search

iovisor / bcc

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Apache License 2.0
20.58k stars 3.88k forks source link

can't deny access to a specific file #4967

Open walkovernamtso opened 6 months ago

walkovernamtso commented 6 months ago

I want to deny acess to a specific file, for example "exa.txt". But failed. (Testing like this: "vi exa.txt", I can still create it) Anything wrong in my code?

//my code from bcc import BPF

prog = """

include <uapi/linux/ptrace.h>

include <uapi/linux/limits.h>

include <linux/sched.h>

include <linux/fs.h>

static int strnkkcmp(char s1, char s2, int size) {for (int i = 0; i < size; ++i) if (s1[i] != s2[i]) return 1; return 0; }

int trace_syscall_openat(struct pt_regs ctx, int dfd, const char __user filename, int flags) { u32 pid = bpf_get_current_pid_tgid() >> 32; u32 uid = bpf_get_current_uid_gid();

char buf[64];
char searchname[9]="exa.txt";
bpf_probe_read(&buf, sizeof(buf), filename);  
buf[sizeof(buf) - 1] = 0;

if (strnkkcmp(buf, searchname, sizeof(searchname)) == 0) {
    bpf_trace_printk(" This file is not accessible!\\n");
    return -1;
}

return 0;

}

"""

b = BPF(text=prog) fnname_openat = b.get_syscall_prefix().decode() + 'openat' b.attach_kprobe(event=fnname_openat, fn_name="trace_syscall_openat") while True: try: b.trace_print() except KeyboardInterrupt: exit()

ShawnZhong commented 2 months ago

The return code of kprobe hooks cannot be used to alter the behavior of the kernel. You might want to look for LSM hooks: https://docs.kernel.org/bpf/prog_lsm.html If your kernel is compiled with CONFIG_BPF_KPROBE_OVERRIDE and the function is marked as ALLOW_ERROR_INJECTION, you can use bpf_override_return to change the return value.