Skip to content

Rust library for writing Linux security policies using eBPF

License

Notifications You must be signed in to change notification settings

prakashsp23/ebpfguard

 
 

Repository files navigation

Deepfence Logo

GitHub license GitHub stars Workflow Status GitHub issues Slack

Ebpfguard

Ebpfguard is a library for managing Linux security policies. It is based on LSM hooks, but without necessity to write any kernel modules or eBPF programs directly. It allows to write policies in Rust (or YAML) in user space.

It's based on eBPF and Aya library, but takes away the need to use them directly.

Usage example

Deny mount operation for all users.

    const BPF_MAPS_PATH: &str = "/sys/fs/bpf/example_sb_mount";

    // Create a directory where ebpfguard policy manager can store its BPF
    // objects (maps).
    std::fs::create_dir_all(BPF_MAPS_PATH)?;

    // Create a policy manager.
    let mut policy_manager = PolicyManager::new(BPF_MAPS_PATH)?;

    // Attach the policy manager to the mount LSM hook.
    let mut sb_mount = policy_manager.attach_sb_mount()?;

    // Get the receiver end of the alerts channel (for the `file_open` LSM
    // hook).
    let mut sb_mount_rx = sb_mount.alerts().await?;

    // Define policies which deny mount operations for all processes (except
    // for the specified subject, if defined).
    sb_mount
        .add_policy(SbMount {
            subject: PolicySubject::All,
            allow: false,
        })
        .await?;

    if let Some(alert) = sb_mount_rx.recv().await {
        info!(
            "sb_mount alert: pid={} subject={}",
            alert.pid, alert.subject
        );
    }

Imports and cargo file are available in example source code. For more check out examples doc.

Supported LSM hooks

LSM hooks supported by Ebpfguard are:

Prerequisites

Check prerequisites doc to set up your environment.

Development

Check development doc for compillation and testing commands.

Get in touch

Thank you for using Ebpfguard. Please feel welcome to participate in the Deepfence community.

  • Deepfence Community Website
  • Got a question, need some help? Find the Deepfence team on Slack
  • GitHub issues Got a feature request or found a bug? Raise an issue

License

Ebpfguard's userspace part is licensed under Apache License, version 2.0.

eBPF programs inside ebpfguard-ebpf directory are licensed under GNU General Public License, version 2.

About

Rust library for writing Linux security policies using eBPF

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Rust 95.7%
  • C 1.9%
  • Python 1.8%
  • Dockerfile 0.6%