rbbcc 0.10.0 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6550ee287fe7fb0e1e51112ed55345e2f7b314e9d581b8f28a166eec6f4542aa
-  data.tar.gz: 9c826257aa21ad3ba3862eb7324683db36f9081d02b45b61a5c189ecb24f8836
+  metadata.gz: 0cafb82823139848b9c16a2182ef4ba3c86c391126700ee6cbb31ab0a427da85
+  data.tar.gz: 711be4b7c0bf09879445d02b7bf0379b9c51dc186f56129227c416a0515e00ff
 SHA512:
-  metadata.gz: 50cb035a4d0db91343599437ef2183b9a60eb138ee156ee406f2dd505e9725f8289f7ebdc6c6e04a07264d3eb6095a7a1c8b09a6b509840e6af03b767c38179d
-  data.tar.gz: bc64019b6a2aa9d3be9c255e9f49c15f6313984e504b910306eff4ad7c410d478b5b106d24dd6ae489848c23e7ae274537d8b38fd59773e0a2f14518e601610f
+  metadata.gz: 007c4273121411d6548b071fe48fda59c36af94a36c7de183a8fbacceba722c837115af8a2892ec79277957217b5152b58ec12ce4dd56c153293a2ac6fae9894
+  data.tar.gz: 94da55a1738a534d0bffc95ac2ebabcb431e5ea98785506a0006e1d249b83d602f8bbcaec47890124afbf42a9a11f394f986b9795b194db0acb101a8d536ca26

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.10.0)
+    rbbcc (0.11.0)
       fiddle
 
 GEM
@@ -23,6 +23,7 @@ GEM
 PLATFORMS
   aarch64-linux
   arm64-darwin-21
+  arm64-darwin-24
   arm64-darwin-25
 
 DEPENDENCIES

data/examples/dns_blocker.rb

@@ -0,0 +1,134 @@
+#!/usr/bin/env ruby
+#
+# dns_blocker.rb  Block DNS queries for a specified domain using TC/eBPF.
+#
+# Uses TC clsact qdisc and attaches a SCHED_CLS BPF program to the
+# egress path.  Because pyroute2 is unavailable in Ruby, the BPF
+# program is pinned to /sys/fs/bpf and attached via the `tc` shell
+# command.
+#
+# Usage (must be run as root):
+#   ruby dns_blocker.rb -i eth0 -d ruby-lang.org
+#
+
+require 'rbbcc'
+require 'optparse'
+
+include RbBCC
+
+def domain_to_payload_check_code(domain)
+  # Convert a domain name to DNS wire format (length-prefixed labels)
+  # For example, "example.com" becomes "\\x07example\\x03com\\x00"
+  dns_expression = domain.split('.').map { |label| "#{label.length.chr}#{label}" }.join + "\x00"
+  c_check_code = dns_expression.chars.map.with_index { |c, i| "payload[offset+#{i}] == #{c.ord}" }.join(" &&\n  ")
+  c_check_code
+end
+
+BPF_TEXT = ->(domain) {
+  <<~CLANG
+  // Some Hack :(
+  #define BPF_LOAD_ACQ -1
+  #define BPF_STORE_REL -2
+
+  #include <uapi/linux/bpf.h>
+  #include <uapi/linux/pkt_cls.h>
+  #include <linux/if_ether.h>
+  #include <linux/ip.h>
+  #include <linux/udp.h>
+
+  int block_dns(struct __sk_buff *skb) {
+      void *data     = (void *)(long)skb->data;
+      void *data_end = (void *)(long)skb->data_end;
+
+      // Ethernet header check
+      struct ethhdr *eth = data;
+      if ((void *)(eth + 1) > data_end) return TC_ACT_OK;
+      if (eth->h_proto != bpf_htons(ETH_P_IP)) return TC_ACT_OK;
+
+      // IP header check
+      struct iphdr *ip = (void *)(eth + 1);
+      if ((void *)(ip + 1) > data_end) return TC_ACT_OK;
+      if (ip->protocol != IPPROTO_UDP) return TC_ACT_OK;
+
+      // UDP header check
+      struct udphdr *udp = (void *)ip + (ip->ihl * 4);
+      if ((void *)(udp + 1) > data_end) return TC_ACT_OK;
+
+      // Only care about port 53 (DNS) egress queries
+      if (udp->dest != bpf_htons(53)) return TC_ACT_OK;
+
+      // DNS payload boundary check: DNS header (12 bytes) + "example.com" wire format (13 bytes)
+      unsigned char *payload = (unsigned char *)(udp + 1);
+      if ((void *)(payload + 12 + 13) > data_end) return TC_ACT_OK;
+
+      // "example.com" in DNS wire format: \\x07example\\x03com\\x00
+      int offset = 12;
+      if (#{domain_to_payload_check_code(domain)}) {
+          bpf_trace_printk("Blocked DNS query for #{domain}\\n");
+          return TC_ACT_SHOT;
+      }
+
+      return TC_ACT_OK;
+  }
+  CLANG
+  }
+
+PIN_PATH = "/sys/fs/bpf/dns_blocker_prog"
+
+def setup_tc(interface)
+  # Run idempotently
+  system("sudo tc qdisc add dev #{interface} clsact 2>/dev/null")
+end
+
+def attach_tc(interface)
+  system(
+    "sudo tc filter add dev #{interface} egress" +
+    " bpf pinned #{PIN_PATH} da",
+    exception: true
+  )
+end
+
+def cleanup_tc(interface)
+  # Run idempotently
+  system("sudo tc qdisc del dev #{interface} clsact 2>/dev/null")
+  File.unlink(PIN_PATH) if File.exist?(PIN_PATH)
+end
+
+options = {domain: "example.com"}
+OptionParser.new { |opts|
+  opts.banner = "Usage: #{$0} -i INTERFACE"
+  opts.on("-i", "--interface IFACE", "Network interface to monitor (e.g. eth0)") do |v|
+    options[:interface] = v
+  end
+  opts.on("-d", "--domain DOMAIN", "Domain to block (default: example.com)") do |v|
+    options[:domain] = v
+  end
+}.parse!
+
+iface = options[:interface] || abort("Error: Interface name is required")
+
+# Clean up any leftover state from a previous run
+cleanup_tc(iface)
+
+puts "[*] Compiling BPF program..."
+b = BCC.new(text: BPF_TEXT.call(options[:domain]))
+fn = b.load_func("block_dns", BPF::SCHED_CLS)
+
+# Pin the loaded BPF program so that `tc` can reference it by path
+puts "[*] Pinning BPF program to #{PIN_PATH} ..."
+BCC.pin!(fn, PIN_PATH)
+
+# Set up clsact qdisc and attach the pinned program to egress
+puts "[*] Attaching TC filter to #{iface} (egress) ..."
+setup_tc(iface)
+attach_tc(iface)
+
+puts "[*] Blocking DNS queries for #{options[:domain]} on #{iface}. Press Ctrl+C to stop."
+begin
+  b.trace_print
+rescue Interrupt
+  puts "\n[*] Shutting down..."
+ensure
+  cleanup_tc(iface)
+  puts "[*] Cleanup done."
+end

data/examples/lsm_sockblock.rb

@@ -0,0 +1,142 @@
+#!/usr/bin/env ruby
+#
+# lsm_sockblock.rb  Monitor/block AF_ALG socket_create via BPF LSM.
+#
+# This example uses LSM_PROBE(socket_create) and a BPF_ARRAY map for mode:
+#   0 = preview (log only)
+#   1 = block   (return -EPERM)
+#
+# The config map is pinned to bpffs so mode can be changed externally.
+#
+# Usage:
+#   sudo ruby examples/lsm_sockblock.rb
+#   sudo ruby examples/lsm_sockblock.rb --mode block
+#   sudo ruby examples/lsm_sockblock.rb --pin-path /sys/fs/bpf/my_config_map
+
+require 'optparse'
+require 'socket'
+require 'rbbcc'
+
+include RbBCC
+
+PROGRAM = <<~CLANG
+  #include <linux/lsm_hooks.h>
+  #include <linux/socket.h>
+  #include <uapi/asm-generic/errno-base.h>
+
+  struct data_t {
+      u32 pid;
+      int family;
+      int type;
+      int is_warning;
+      int is_blocked;
+      char comm[16];
+  };
+
+  BPF_PERF_OUTPUT(events);
+  BPF_ARRAY(config_map, u32, 1);
+
+  LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
+  {
+      u32 pid = bpf_get_current_pid_tgid() >> 32;
+      struct data_t data = {};
+
+      u32 key = 0;
+      u32 *mode = config_map.lookup(&key);
+      int is_block_mode = (mode && *mode == 1);
+
+      data.pid = pid;
+      data.family = family;
+      data.type = type;
+      bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+      if (family == AF_ALG) {
+          data.is_blocked = is_block_mode;
+          data.is_warning = 1;
+          events.perf_submit(ctx, &data, sizeof(data));
+
+          if (is_block_mode) {
+              return -EPERM;
+          }
+      } else {
+          data.is_blocked = 0;
+          data.is_warning = 0;
+          events.perf_submit(ctx, &data, sizeof(data));
+      }
+
+      return 0;
+  }
+CLANG
+
+options = {
+  mode: "preview",
+  pin_path: "/sys/fs/bpf/rbbcc_lsm_config_map"
+}
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: #{$0} [--mode preview|block] [--pin-path PATH]"
+
+  opts.on("--mode MODE", ["preview", "block"], "Operation mode (default: preview)") do |v|
+    options[:mode] = v
+  end
+
+  opts.on("--pin-path PATH", "bpffs pin path (default: /sys/fs/bpf/rbbcc_lsm_config_map)") do |v|
+    options[:pin_path] = v
+  end
+end.parse!
+
+mode_value = (options[:mode] == "block") ? 1 : 0
+
+families = Socket.constants.grep(/^AF_/).each_with_object({}) do |name, h|
+  begin
+    v = Socket.const_get(name)
+    h[v] = name.to_s if v.is_a?(Integer)
+  rescue NameError
+    next
+  end
+end
+
+types = Socket.constants.grep(/^SOCK_/).each_with_object({}) do |name, h|
+  begin
+    v = Socket.const_get(name)
+    h[v] = name.to_s if v.is_a?(Integer)
+  rescue NameError
+    next
+  end
+end
+
+begin
+  b = BCC.new(text: PROGRAM)
+
+  config = b["config_map"]
+  config[0] = mode_value
+
+  File.unlink(options[:pin_path]) if File.exist?(options[:pin_path])
+  BCC.pin!(config.map_fd, options[:pin_path])
+
+  puts "LSM BPF started in #{options[:mode].upcase} mode."
+  puts "Pinned config map: #{options[:pin_path]}"
+  puts "Tracing AF_ALG socket_create... Press Ctrl-C to exit."
+
+  b["events"].open_perf_buffer do |cpu, data, size|
+    event = b["events"].event(data)
+    family = families.fetch(event.family, "AF_UNKNOWN(#{event.family})")
+    stype = types.fetch(event.type, "SOCK_UNKNOWN(#{event.type})")
+
+    puts "PID: #{event.pid.to_s.ljust(7)} | COMM: #{event.comm.to_s.ljust(15)} | FAMILY: #{family.ljust(14)} | TYPE: #{stype}"
+
+    next if event.is_warning == 0
+
+    mode_str = (event.is_blocked == 1) ? "BLOCK" : "PREVIEW"
+    status = (event.is_blocked == 1) ? "REJECTED" : "WARNING"
+    puts "\e[1;31m[#{mode_str}] #{status}: PID #{event.pid} (#{event.comm}) tried AF_ALG socket creation.\e[0m"
+  end
+
+  loop do
+    b.perf_buffer_poll
+  end
+rescue Interrupt
+  puts "\nStopping..."
+ensure
+  File.unlink(options[:pin_path]) if File.exist?(options[:pin_path])
+end

data/examples/py-orig/sockblock.py

@@ -0,0 +1,119 @@
+from bcc import BPF, lib
+import socket
+import ctypes
+import os
+
+# 1. C言語側のプログラム
+program = r"""
+#include <linux/lsm_hooks.h>
+#include <linux/socket.h>
+#include <uapi/asm-generic/errno-base.h>
+
+struct data_t {
+    u32 pid;
+    int family;
+    int type;
+    int is_warning;
+    int is_blocked;
+    char comm[16];
+};
+
+BPF_PERF_OUTPUT(events);
+
+// モード保存用マップ (Index 0 を使用)
+// 1: blockモード, 0: previewモード
+BPF_ARRAY(config_map, u32, 1);
+
+LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
+{
+    u32 pid = bpf_get_current_pid_tgid() >> 32;
+    struct data_t data = {};
+    
+    // マップから現在のモードを取得
+    u32 key = 0;
+    u32 *mode = config_map.lookup(&key);
+    int is_block_mode = (mode && *mode == 1);
+
+    data.pid = pid;
+    data.family = family;
+    data.type = type;
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+    if (family == AF_ALG) {
+        data.is_blocked = is_block_mode;
+        data.is_warning = 1;
+
+        // ログデータを送信
+        events.perf_submit(ctx, &data, sizeof(data));
+
+        // blockモードならエラーを返してシステムコールを失敗させる
+        if (is_block_mode) {
+            return -EPERM; // -1 (Operation not permitted)
+        }
+    } else {
+        data.is_blocked = 0;
+        data.is_warning = 0;
+
+        // ログデータを送信
+        events.perf_submit(ctx, &data, sizeof(data));
+    }
+
+    return 0;
+}
+"""
+
+# 定数解決用
+families = {getattr(socket, n): n for n in dir(socket) if n.startswith('AF_')}
+types = {getattr(socket, n): n for n in dir(socket) if n.startswith('SOCK_')}
+
+def print_event(cpu, data, size):
+    event = b["events"].event(data)
+
+    family_str = families.get(event.family, f"AF_UNKNOWN({event.family})")
+    type_str = types.get(event.type, f"SOCK_UNKNOWN({event.type})")
+    
+    print(f"PID: {event.pid:<7} | COMM: {event.comm.decode('utf-8'):<15} | "
+          f"FAMILY: {family_str:<12} | TYPE: {type_str}")
+
+    if event.is_warning:
+        mode_str = "BLOCK" if event.is_blocked else "PREVIEW"
+        status = "!! REJECTED !!" if event.is_blocked else "WARNING"
+        
+        print(f"[{mode_str}] {status}: PID {event.pid} ({event.comm.decode()}) "
+            f"tried to create AF_ALG socket.")
+
+# 2. ロードと設定
+try:
+    b = BPF(text=program)
+    
+    # --- モード設定 ---
+    # 1 を書き込むと blockモード、0 だと previewモード
+    mode = 0
+    config_table = b.get_table("config_map")
+    config_table[ctypes.c_uint32(0)] = ctypes.c_uint32(mode)
+
+    # Mapの永続化 - ユーザ空間からモードを変更できるようにするため
+    map_path = "/sys/fs/bpf/my_config_map"
+    if os.path.exists(map_path):
+        os.remove(map_path)
+    print(f"Pinning config map to -> {map_path}")
+    map_fd = config_table.get_fd()
+    res = lib.bpf_obj_pin(map_fd, ctypes.c_char_p(map_path.encode()))
+    if res != 0:
+        raise Exception(f"Failed to pin map to {map_path}: {os.strerror(-res)}")
+
+    # -----------------
+
+    print(f"LSM BPF started in {'BLOCK' if mode == 1 else 'PREVIEW'} mode.")
+    print("Tracing AF_ALG creation... Press Ctrl-C to exit.")
+    
+    b["events"].open_perf_buffer(print_event)
+    
+    while True:
+        try:
+            b.perf_buffer_poll()
+        except KeyboardInterrupt:
+            exit()
+
+except Exception as e:
+    print(f"Failed: {e}")

data/lib/rbbcc/bcc.rb

@@ -180,7 +180,7 @@ module RbBCC
         end
         orig_name = c.inspect
         c.define_singleton_method :inspect do
-          orig_name.sub /(?=>$)/, " original_desc=#{desc.inspect}" rescue super
+          orig_name.sub(/(?=>$)/, " original_desc=#{desc.inspect}") rescue super
         end
         c
       end
@@ -218,6 +218,23 @@ module RbBCC
         fn[:sock] = sock
         fn
       end
+
+      #: (Integer | Hash[Symbol, untyped] fd, String path) -> String
+      def pin!(fd, path)
+        fd = fd[:fd] if fd.is_a?(Hash)
+        unless fd.is_a?(Integer) && fd >= 0
+          raise ArgumentError, "fd must exist and be a non-negative Integer"
+        end
+        unless path.is_a?(String) && !path.empty?
+          raise ArgumentError, "path must be a non-empty String"
+        end
+
+        res = Clib.bpf_obj_pin(fd, path)
+        if res < 0
+          raise SystemCallError.new("Failed to pin BPF object to %s" % path, Fiddle.last_error)
+        end
+        path
+      end
     end
 
     def initialize(text: "", src_file: nil, hdr_file: nil, debug: 0, cflags: [], usdt_contexts: [], allow_rlimit: 0, dev_name: nil)
@@ -279,7 +296,6 @@ module RbBCC
 
     def gen_args_from_usdt
       ptr = Clib.bcc_usdt_genargs(@usdt_contexts.map(&:context).pack('J*'), @usdt_contexts.size)
-      code = ""
       if !ptr || ptr.null?
         return nil
       end
@@ -627,6 +643,9 @@ module RbBCC
             tp: tp,
             fn_name: fn[:name]
           )
+        elsif func_name.start_with?("lsm__")
+          # LSM_PROBE programs are attached by libbcc while loading.
+          load_func(func_name, BPF::LSM)
         end
       end
     end

data/lib/rbbcc/clib.rb

@@ -192,6 +192,7 @@ module RbBCC
 
     extern 'int bpf_open_raw_sock(const char *name)'
     extern 'int bpf_attach_socket(int sockfd, int progfd)'
+    extern 'int bpf_obj_pin(int fd, const char *pathname)'
   end
 end
 

data/lib/rbbcc/consts.rb

@@ -19,5 +19,8 @@ module RbBCC
     SK_MSG = 16
     RAW_TRACEPOINT = 17
     CGROUP_SOCK_ADDR = 18
+    CGROUP_SOCKOPT = 25
+    TRACING = 26
+    LSM = 29
   end
 end

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.10.0"
+  VERSION = "0.11.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.0
 platform: ruby
 authors:
 - Uchio Kondo
@@ -84,6 +84,7 @@ files:
 - examples/collectsyscall.rb
 - examples/dddos.rb
 - examples/disksnoop.rb
+- examples/dns_blocker.rb
 - examples/example.gif
 - examples/extract_arg.rb
 - examples/hello_fields.rb
@@ -91,9 +92,11 @@ files:
 - examples/hello_ring_buffer.rb
 - examples/hello_world.rb
 - examples/kvm_hypercall.rb
+- examples/lsm_sockblock.rb
 - examples/mallocstack.rb
 - examples/networking/http_filter/http-parse-simple.c
 - examples/networking/http_filter/http-parse-simple.rb
+- examples/py-orig/sockblock.py
 - examples/ruby_usdt.rb
 - examples/sbrk_trace.rb
 - examples/syscalluname.rb