

func (enforcer *BpfEnforcer) ClearPtraceMap(mntNsID uint32) error

func (*BpfEnforcer) InitEBPF

func (enforcer *BpfEnforcer) InitEBPF() error

func (*BpfEnforcer) LoadMap

func (enforcer *BpfEnforcer) LoadMap() (ringbufMap *ebpf.Map, err error)

func (*BpfEnforcer) ReadFromAuditEventRingBuf

func (enforcer *BpfEnforcer) ReadFromAuditEventRingBuf(ringbufMap *ebpf.Map) error

func (*BpfEnforcer) RemoveEBPF

func (enforcer *BpfEnforcer) RemoveEBPF() error

func (*BpfEnforcer) SetBprmMap

func (enforcer *BpfEnforcer) SetBprmMap(mntNsID uint32, pathRule *bpfPathRule) error

func (*BpfEnforcer) SetCapableMap

func (enforcer *BpfEnforcer) SetCapableMap(mntNsID uint32, capabilityRule *bpfCapabilityRule) error

func (*BpfEnforcer) SetFileMap

func (enforcer *BpfEnforcer) SetFileMap(mntNsID uint32, pathRule *bpfPathRule) error

func (*BpfEnforcer) SetMountMap

func (enforcer *BpfEnforcer) SetMountMap(mntNsID uint32, mountRule *bpfMountRule) error

func (*BpfEnforcer) SetNetMap

func (enforcer *BpfEnforcer) SetNetMap(mntNsID uint32, networkRules []bpfNetworkRule) error

func (*BpfEnforcer) SetPtraceMap

func (enforcer *BpfEnforcer) SetPtraceMap(mntNsID uint32, ptraceRule *bpfPtraceRule) error

func (*BpfEnforcer) StartEnforcing

func (enforcer *BpfEnforcer) StartEnforcing() error

func (*BpfEnforcer) StopEnforcing

func (enforcer *BpfEnforcer) StopEnforcing()
