Test that we can call ima_file_hash helper from generic_lsm

NoPost action is used for test. Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
cilium · Aug 20, 2024 · 7525121 · 7525121
1 parent 2a7a5a8
commit 7525121
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 9 deletions.
diff --git a/bpf/process/bpf_generic_lsm.c b/bpf/process/bpf_generic_lsm.c
@@ -157,3 +157,32 @@ generic_lsm_output(void *ctx)
 
 	return try_override(ctx);
 }
+
+#if defined GENERIC_LSM && defined __LARGE_MAP_KEYS
+__attribute__((section("lsm.s/file_open"), used)) int
+BPF_PROG(ima_file_open, struct file *file)
+{
+
+	struct msg_generic_kprobe *e;
+	int zero = 0;
+	int pathlen, hash_algo = -95; // EOPNOTSUPP
+        int idx = 0;
+
+	e = map_lookup_elem(&process_call_heap, &zero);
+	if(!e)
+	    return 0;
+
+	char *args = e->args;
+
+	args = args_off(e, e->argsoff[idx & MAX_SELECTORS_MASK]);
+	pathlen = *(int *)args & (MAX_STRING - 1);
+	args += pathlen + 6;
+	hash_algo = ima_file_hash(file, args + 4, 64);
+	*(int *)args = hash_algo;
+        __u64 hash = *(__u64 *)(args + 4);
+        bpf_printk("algo: %i\n", hash_algo);
+        bpf_printk("hash: %x\n", hash);
+
+        return 0;
+}
+#endif
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
@@ -2272,15 +2272,6 @@ do_action(void *ctx, __u32 i, struct selector_action *actions,
 			e->common.flags |= MSG_COMMON_FLAG_USER_STACKTRACE;
 			e->user_stack_id = get_stackid(ctx, &stack_trace_map, BPF_F_USER_STACK);
 		}
-
-#if defined GENERIC_LSM && defined __LARGE_MAP_KEYS
-		__u32 ima_arg_idx = actions->act[++i];
-
-		if (ima_arg_idx >= 0 && ima_arg_idx < 5) {
-			e->common.flags |= MSG_COMMON_FLAG_IMA_HASH;
-			get_ima_hash(maps->config, e, ima_arg_idx);
-		}
-#endif /* GENERIC_LSM */
 		break;
 	}
 
@@ -2439,6 +2430,11 @@ generic_actions(void *ctx, struct generic_maps *maps)
 	postit = do_actions(ctx, actions, maps);
 	if (postit)
 		tail_call(ctx, maps->calls, TAIL_CALL_SEND);
+#if defined GENERIC_LSM && defined __LARGE_MAP_KEYS
+        else
+		// TEST ima_file_hash
+		tail_call(ctx, maps->calls, 6);
+#endif /* GENERIC_LSM */
 	return 0;
 }
 

diff --git a/pkg/sensors/program/loader.go b/pkg/sensors/program/loader.go
@@ -728,6 +728,15 @@ func installTailCalls(bpfDir string, spec *ebpf.CollectionSpec, coll *ebpf.Colle
 				}
 			}
 		}
+		secName := "lsm.s/file_open"
+		if progName, ok := secToProgName[secName]; ok {
+			if prog, ok := coll.Programs[progName]; ok {
+				err := tailCallsMap.Update(uint32(6), uint32(prog.FD()), ebpf.UpdateAny)
+				if err != nil {
+					return fmt.Errorf("update of tail-call map '%s' failed: %w", pinPath, err)
+				}
+			}
+		}
 		return nil
 	}