lsm-nobpf: Check for presence of BPF LSM before loading

If the BPF LSM is compiled in (CONFIG_BPF_LSM=y) but not enabled in the
running kernel, loading and attaching the BPF program will succeed, but the
program will never be invoked. Detect this case up front and abort with an
explanatory error rather than silently not working.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Toke Høiland-Jørgensen
2020-10-12 16:48:22 +02:00
parent 54259af20a
commit 40706ad9fa
2 changed files with 38 additions and 4 deletions


@ -17,4 +17,6 @@ mountpoint (or protecting it in some other way) serves as a way to make this
permanent. Alternatively, the userspace program can keep running and hold on to permanent. Alternatively, the userspace program can keep running and hold on to
the link FD to prevent detachment. the link FD to prevent detachment.
To use, just compile and run =./lsm-nobpf= as root. To use, just compile and run =./lsm-nobpf= as root. Note that you need to build
the BPF LSM (CONFIG_BPF_LSM=y) *and* enable it in the running kernel (include
'bpf' in =CONFIG_LSM= at compile time, or by the =lsm= kernel parameter at boot).


@ -1,16 +1,48 @@
#include <bpf/libbpf.h> #include <bpf/libbpf.h>
#include <unistd.h> #include <unistd.h>
#include <errno.h> #include <errno.h>
#include <string.h>
#include <sys/stat.h>
#include <fcntl.h>
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
struct bpf_object *obj = NULL;
struct bpf_link *link = NULL; struct bpf_link *link = NULL;
struct bpf_program *prog; struct bpf_program *prog;
struct bpf_object *obj; int err = 0, fd;
char buf[100]; char buf[100];
int err = 0; ssize_t len;
char *c;
obj = bpf_object__open_file("lsm-nobpf-kern.o", NULL); fd = open("/sys/kernel/security/lsm", O_RDONLY);
if (fd < 0) {
err = -errno;
printf("Error opening /sys/kernel/security/lsm ('%s') - securityfs "
"not mounted?\n",
strerror(-err));
goto out;
}
len = read(fd, buf, sizeof(buf));
if (len == -1) {
err = -errno;
printf("Error reading /sys/kernel/security/lsm: %s\n",
strerror(-err));
close(fd);
goto out;
}
close(fd);
buf[sizeof(buf)-1] = '\0';
c = strstr(buf, "bpf");
if (!c) {
printf("BPF LSM not loaded - make sure CONFIG_LSM or lsm kernel "
"param includes 'bpf'!\n");
err = -EINVAL;
goto out;
}
obj = bpf_object__open_file("lsm-nobpf-kern.o", NULL);
err = libbpf_get_error(obj); err = libbpf_get_error(obj);
if (err) { if (err) {
libbpf_strerror(err, buf, sizeof(buf)); libbpf_strerror(err, buf, sizeof(buf));