rbbcc 0.11.0.pre → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c5cbecb6f86bc56c109433915be6daea255c5578145372e7fef05e643c74f22
-  data.tar.gz: 73b4dcb08ed7882ffd905f44b3662e1f26fbc7075b9e832c29f44701304b1826
+  metadata.gz: 0cafb82823139848b9c16a2182ef4ba3c86c391126700ee6cbb31ab0a427da85
+  data.tar.gz: 711be4b7c0bf09879445d02b7bf0379b9c51dc186f56129227c416a0515e00ff
 SHA512:
-  metadata.gz: ce916936932a3a0bb00bf28b3bd67d55b2d2068e0d4d05308296d472306db0ffae3dd495a441189fdcfe0db0c29705a389f31781f0e3971f1ef349b1d0eb4a1f
-  data.tar.gz: 15da5d9cd65ec31dd5a3fd1b3b87ce76edf4c40805f2cb800bbb5178300ec003975aea1bff084e740a1a8820a8137701692c861188bd9b85cbd31a971caf5535
+  metadata.gz: 007c4273121411d6548b071fe48fda59c36af94a36c7de183a8fbacceba722c837115af8a2892ec79277957217b5152b58ec12ce4dd56c153293a2ac6fae9894
+  data.tar.gz: 94da55a1738a534d0bffc95ac2ebabcb431e5ea98785506a0006e1d249b83d602f8bbcaec47890124afbf42a9a11f394f986b9795b194db0acb101a8d536ca26

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.11.0.pre)
+    rbbcc (0.11.0)
       fiddle
 
 GEM

data/examples/dns_blocker.rb

@@ -82,14 +82,15 @@ end
 
 def attach_tc(interface)
   system(
-    "sudo `tc filter add dev #{interface} egress" +
+    "sudo tc filter add dev #{interface} egress" +
     " bpf pinned #{PIN_PATH} da",
     exception: true
   )
 end
 
 def cleanup_tc(interface)
-  system("sudo tc qdisc del dev #{interface} clsact", exception: true)
+  # Run idempotently
+  system("sudo tc qdisc del dev #{interface} clsact 2>/dev/null")
   File.unlink(PIN_PATH) if File.exist?(PIN_PATH)
 end
 

data/examples/lsm_sockblock.rb

@@ -0,0 +1,142 @@
+#!/usr/bin/env ruby
+#
+# lsm_sockblock.rb  Monitor/block AF_ALG socket_create via BPF LSM.
+#
+# This example uses LSM_PROBE(socket_create) and a BPF_ARRAY map for mode:
+#   0 = preview (log only)
+#   1 = block   (return -EPERM)
+#
+# The config map is pinned to bpffs so mode can be changed externally.
+#
+# Usage:
+#   sudo ruby examples/lsm_sockblock.rb
+#   sudo ruby examples/lsm_sockblock.rb --mode block
+#   sudo ruby examples/lsm_sockblock.rb --pin-path /sys/fs/bpf/my_config_map
+
+require 'optparse'
+require 'socket'
+require 'rbbcc'
+
+include RbBCC
+
+PROGRAM = <<~CLANG
+  #include <linux/lsm_hooks.h>
+  #include <linux/socket.h>
+  #include <uapi/asm-generic/errno-base.h>
+
+  struct data_t {
+      u32 pid;
+      int family;
+      int type;
+      int is_warning;
+      int is_blocked;
+      char comm[16];
+  };
+
+  BPF_PERF_OUTPUT(events);
+  BPF_ARRAY(config_map, u32, 1);
+
+  LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
+  {
+      u32 pid = bpf_get_current_pid_tgid() >> 32;
+      struct data_t data = {};
+
+      u32 key = 0;
+      u32 *mode = config_map.lookup(&key);
+      int is_block_mode = (mode && *mode == 1);
+
+      data.pid = pid;
+      data.family = family;
+      data.type = type;
+      bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+      if (family == AF_ALG) {
+          data.is_blocked = is_block_mode;
+          data.is_warning = 1;
+          events.perf_submit(ctx, &data, sizeof(data));
+
+          if (is_block_mode) {
+              return -EPERM;
+          }
+      } else {
+          data.is_blocked = 0;
+          data.is_warning = 0;
+          events.perf_submit(ctx, &data, sizeof(data));
+      }
+
+      return 0;
+  }
+CLANG
+
+options = {
+  mode: "preview",
+  pin_path: "/sys/fs/bpf/rbbcc_lsm_config_map"
+}
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: #{$0} [--mode preview|block] [--pin-path PATH]"
+
+  opts.on("--mode MODE", ["preview", "block"], "Operation mode (default: preview)") do |v|
+    options[:mode] = v
+  end
+
+  opts.on("--pin-path PATH", "bpffs pin path (default: /sys/fs/bpf/rbbcc_lsm_config_map)") do |v|
+    options[:pin_path] = v
+  end
+end.parse!
+
+mode_value = (options[:mode] == "block") ? 1 : 0
+
+families = Socket.constants.grep(/^AF_/).each_with_object({}) do |name, h|
+  begin
+    v = Socket.const_get(name)
+    h[v] = name.to_s if v.is_a?(Integer)
+  rescue NameError
+    next
+  end
+end
+
+types = Socket.constants.grep(/^SOCK_/).each_with_object({}) do |name, h|
+  begin
+    v = Socket.const_get(name)
+    h[v] = name.to_s if v.is_a?(Integer)
+  rescue NameError
+    next
+  end
+end
+
+begin
+  b = BCC.new(text: PROGRAM)
+
+  config = b["config_map"]
+  config[0] = mode_value
+
+  File.unlink(options[:pin_path]) if File.exist?(options[:pin_path])
+  BCC.pin!(config.map_fd, options[:pin_path])
+
+  puts "LSM BPF started in #{options[:mode].upcase} mode."
+  puts "Pinned config map: #{options[:pin_path]}"
+  puts "Tracing AF_ALG socket_create... Press Ctrl-C to exit."
+
+  b["events"].open_perf_buffer do |cpu, data, size|
+    event = b["events"].event(data)
+    family = families.fetch(event.family, "AF_UNKNOWN(#{event.family})")
+    stype = types.fetch(event.type, "SOCK_UNKNOWN(#{event.type})")
+
+    puts "PID: #{event.pid.to_s.ljust(7)} | COMM: #{event.comm.to_s.ljust(15)} | FAMILY: #{family.ljust(14)} | TYPE: #{stype}"
+
+    next if event.is_warning == 0
+
+    mode_str = (event.is_blocked == 1) ? "BLOCK" : "PREVIEW"
+    status = (event.is_blocked == 1) ? "REJECTED" : "WARNING"
+    puts "\e[1;31m[#{mode_str}] #{status}: PID #{event.pid} (#{event.comm}) tried AF_ALG socket creation.\e[0m"
+  end
+
+  loop do
+    b.perf_buffer_poll
+  end
+rescue Interrupt
+  puts "\nStopping..."
+ensure
+  File.unlink(options[:pin_path]) if File.exist?(options[:pin_path])
+end

data/examples/py-orig/sockblock.py

@@ -0,0 +1,119 @@
+from bcc import BPF, lib
+import socket
+import ctypes
+import os
+
+# 1. C言語側のプログラム
+program = r"""
+#include <linux/lsm_hooks.h>
+#include <linux/socket.h>
+#include <uapi/asm-generic/errno-base.h>
+
+struct data_t {
+    u32 pid;
+    int family;
+    int type;
+    int is_warning;
+    int is_blocked;
+    char comm[16];
+};
+
+BPF_PERF_OUTPUT(events);
+
+// モード保存用マップ (Index 0 を使用)
+// 1: blockモード, 0: previewモード
+BPF_ARRAY(config_map, u32, 1);
+
+LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
+{
+    u32 pid = bpf_get_current_pid_tgid() >> 32;
+    struct data_t data = {};
+    
+    // マップから現在のモードを取得
+    u32 key = 0;
+    u32 *mode = config_map.lookup(&key);
+    int is_block_mode = (mode && *mode == 1);
+
+    data.pid = pid;
+    data.family = family;
+    data.type = type;
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+    if (family == AF_ALG) {
+        data.is_blocked = is_block_mode;
+        data.is_warning = 1;
+
+        // ログデータを送信
+        events.perf_submit(ctx, &data, sizeof(data));
+
+        // blockモードならエラーを返してシステムコールを失敗させる
+        if (is_block_mode) {
+            return -EPERM; // -1 (Operation not permitted)
+        }
+    } else {
+        data.is_blocked = 0;
+        data.is_warning = 0;
+
+        // ログデータを送信
+        events.perf_submit(ctx, &data, sizeof(data));
+    }
+
+    return 0;
+}
+"""
+
+# 定数解決用
+families = {getattr(socket, n): n for n in dir(socket) if n.startswith('AF_')}
+types = {getattr(socket, n): n for n in dir(socket) if n.startswith('SOCK_')}
+
+def print_event(cpu, data, size):
+    event = b["events"].event(data)
+
+    family_str = families.get(event.family, f"AF_UNKNOWN({event.family})")
+    type_str = types.get(event.type, f"SOCK_UNKNOWN({event.type})")
+    
+    print(f"PID: {event.pid:<7} | COMM: {event.comm.decode('utf-8'):<15} | "
+          f"FAMILY: {family_str:<12} | TYPE: {type_str}")
+
+    if event.is_warning:
+        mode_str = "BLOCK" if event.is_blocked else "PREVIEW"
+        status = "!! REJECTED !!" if event.is_blocked else "WARNING"
+        
+        print(f"[{mode_str}] {status}: PID {event.pid} ({event.comm.decode()}) "
+            f"tried to create AF_ALG socket.")
+
+# 2. ロードと設定
+try:
+    b = BPF(text=program)
+    
+    # --- モード設定 ---
+    # 1 を書き込むと blockモード、0 だと previewモード
+    mode = 0
+    config_table = b.get_table("config_map")
+    config_table[ctypes.c_uint32(0)] = ctypes.c_uint32(mode)
+
+    # Mapの永続化 - ユーザ空間からモードを変更できるようにするため
+    map_path = "/sys/fs/bpf/my_config_map"
+    if os.path.exists(map_path):
+        os.remove(map_path)
+    print(f"Pinning config map to -> {map_path}")
+    map_fd = config_table.get_fd()
+    res = lib.bpf_obj_pin(map_fd, ctypes.c_char_p(map_path.encode()))
+    if res != 0:
+        raise Exception(f"Failed to pin map to {map_path}: {os.strerror(-res)}")
+
+    # -----------------
+
+    print(f"LSM BPF started in {'BLOCK' if mode == 1 else 'PREVIEW'} mode.")
+    print("Tracing AF_ALG creation... Press Ctrl-C to exit.")
+    
+    b["events"].open_perf_buffer(print_event)
+    
+    while True:
+        try:
+            b.perf_buffer_poll()
+        except KeyboardInterrupt:
+            exit()
+
+except Exception as e:
+    print(f"Failed: {e}")

data/lib/rbbcc/bcc.rb

@@ -643,6 +643,9 @@ module RbBCC
             tp: tp,
             fn_name: fn[:name]
           )
+        elsif func_name.start_with?("lsm__")
+          # LSM_PROBE programs are attached by libbcc while loading.
+          load_func(func_name, BPF::LSM)
         end
       end
     end

data/lib/rbbcc/consts.rb

@@ -19,5 +19,8 @@ module RbBCC
     SK_MSG = 16
     RAW_TRACEPOINT = 17
     CGROUP_SOCK_ADDR = 18
+    CGROUP_SOCKOPT = 25
+    TRACING = 26
+    LSM = 29
   end
 end

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.11.0.pre"
+  VERSION = "0.11.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.11.0.pre
+  version: 0.11.0
 platform: ruby
 authors:
 - Uchio Kondo
@@ -92,9 +92,11 @@ files:
 - examples/hello_ring_buffer.rb
 - examples/hello_world.rb
 - examples/kvm_hypercall.rb
+- examples/lsm_sockblock.rb
 - examples/mallocstack.rb
 - examples/networking/http_filter/http-parse-simple.c
 - examples/networking/http_filter/http-parse-simple.rb
+- examples/py-orig/sockblock.py
 - examples/ruby_usdt.rb
 - examples/sbrk_trace.rb
 - examples/syscalluname.rb
@@ -142,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.6
 specification_version: 4
 summary: BCC port for MRI
 test_files: []