bpfenforcer

package
Published: Feb 27, 2025 License: Apache-2.0 Imports: 16 Imported by: 0

Constants

// Limits, struct sizes, flag bits and event identifiers shared with the BPF (C)
// side. The sizes and counts mirror C definitions; changing one side without
// the other silently breaks the map value layout the kernel program reads.
const (
	// MaxTargetContainerCountForBpfLsm is the max count of target containers for BPF LSM,
	// it's equal to the OUTER_MAP_ENTRIES_MAX of BPF code.
	MaxTargetContainerCountForBpfLsm int = 100

	// MaxBpfFileRuleCount is the max rule count of the file operation primitive.
	MaxBpfFileRuleCount = 50

	// MaxBpfBprmRuleCount is the max rule count of the execution file primitive.
	MaxBpfBprmRuleCount = 50

	// MaxBpfNetworkRuleCount is the max rule count of the network access primitive.
	MaxBpfNetworkRuleCount = 50

	// MaxBpfMountRuleCount is the max rule count of the mount operation primitive.
	MaxBpfMountRuleCount = 50

	// MaxFilePathPatternLength is the max length of a path pattern,
	// it's equal to FILE_PATH_PATTERN_SIZE_MAX in BPF code.
	MaxFilePathPatternLength = 64

	// PathPatternSize is the size of `struct path_pattern` in BPF code:
	// 4 bytes plus two MaxFilePathPatternLength-byte arrays (132 bytes).
	PathPatternSize = 4 + MaxFilePathPatternLength*2

	// PathRuleSize is the size of `struct path_rule` in BPF code (two 4-byte
	// fields plus a path_pattern, 140 bytes), it's also the value size of the
	// inner map for file and execution access control.
	PathRuleSize = 4*2 + PathPatternSize

	// IpAddressSize is the size of an IP address and of a mask: 16 bytes,
	// wide enough for an IPv6 address.
	IpAddressSize = 16

	// NetRuleSize is the size of `struct net_rule` in BPF code (three 4-byte
	// fields, three 8-byte fields, an address and a mask: 68 bytes), it's
	// also the value size of the inner map for network access control.
	NetRuleSize = 4*3 + 8*3 + IpAddressSize*2

	// MaxFileSystemTypeLength is the max length of an fstype pattern,
	// it's equal to FILE_SYSTEM_TYPE_MAX in BPF code.
	MaxFileSystemTypeLength = 16

	// MountRuleSize is the size of `struct mount_rule` in BPF code (three
	// 4-byte fields, an fstype pattern and a path_pattern: 160 bytes), it's
	// also the value size of the inner map for mount access control.
	MountRuleSize = 4*3 + MaxFileSystemTypeLength + PathPatternSize

	// PinPath is the bpffs directory the maps are pinned under.
	PinPath = "/sys/fs/bpf/varmor"

	// AuditRingBufPinPath is the path the audit ringbuf is pinned at (under PinPath).
	AuditRingBufPinPath = "/sys/fs/bpf/varmor/v_audit_rb"

	// BPF enforcer running mode. Each mode is a distinct bit value;
	// NOTE(review): what each mode does (deny vs. log only) and whether the
	// modes are ever combined is not visible here — confirm in the BPF code.
	EnforceMode  = 0x00000001
	AuditMode    = 0x00000002
	ComplainMode = 0x00000004

	// Matching Flags for path patterns. They occupy bits 0x1-0x8 and do not
	// collide with the network matching flags below.
	PreciseMatch = 0x00000001
	GreedyMatch  = 0x00000002
	PrefixMatch  = 0x00000004
	SuffixMatch  = 0x00000008

	// Matching Flags for Network Rules (bits 0x20-0x200, disjoint from the
	// path matching flags, so presumably both sets can share one flag word).
	CidrMatch   = 0x00000020
	Ipv4Match   = 0x00000040
	Ipv6Match   = 0x00000080
	PortMatch   = 0x00000100
	SocketMatch = 0x00000200

	// Matching Permissions. The Aa prefix suggests AppArmor's bit assignments —
	// verify against the BPF code. NOTE: the ptrace bits reuse the values of the
	// file bits (AaPtraceTrace == AaMayWrite, AaPtraceRead == AaMayRead,
	// AaMayBeTraced == AaMayAppend), so a permission word is only meaningful
	// together with the rule/event type it belongs to; never test a file
	// permission constant against a ptrace event's Permissions or vice versa.
	AaMayExec     = 0x00000001
	AaMayWrite    = 0x00000002
	AaMayRead     = 0x00000004
	AaMayAppend   = 0x00000008
	AaPtraceTrace = 0x00000002
	AaPtraceRead  = 0x00000004
	AaMayBeTraced = 0x00000008
	AaMayBeRead   = 0x00000010
	AaMayUmount   = 0x00000200

	// EventHeaderSize is the size of the bpf audit event header; it equals the
	// byte size of BpfEventHeader (four uint32 fields plus one uint64).
	EventHeaderSize = 24

	// Event type, carried in BpfEventHeader.Type. Each value is a distinct bit.
	CapabilityType EventType = 0x00000001
	FileType       EventType = 0x00000002
	BprmType       EventType = 0x00000004
	NetworkType    EventType = 0x00000008
	PtraceType     EventType = 0x00000010
	MountType      EventType = 0x00000020

	// Event Subtype for Network Event; presumably the values of
	// BpfNetworkEvent.Type — confirm against the BPF code.
	ConnectType = 0x00000001
	SocketType  = 0x00000002
)

Types

type BpfCapabilityEvent added in v0.6.0

// BpfCapabilityEvent is the event body presumably carried in BpfEvent.Body
// for CapabilityType events.
type BpfCapabilityEvent struct {
	// Capability is the capability number involved; presumably a Linux CAP_*
	// index as seen by the LSM hook — confirm against the BPF code.
	Capability uint32
}

type BpfEnforcer

// BpfEnforcer saves BPF profiles to a cache and loads/unloads them in the
// kernel (see SaveAndApplyBpfProfile and DeleteBpfProfile). It is created
// with NewBpfEnforcer and released with Close. The channels below are the
// way callers tell it about container lifecycle; their exact protocol is
// not visible here.
type BpfEnforcer struct {
	// TaskStartCh presumably receives containers that have started and
	// should be targeted — confirm against Run.
	TaskStartCh      chan varmortypes.ContainerInfo
	// TaskDeleteCh presumably receives containers that have gone away.
	TaskDeleteCh     chan varmortypes.ContainerInfo
	// TaskDeleteSyncCh carries a bool per delete; NOTE(review): which side
	// sends and what true/false mean is not visible here — confirm.
	TaskDeleteSyncCh chan bool
	// contains filtered or unexported fields
}

func NewBpfEnforcer

func NewBpfEnforcer(log logr.Logger) (*BpfEnforcer, error)

NewBpfEnforcer creates a BpfEnforcer and initializes the BPF settings and resources.

func (*BpfEnforcer) Close added in v0.5.5

func (enforcer *BpfEnforcer) Close()

Close closes the BPF resources.

func (*BpfEnforcer) DeleteBpfProfile

func (enforcer *BpfEnforcer) DeleteBpfProfile(profileName string) error

DeleteBpfProfile unloads the BPF profile from the kernel, then deletes it from the cache.

func (*BpfEnforcer) IsBpfProfileExist

func (enforcer *BpfEnforcer) IsBpfProfileExist(profileName string) bool

func (*BpfEnforcer) Run

func (enforcer *BpfEnforcer) Run(stopCh <-chan struct{})

func (*BpfEnforcer) SaveAndApplyBpfProfile

func (enforcer *BpfEnforcer) SaveAndApplyBpfProfile(profileName string, bpfContent varmor.BpfContent) error

SaveAndApplyBpfProfile saves the BPF profile to the cache and, if the BPF profile already exists, updates it in the kernel.

type BpfEvent added in v0.6.0

// BpfEvent is one audit event: a fixed-size Header followed by a
// type-specific Body.
type BpfEvent struct {
	Header BpfEventHeader
	// Body is presumably one of BpfCapabilityEvent, BpfPathEvent,
	// BpfNetworkEvent, BpfPtraceEvent or BpfMountEvent, selected by
	// Header.Type — consumers should type-switch on it rather than assume.
	Body   interface{}
}

type BpfEventHeader added in v0.6.0

// BpfEventHeader is the fixed-size prefix of every audit event. Its fields
// total EventHeaderSize (24) bytes — four uint32 plus one uint64 — so the
// field order and types must not change; they presumably mirror the C struct
// written by the BPF program.
type BpfEventHeader struct {
	Mode  uint32    // enforcer mode; presumably EnforceMode/AuditMode/ComplainMode — confirm
	Type  EventType // which *Type event this is, and therefore which body follows
	MntNs uint32    // mount namespace of the subject task (inferred from the name)
	Tgid  uint32    // thread group id (pid) of the subject task (inferred from the name)
	Ktime uint64    // kernel timestamp; units are not visible here — confirm
}

type BpfMountEvent added in v0.6.0

// BpfMountEvent is the event body presumably carried in BpfEvent.Body for
// MountType events.
type BpfMountEvent struct {
	// DevName is the mount source in a fixed 4096-byte array; presumably
	// NUL-terminated, so trim at the first zero byte before logging or matching.
	DevName [4096]byte
	// Type is the filesystem type, MaxFileSystemTypeLength (16) bytes.
	Type    [16]byte
	// Flags are the mount flags; presumably the raw mount(2) flags — confirm.
	Flags   uint32
}

type BpfNetworkEvent added in v0.6.0

// BpfNetworkEvent is the event body presumably carried in BpfEvent.Body for
// NetworkType events.
type BpfNetworkEvent struct {
	// Type is the network subtype; presumably ConnectType or SocketType, which
	// decides whether Socket or Addr holds the relevant data — confirm.
	Type   uint32
	Socket BpfNetworkSocket
	Addr   BpfNetworkSockAddr
}

type BpfNetworkSockAddr added in v0.6.0

// BpfNetworkSockAddr is the address part of a network event. Presumably only
// one of SinAddr and Sin6Addr is meaningful, according to SaFamily.
type BpfNetworkSockAddr struct {
	SaFamily uint32   // address family (AF_INET / AF_INET6 presumed from the field names)
	SinAddr  uint32   // IPv4 address; byte order not visible here — confirm before formatting
	Sin6Addr [16]byte // IPv6 address
	Port     uint32   // port; byte order not visible here — confirm before formatting
}

type BpfNetworkSocket added in v0.6.0

// BpfNetworkSocket describes the socket of a network event. The three fields
// match the socket(2) argument names (domain, type, protocol); whether the
// values are the raw AF_*/SOCK_*/IPPROTO_* numbers is not visible here.
type BpfNetworkSocket struct {
	Domain   uint32
	Type     uint32
	Protocol uint32
}

type BpfPathEvent added in v0.6.0

// BpfPathEvent is the event body presumably carried in BpfEvent.Body for
// FileType and BprmType events.
type BpfPathEvent struct {
	// Permissions is the requested access, presumably as the file AaMay* bits
	// (AaMayExec, AaMayWrite, AaMayRead, AaMayAppend) — confirm.
	Permissions uint32
	// Path is the accessed path in a fixed 4096-byte array; presumably
	// NUL-terminated, so trim at the first zero byte before use.
	Path        [4096]byte
	// Padding presumably keeps the Go layout in step with the C struct; it
	// carries no data.
	Padding     [20]byte
}

type BpfPtraceEvent added in v0.6.0

// BpfPtraceEvent is the event body presumably carried in BpfEvent.Body for
// PtraceType events.
type BpfPtraceEvent struct {
	// Permissions is the ptrace access requested; presumably the
	// AaPtraceTrace/AaPtraceRead/AaMayBeTraced/AaMayBeRead bits. Those share
	// values with the file AaMay* bits, so interpret this word only as ptrace bits.
	Permissions uint32
	// External presumably reports whether the peer task is outside the
	// container — NOTE(review): inferred from the name, confirm in the BPF code.
	External    bool
}

type EventType added in v0.6.0

// EventType identifies the kind of audit event in BpfEventHeader.Type; its
// values are the *Type constants (CapabilityType, FileType, BprmType,
// NetworkType, PtraceType, MountType), each a distinct bit.
type EventType uint32

Audit Event
