Add more files

bpf-apps/Makefile

@@ -1,4 +1,4 @@
-APPS = hello execsnoop execsnoop_v2 bashreadline hello_btf
+APPS = hello execsnoop execsnoop_v2 bashreadline hello_btf block_shell
 bpftool = $(shell which bpftool || ../tools/bpftool)
 
 .PHONY: all
@@ -8,14 +8,14 @@ $(APPS):
 	clang -g -O2 -target bpf -D__TARGET_ARCH_x86 -I/usr/include/x86_64-linux-gnu -I. -c $@.bpf.c -o $@.bpf.o
 	$(bpftool) gen skeleton $@.bpf.o > $@.skel.h
 	clang -g -O2 -Wall -I . -c $@.c -o $@.o
-	clang -Wall -O2 -g $@.o -static -lbpf -lelf -lz -o $@
+	clang -Wall -O2 -g $@.o -lbpf -lelf -lz -o $@
 
 vmlinux:
 	$(bpftool) btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
 
 libbpf:
 	git clone https://github.com/libbpf/libbpf /tmp/libbpf
-	cd /tmp/libbpf/src && make BUILD_STATIC_ONLY=1 && sudo make install
+	cd /tmp/libbpf/src && make && sudo make install
 
 format:
 	VERSION_CONTROL=none indent -linux *.h *.c

bpf-apps/bashreadline.skel.h

@@ -21,8 +21,7 @@ struct bashreadline_bpf {
 	} links;
 };
 
-static void
-bashreadline_bpf__destroy(struct bashreadline_bpf *obj)
+static void bashreadline_bpf__destroy(struct bashreadline_bpf *obj)
 {
 	if (!obj)
 		return;
@@ -34,8 +33,9 @@ bashreadline_bpf__destroy(struct bashreadline_bpf *obj)
 static inline int
 bashreadline_bpf__create_skeleton(struct bashreadline_bpf *obj);
 
-static inline struct bashreadline_bpf *
-bashreadline_bpf__open_opts(const struct bpf_object_open_opts *opts)
+static inline struct bashreadline_bpf *bashreadline_bpf__open_opts(const struct
+								   bpf_object_open_opts
+								   *opts)
 {
 	struct bashreadline_bpf *obj;
 
@@ -48,25 +48,22 @@ bashreadline_bpf__open_opts(const struct bpf_object_open_opts *opts)
 		goto err;
 
 	return obj;
-err:
+ err:
 	bashreadline_bpf__destroy(obj);
 	return NULL;
 }
 
-static inline struct bashreadline_bpf *
-bashreadline_bpf__open(void)
+static inline struct bashreadline_bpf *bashreadline_bpf__open(void)
 {
 	return bashreadline_bpf__open_opts(NULL);
 }
 
-static inline int
-bashreadline_bpf__load(struct bashreadline_bpf *obj)
+static inline int bashreadline_bpf__load(struct bashreadline_bpf *obj)
 {
 	return bpf_object__load_skeleton(obj->skeleton);
 }
 
-static inline struct bashreadline_bpf *
-bashreadline_bpf__open_and_load(void)
+static inline struct bashreadline_bpf *bashreadline_bpf__open_and_load(void)
 {
 	struct bashreadline_bpf *obj;
 
@@ -80,14 +77,12 @@ bashreadline_bpf__open_and_load(void)
 	return obj;
 }
 
-static inline int
-bashreadline_bpf__attach(struct bashreadline_bpf *obj)
+static inline int bashreadline_bpf__attach(struct bashreadline_bpf *obj)
 {
 	return bpf_object__attach_skeleton(obj->skeleton);
 }
 
-static inline void
-bashreadline_bpf__detach(struct bashreadline_bpf *obj)
+static inline void bashreadline_bpf__detach(struct bashreadline_bpf *obj)
 {
 	return bpf_object__detach_skeleton(obj->skeleton);
 }
@@ -119,7 +114,8 @@ bashreadline_bpf__create_skeleton(struct bashreadline_bpf *obj)
 	/* programs */
 	s->prog_cnt = 1;
 	s->prog_skel_sz = sizeof(*s->progs);
-	s->progs = (struct bpf_prog_skeleton *)calloc(s->prog_cnt, s->prog_skel_sz);
+	s->progs =
+	    (struct bpf_prog_skeleton *)calloc(s->prog_cnt, s->prog_skel_sz);
 	if (!s->progs)
 		goto err;
 
@@ -391,9 +387,9 @@ bashreadline_bpf__create_skeleton(struct bashreadline_bpf *obj)
 \0\0\0";
 
 	return 0;
-err:
+ err:
 	bpf_object__destroy_skeleton(s);
 	return -1;
 }
 
-#endif /* __BASHREADLINE_BPF_SKEL_H__ */
+#endif				/* __BASHREADLINE_BPF_SKEL_H__ */

bpf-apps/block_shell.bpf.c

@@ -0,0 +1,49 @@
+/* Blocking all bash commands */
+/* Require: "CONFIG_BPF_LSM=y" and CONFIG_LSM="bpf,..." */
+#include "vmlinux.h"
+#include <bpf/bpf_core_read.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+#define EPERM 1
+#define NULL 0
+
+static __always_inline int handle_new_process(struct task_struct *parent,
+					      struct task_struct *child)
+{
+	char bash[] = "bash";
+
+	pid_t pid = BPF_CORE_READ(child, pid);
+	char comm[16];
+	bpf_get_current_comm(&comm, sizeof(comm));
+	u64 pidns = child->nsproxy->pid_ns_for_children->ns.inum;
+
+	for (int i = 0; i < sizeof(bash); i++) {
+		if (comm[i] != bash[i]) {
+			return 0;
+		}
+	}
+
+	bpf_printk("lsm: blocking %s (pid: %d) in pidns %ld\n", comm, pid,
+		   pidns);
+	return -EPERM;
+}
+
+SEC("lsm/task_alloc")
+int BPF_PROG(task_alloc, struct task_struct *task, unsigned long clone_flags,
+	     int ret_prev)
+{
+	struct task_struct *parent = BPF_CORE_READ(task, real_parent);
+	if (parent == NULL) {
+		return -EPERM;	/* Shouldn't happen */
+	}
+
+	/* Handle results of previous programs */
+	if (ret_prev != 0) {
+		return ret_prev;
+	}
+
+	return handle_new_process(parent, task);
+}
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";

bpf-apps/block_shell.c

@@ -0,0 +1,50 @@
+/* Blocking all bash commands */
+/* Require: "CONFIG_BPF_LSM=y" and CONFIG_LSM="bpf,..." */
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/resource.h>
+#include <bpf/libbpf.h>
+#include "block_shell.skel.h"
+
+int main(int argc, char **argv)
+{
+	struct block_shell_bpf *obj;
+	int err = 0;
+
+	struct rlimit rlim_new = {
+		.rlim_cur = RLIM_INFINITY,
+		.rlim_max = RLIM_INFINITY,
+	};
+
+	err = setrlimit(RLIMIT_MEMLOCK, &rlim_new);
+	if (err) {
+		fprintf(stderr, "failed to change rlimit\n");
+		return 1;
+	}
+	obj = block_shell_bpf__open();
+	if (!obj) {
+		fprintf(stderr, "failed to open and/or load BPF object\n");
+		return 1;
+	}
+
+	err = block_shell_bpf__load(obj);
+	if (err) {
+		fprintf(stderr, "failed to load BPF object %d\n", err);
+		goto cleanup;
+	}
+
+	err = block_shell_bpf__attach(obj);
+	if (err) {
+		fprintf(stderr, "failed to attach BPF programs\n");
+		goto cleanup;
+	}
+
+	printf
+	    ("Successfully started! Tracing /sys/kernel/debug/tracing/trace_pipe...\n");
+
+	system("cat /sys/kernel/debug/tracing/trace_pipe");
+
+ cleanup:
+	block_shell_bpf__destroy(obj);
+	return err != 0;
+}