hubble-fgs: add BPF library policy

Add library policy for BPF auditing. Signed-off-by: John Fastabend <[email protected]>
cilium · Nov 1, 2023 · 6c20b57 · 6c20b57
1 parent 0b1c855
commit 6c20b57
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 27 deletions.
diff --git a/docs/content/en/docs/policy-library/observability/_index.md b/docs/content/en/docs/policy-library/observability/_index.md
@@ -46,12 +46,13 @@ and programs can identify bugs and malicious or unexpected BPF activity.
 ### Example jq Filter
 
 ```shell-session
-
+jq 'select(.process_kprobe != null) | select(.process_kprobe.function_name | test("bpf_check")) | "\(.time) \(.process_kprobe.process.binary) \(.process_kprobe.process.arguments) programType:\(.process_kprobe.args[0].bpf_attr_arg.ProgType) programInsn:\(.process_kprobe.args[0].bpf_attr_arg.InsnCnt)"
 ```
 
 ### Example Output
 
 ```shell-session
+"2023-11-01T02:56:54.926403604Z /usr/bin/bpftool prog list programType:BPF_PROG_TYPE_SOCKET_FILTER programInsn:2"
 ```
 
 ## Kernel Module Audit Trail {#kernel-module}
@@ -103,7 +104,7 @@ jq 'select(.process_loader != null) | "\(.time) \(.process_loader.process.pod.na
 ### Example Output
 
 ```shell-session
-"2023-10-31T19:42:33.065233159Z null /usr/bin/curl https://ebpf.io /usr/lib/x86_64-linux-gnu/libssl.so.3"
+"2023-10-31T19:42:33.065233159Z default/xwing /usr/bin/curl https://ebpf.io /usr/lib/x86_64-linux-gnu/libssl.so.3"
 ```
 
 ## Binary Execution in /tmp {#tmp-execs}

diff --git a/examples/policylibrary/bpf.yaml b/examples/policylibrary/bpf.yaml
@@ -1,29 +1,93 @@
 apiVersion: cilium.io/v1alpha1
 kind: TracingPolicy
 metadata:
-  name: "bpf"
+  name: "bpf-library-policy"
 spec:
- kprobes:
- # Bpf verifier check during program loads
- # int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr)
- - call: "bpf_check"
-   syscall: false
-   args:
-   - index: 1
-     type: "bpf_attr"
- # First step of kprobe attach process: open perf event
- # int security_perf_event_alloc(struct perf_event *event)
- - call: "security_perf_event_alloc"
-   syscall: false
-   args:
-   - index: 0
-     type: "perf_event"
- # Second step of kprobe attach process: attach bpf program to perf event: todo
- # Called during bpf map create
- # int security_bpf_map_alloc(struct bpf_map *map)
- - call: "security_bpf_map_alloc"
-   syscall: false
-   args:
-   - index: 0
-     type: "bpf_map"
- # Bpf map lookups/updates: todo
+  kprobes:
+  - call: "bpf_check"
+    syscall: false
+    args:
+    - index: 1
+      type: "bpf_attr"
+  - call: "security_perf_event_alloc"
+    syscall: false
+    args:
+    - index: 0
+      type: "perf_event"
+  - call: "security_bpf_map_alloc"
+    syscall: false
+    args:
+    - index: 0
+      type: "bpf_map"
+  - call: "security_file_permission"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "file" # (struct file *) used for getting the path
+    - index: 1
+      type: "int" # 0x04 is MAY_READ, 0x02 is MAY_WRITE
+    returnArg:
+      index: 0
+      type: "int"
+    returnArgAction: "Post"
+    selectors:
+    - matchArgs:      
+      - index: 0
+        operator: "Prefix"
+        values:
+        - "/sys/fs/bpf"      # Reads to BPFFS
+      - index: 1
+        operator: "Equal"
+        values:
+        - "4" # MAY_READ
+    - matchArgs:      
+      - index: 0
+        operator: "Prefix"
+        values:
+        - "/sys/fs/bpf"      # Reads to BPFFS
+      - index: 1
+        operator: "Equal"
+        values:
+        - "2" # MAY_WRITE
+  - call: "security_mmap_file"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "file" # (struct file *) used for getting the path
+    - index: 1
+      type: "uint32" # the prot flags PROT_READ(0x01), PROT_WRITE(0x02), PROT_EXEC(0x04)
+    - index: 2
+      type: "uint32" # the mmap flags (i.e. MAP_SHARED, ...)
+    returnArg:
+      index: 0
+      type: "int"
+    returnArgAction: "Post"
+    selectors:
+    - matchArgs:      
+      - index: 0
+        operator: "Prefix"
+        values:
+        - "/sys/fs/bpf"  # Reads to BPFFS
+      - index: 1
+        operator: "Equal"
+        values:
+        - "1" # MAY_READ
+      - index: 2
+        operator: "Mask"
+        values:
+        - "1" # MAP_SHARED
+    - matchArgs:
+      - index: 0
+        operator: "Prefix"
+        values:
+        - "/sys/fs/bpf" # Reads to BPFFS 
+      - index: 1
+        operator: "Mask"
+        values:
+        - "2" # PROT_WRITE
+      - index: 2
+        operator: "Mask"
+        values:
+        - "1" # MAP_SHARED