40706ad9fa
If the BPF LSM is compiled-in but not enabled, the loading of the BPF program will succeed, but it won't actually do anything. Detect this and abort rather than silently not working. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
BPF security module to disable BPF
This module demonstrates how to write a BPF security module that will attach to the bpf LSM hook and disable any further use of the bpf() syscall.
This works by just attaching to the 'bpf' LSM hook, which will be called on every bpf() syscall, and returning -EACCES. To have the attachment stick around, we need to pin the bpf_link of the attachment of the BPF program itself, so we use a global variable to allow a single BPF_OBJ_PIN operation after the program is attached.
The example userspace program pins the attachment at /sys/fs/bpf/lsm-nobpf, so
removing this file serves as a way to re-enable the syscall. Hiding this
mountpoint (or protecting it in some other way) serves as a way to make this
permanent. Alternatively, the userspace program can keep running and hold on to
the link FD to prevent detachment.
To use, just compile and run ./lsm-nobpf as root. Note that you need to build
the BPF LSM (CONFIG_BPF_LSM=y) and enable it in the running kernel (include
'bpf' in CONFIG_LSM at compile time, or by the lsm kernel parameter at boot).