Documentation
Index ¶
- Constants
- type BpfEnforcer
- func (enforcer *BpfEnforcer) ClearBprmMap(mntNsID uint32) error
- func (enforcer *BpfEnforcer) ClearCapableMap(mntNsID uint32) error
- func (enforcer *BpfEnforcer) ClearFileMap(mntNsID uint32) error
- func (enforcer *BpfEnforcer) ClearMountMap(mntNsID uint32) error
- func (enforcer *BpfEnforcer) ClearNetMap(mntNsID uint32) error
- func (enforcer *BpfEnforcer) ClearPtraceMap(mntNsID uint32) error
- func (enforcer *BpfEnforcer) InitEBPF() error
- func (enforcer *BpfEnforcer) LoadMap() (ringbufMap *ebpf.Map, err error)
- func (enforcer *BpfEnforcer) ReadFromAuditEventRingBuf(ringbufMap *ebpf.Map) error
- func (enforcer *BpfEnforcer) RemoveEBPF() error
- func (enforcer *BpfEnforcer) SetBprmMap(mntNsID uint32, pathRule *bpfPathRule) error
- func (enforcer *BpfEnforcer) SetCapableMap(mntNsID uint32, capabilityRule *bpfCapabilityRule) error
- func (enforcer *BpfEnforcer) SetFileMap(mntNsID uint32, pathRule *bpfPathRule) error
- func (enforcer *BpfEnforcer) SetMountMap(mntNsID uint32, mountRule *bpfMountRule) error
- func (enforcer *BpfEnforcer) SetNetMap(mntNsID uint32, networkRules []bpfNetworkRule) error
- func (enforcer *BpfEnforcer) SetPtraceMap(mntNsID uint32, ptraceRule *bpfPtraceRule) error
- func (enforcer *BpfEnforcer) StartEnforcing() error
- func (enforcer *BpfEnforcer) StopEnforcing()
Constants ¶
// BPF_F_INNER_MAP keeps the kernel's spelling of the map-creation flag it
// mirrors; the value must match the kernel UAPI definition.
const BPF_F_INNER_MAP = 0x1000

// Upper bounds on how many rules one policy primitive may carry.
const (
	MaxBpfFileRuleCount    = 50
	MaxBpfBprmRuleCount    = 50
	MaxBpfNetworkRuleCount = 50
	MaxBpfMountRuleCount   = 50
)

// Sizes of the structures shared with the BPF programs. They double as the
// value sizes of the inner maps, so each one has to stay in lock-step with the
// corresponding definition on the BPF side.
const (
	// MaxFilePathPatternLength mirrors FILE_PATH_PATTERN_SIZE_MAX in the BPF code.
	MaxFilePathPatternLength = 64
	// PathPatternSize is the size of `struct path_pattern`: 4 bytes plus twice
	// MaxFilePathPatternLength.
	PathPatternSize = 4 + 2*MaxFilePathPatternLength
	// PathRuleSize is the size of `struct path_rule`, the value size of the
	// inner maps for file and execution access control.
	PathRuleSize = 2*4 + PathPatternSize
	// IpAddressSize is the byte length of an IP address and of its mask.
	IpAddressSize = 16
	// NetRuleSize is the size of `struct net_rule`, the value size of the
	// inner map for network access control.
	NetRuleSize = 3*4 + 3*8 + 2*IpAddressSize
	// MaxFileSystemTypeLength mirrors FILE_SYSTEM_TYPE_MAX in the BPF code.
	MaxFileSystemTypeLength = 16
	// MountRuleSize is the size of `struct mount_rule`, the value size of the
	// inner map for mount access control.
	MountRuleSize = 3*4 + MaxFileSystemTypeLength + PathPatternSize
)

// Running modes of the BPF enforcer. Each mode occupies its own bit.
const (
	EnforceMode  = 0x00000001
	AuditMode    = 0x00000002
	ComplainMode = 0x00000004
)

// Matching flags. The low four bits describe how a path pattern is matched;
// the network-specific flags start at 0x20 (0x10 is not used here).
const (
	PreciseMatch = 0x00000001
	GreedyMatch  = 0x00000002
	PrefixMatch  = 0x00000004
	SuffixMatch  = 0x00000008

	CidrMatch   = 0x00000020
	Ipv4Match   = 0x00000040
	Ipv6Match   = 0x00000080
	PortMatch   = 0x00000100
	SocketMatch = 0x00000200
)

// Permission bits. The Aa prefix follows the AppArmor naming the values are
// taken from; note that the file bits and the ptrace bits share values, so a
// bit is only meaningful together with the event type it was reported with.
const (
	AaMayExec   = 0x00000001
	AaMayWrite  = 0x00000002
	AaMayRead   = 0x00000004
	AaMayAppend = 0x00000008

	AaPtraceTrace = 0x00000002
	AaPtraceRead  = 0x00000004
	AaMayBeTraced = 0x00000008
	AaMayBeRead   = 0x00000010

	AaMayUmount = 0x00000200
)

// Audit event types, one bit per hook family.
const (
	CapabilityType = 0x00000001
	FileType       = 0x00000002
	BprmType       = 0x00000004
	NetworkType    = 0x00000008
	PtraceType     = 0x00000010
	MountType      = 0x00000020
)

// Subtypes carried by network events.
const (
	ConnectType = 0x00000001
	SocketType  = 0x00000002
)

// EventHeaderSize is the byte length of the header that precedes every BPF
// audit event in the ring buffer.
const EventHeaderSize = 24

// Pinning locations on bpffs.
const (
	// PinPath is the directory under which the enforcer pins its maps.
	PinPath = "/sys/fs/bpf/varmor"
	// AuditRingBufPinPath is where the audit ring buffer is pinned.
	AuditRingBufPinPath = "/sys/fs/bpf/varmor/v_audit_rb"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BpfEnforcer ¶
type BpfEnforcer struct {
// contains filtered or unexported fields
}
func NewBpfEnforcer ¶
func NewBpfEnforcer(log logr.Logger) *BpfEnforcer
func (*BpfEnforcer) ClearBprmMap ¶
func (enforcer *BpfEnforcer) ClearBprmMap(mntNsID uint32) error
func (*BpfEnforcer) ClearCapableMap ¶
func (enforcer *BpfEnforcer) ClearCapableMap(mntNsID uint32) error
func (*BpfEnforcer) ClearFileMap ¶
func (enforcer *BpfEnforcer) ClearFileMap(mntNsID uint32) error
func (*BpfEnforcer) ClearMountMap ¶
func (enforcer *BpfEnforcer) ClearMountMap(mntNsID uint32) error
func (*BpfEnforcer) ClearNetMap ¶
func (enforcer *BpfEnforcer) ClearNetMap(mntNsID uint32) error
func (*BpfEnforcer) ClearPtraceMap ¶
func (enforcer *BpfEnforcer) ClearPtraceMap(mntNsID uint32) error
func (*BpfEnforcer) InitEBPF ¶
func (enforcer *BpfEnforcer) InitEBPF() error
func (*BpfEnforcer) LoadMap ¶
func (enforcer *BpfEnforcer) LoadMap() (ringbufMap *ebpf.Map, err error)
func (*BpfEnforcer) ReadFromAuditEventRingBuf ¶
func (enforcer *BpfEnforcer) ReadFromAuditEventRingBuf(ringbufMap *ebpf.Map) error
func (*BpfEnforcer) RemoveEBPF ¶
func (enforcer *BpfEnforcer) RemoveEBPF() error
func (*BpfEnforcer) SetBprmMap ¶
func (enforcer *BpfEnforcer) SetBprmMap(mntNsID uint32, pathRule *bpfPathRule) error
func (*BpfEnforcer) SetCapableMap ¶
func (enforcer *BpfEnforcer) SetCapableMap(mntNsID uint32, capabilityRule *bpfCapabilityRule) error
func (*BpfEnforcer) SetFileMap ¶
func (enforcer *BpfEnforcer) SetFileMap(mntNsID uint32, pathRule *bpfPathRule) error
func (*BpfEnforcer) SetMountMap ¶
func (enforcer *BpfEnforcer) SetMountMap(mntNsID uint32, mountRule *bpfMountRule) error
func (*BpfEnforcer) SetNetMap ¶
func (enforcer *BpfEnforcer) SetNetMap(mntNsID uint32, networkRules []bpfNetworkRule) error
func (*BpfEnforcer) SetPtraceMap ¶
func (enforcer *BpfEnforcer) SetPtraceMap(mntNsID uint32, ptraceRule *bpfPtraceRule) error
func (*BpfEnforcer) StartEnforcing ¶
func (enforcer *BpfEnforcer) StartEnforcing() error
func (*BpfEnforcer) StopEnforcing ¶
func (enforcer *BpfEnforcer) StopEnforcing()