mirror/xdp-project-bpf-examples
1
0
Fork 0
mirror of https://github.com/xdp-project/bpf-examples.git synced 2024-05-06 15:54:53 +00:00
Code Issues Projects Releases Wiki Activity
Files
54259af20af9b11148648933eae0d0f73c4da69c
xdp-project-bpf-examples/lsm-nobpf/README.org

21 lines
933 B
Org Mode
Raw Normal View History

Add bpf-nolsm example for disabling bpf() Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2020-10-12 13:37:54 +02:00
#+OPTIONS: ^:nil
* BPF security module to disable BPF
This module demonstrates how to write a BPF security module that will attach to
the bpf LSM hook and disable any further use of the bpf() syscall.
This works by just attaching to the 'bpf' LSM hook, which will be called on
every bpf() syscall, and returning -EACCES. To have the attachment stick
around, we need to pin the bpf_link of the attachment of the BPF program itself,
so we use a global variable to allow a single BPF_OBJ_PIN operation after the
program is attached.
The example userspace program pins the attachment at =/sys/fs/bpf/lsm-nobpf=, so
removing this file serves as a way to re-enable the syscall. Hiding this
mountpoint (or protecting it in some other way) serves as a way to make this
permanent. Alternatively, the userspace program can keep running and hold on to
the link FD to prevent detachment.
To use, just compile and run =./lsm-nobpf= as root.
Reference in New Issue Copy Permalink