diff --git a/etc/ebpf/common/src/lib.rs b/etc/ebpf/common/src/lib.rs
index ad8e1a238..99520b122 100644
--- a/etc/ebpf/common/src/lib.rs
+++ b/etc/ebpf/common/src/lib.rs
@@ -1,7 +1,7 @@
 #![no_std]
 pub const MAX_DEVICES: usize = 2;
-pub const MAX_FILE_RULES: usize = 5;
+pub const MAX_FILE_RULES: usize = 20;
 #[derive(Clone, Copy, Eq, PartialEq, Hash)]
 #[repr(C)]
diff --git a/etc/ebpf/ebpf/src/file_open.rs b/etc/ebpf/ebpf/src/file_open.rs
index 0a77af40e..5732a3b02 100644
--- a/etc/ebpf/ebpf/src/file_open.rs
+++ b/etc/ebpf/ebpf/src/file_open.rs
@@ -11,28 +11,26 @@ pub const DENY: i32 = -1;
 #[lsm(hook = "file_open")]
 pub fn file_open(ctx: LsmContext) -> i32 {
- unsafe { try_file_open(ctx).unwrap_or_else(|_| 0) }
+ unsafe { try_file_open(ctx).unwrap_or_else(|_| ALLOW) }
 }
 unsafe fn try_file_open(ctx: LsmContext) -> Result {
- let ctx_file: *const vmlinux::file = ctx.arg(0);
- let inode = aya_ebpf::helpers::bpf_probe_read_kernel(access::file_inode(ctx_file))?;
- let inode_n = aya_ebpf::helpers::bpf_probe_read_kernel(access::inode_i_ino(inode))?;
- verify_permission(&ctx, inode_n)
-}
-
-unsafe fn verify_permission(ctx: &LsmContext, target_inode: u64) -> Result {
+ let target_inode = {
+ let file: *const vmlinux::file = ctx.arg(0);
+ let inode = aya_ebpf::helpers::bpf_probe_read_kernel(access::file_inode(file))?;
+ aya_ebpf::helpers::bpf_probe_read_kernel(access::inode_i_ino(inode))?
+ };
 let task_inode = get_inode_from_current_task()?;
 if let Some(rule_list) = maps::FILE_RULES.get(&File::new(task_inode)) {
 info!(
- ctx,
+ &ctx,
 "file_open attempt on {} by {}", target_inode, task_inode
 );
 // Todo: let's put this log behind a flag as it's for debugging.
 let pid = aya_ebpf::helpers::bpf_get_current_pid_tgid();
 info!(
- ctx,
+ &ctx,
 "Process {} running bin {} attempting to open file", pid, task_inode
 );
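Review bot: `MAX_FILE_RULES` is raised from 5 to 20 with no doc comment saying what it bounds or who else depends on it; as a `pub const` in the `no_std` common crate it is presumably compiled into both the eBPF program and the user-space side that fills `FILE_RULES`, so the two must be rebuilt together or their idea of the map value layout will disagree. A comment such as `/// Upper bound on file rules in a FILE_RULES entry; part of the layout shared with user space, so change only with a rebuild of both sides.` would record that. If the eBPF side walks the rule list up to this bound, the verifier's instruction budget grows with the constant, so a sentence in the commit message confirming the program still loads after the increase would help the next person who bumps it.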