eunomia-bpf / bpftime

Userspace eBPF runtime for fast Uprobe & Syscall hook & Extensions
https://eunomia.dev/bpftime/
MIT License

[FEATURE] Try to implement similar functions to LSM with bpftime. Call it USM. #148

Open zhangying098 opened 7 months ago

zhangying098 commented 7 months ago

If there are good ideas, I will continue to contribute.

ScriptSathi commented 5 months ago

Basically, I think what could be done is similar to Tetragon. LSM is defined here: https://elixir.bootlin.com/linux/latest/source/security/security.c

What Tetragon does is use a user-based observability policy to load custom hooks and to trigger events on the requested hooks. In the code base, they have both generic eBPF hooks and hard-coded probes for specific tasks.

I think the USM framework could do the same. We hook LSM using eBPF only on defined or mandatory hooks (to reduce latency) to trigger events or simply harden the permissions. To do so, I think it is possible to write generic LSM hooks for certain use cases and some hard-coded ones. Then dynamically load them in the kernel.

What do you think of this?