LsmBlock action to block operations associated with LSM hook.

Signed-off-by: Andrey Fedotov <[email protected]>
cilium · Jun 30, 2024 · dcbccff · dcbccff
1 parent c603efc
commit dcbccff
Show file tree

Hide file tree

Showing 21 changed files with 207 additions and 99 deletions.
diff --git a/api/v1/README.md b/api/v1/README.md
diff --git a/api/v1/tetragon/tetragon.pb.go b/api/v1/tetragon/tetragon.pb.go
diff --git a/api/v1/tetragon/tetragon.proto b/api/v1/tetragon/tetragon.proto
@@ -466,6 +466,8 @@ enum KprobeAction {
 	KPROBE_ACTION_UNTRACKSOCK = 12;
     // NotifyEnforcer action notifies killer sensor.
 	KPROBE_ACTION_NOTIFYENFORCER = 13;
+    // LsmBlock action blocks the operation associated with LSM hook.
+	KPROBE_ACTION_LSMBLOCK = 14;
 }
 
 message ProcessKprobe {

diff --git a/bpf/process/bpf_generic_lsm.c b/bpf/process/bpf_generic_lsm.c
@@ -50,6 +50,14 @@ struct {
 	__type(value, struct event_config);
 } config_map SEC(".maps");
 
+// TODO: Consider to use BPF_MAP_TYPE_BLOOM_FILTER
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 32768);
+	__type(key, __u64);
+	__type(value, bool);
+} lsm_block_map SEC(".maps");
+
 #ifdef __LARGE_BPF_PROG
 struct {
 	__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
@@ -66,6 +74,7 @@ static struct generic_maps maps = {
 	.heap = (struct bpf_map_def *)&process_call_heap,
 	.calls = (struct bpf_map_def *)&lsm_calls,
 	.filter = (struct bpf_map_def *)&filter_map,
+	.lsm_block = (struct bpf_map_def *)&lsm_block_map,
 };
 
 FUNC_INLINE int
@@ -172,5 +181,15 @@ generic_lsm_actions(void *ctx)
 __attribute__((section("lsm/5"), used)) int
 generic_lsm_output(void *ctx)
 {
-	return generic_output(ctx, (struct bpf_map_def *)&process_call_heap, MSG_OP_GENERIC_LSM);
+	__u64 id = get_current_pid_tgid();
+	bool *block;
+
+	generic_output(ctx, (struct bpf_map_def *)&process_call_heap, MSG_OP_GENERIC_LSM);
+
+	block = map_lookup_elem(&lsm_block_map, &id);
+	if (!block)
+		return 0;
+
+	map_delete_elem(&lsm_block_map, &id);
+	return -1;
 }
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
@@ -108,6 +108,7 @@ enum {
 	ACTION_TRACKSOCK = 10,
 	ACTION_UNTRACKSOCK = 11,
 	ACTION_NOTIFY_KILLER = 12,
+	ACTION_LSM_BLOCK = 13,
 };
 
 enum {
@@ -128,6 +129,7 @@ struct generic_maps {
 	struct bpf_map_def *config;
 	struct bpf_map_def *filter;
 	struct bpf_map_def *override;
+	struct bpf_map_def *lsm_block;
 };
 
 struct selector_action {
@@ -2131,6 +2133,7 @@ do_action(void *ctx, __u32 i, struct selector_action *actions,
 	int socki;
 	int err = 0;
 	int zero = 0;
+	bool block = true;
 	__u64 id;
 
 	e = map_lookup_elem(maps->heap, &zero);
@@ -2219,6 +2222,10 @@ do_action(void *ctx, __u32 i, struct selector_action *actions,
 		signal = actions->act[++i];
 		do_action_notify_enforcer(error, signal);
 		break;
+	case ACTION_LSM_BLOCK:
+		id = get_current_pid_tgid();
+		map_update_elem(maps->lsm_block, &id, &block, BPF_ANY);
+		break;
 	default:
 		break;
 	}

diff --git a/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go b/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.pb.go
diff --git a/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto b/...thooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto
diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md