rbbcc 0.11.0.pre → 0.11.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c5cbecb6f86bc56c109433915be6daea255c5578145372e7fef05e643c74f22
-  data.tar.gz: 73b4dcb08ed7882ffd905f44b3662e1f26fbc7075b9e832c29f44701304b1826
+  metadata.gz: 6795c09c9054d789de4ce10626404bc7f6e5f7cdb12296e2344b270f2a7fa2a7
+  data.tar.gz: e898c4bc91fcc3b7dff968a2daf44d667faf68c5ee9eef29b1eba4f14dc2d123
 SHA512:
-  metadata.gz: ce916936932a3a0bb00bf28b3bd67d55b2d2068e0d4d05308296d472306db0ffae3dd495a441189fdcfe0db0c29705a389f31781f0e3971f1ef349b1d0eb4a1f
-  data.tar.gz: 15da5d9cd65ec31dd5a3fd1b3b87ce76edf4c40805f2cb800bbb5178300ec003975aea1bff084e740a1a8820a8137701692c861188bd9b85cbd31a971caf5535
+  metadata.gz: d40bb0cc232b51f25cc6970580c00bcb52c13cf7423f5082f3bbb447b9ea5d5a59acb958a68df4b3a3639bf86ac8ee72a673313d009cdb18be9eec52dc3176a9
+  data.tar.gz: e9af3796aa61f7f76b0122e13b2ec6c0958c8d33edeb6c0d34a5813e0f38e7f1cbd46eb267290a3935b381d94815cb7b4479d5adfeee428c709124b7456e3fa4

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rbbcc (0.11.0.pre)
+    rbbcc (0.11.1)
       fiddle
 
 GEM

data/examples/dns_blocker.rb

@@ -82,14 +82,15 @@ end
 
 def attach_tc(interface)
   system(
-    "sudo `tc filter add dev #{interface} egress" +
+    "sudo tc filter add dev #{interface} egress" +
     " bpf pinned #{PIN_PATH} da",
     exception: true
   )
 end
 
 def cleanup_tc(interface)
-  system("sudo tc qdisc del dev #{interface} clsact", exception: true)
+  # Run idempotently
+  system("sudo tc qdisc del dev #{interface} clsact 2>/dev/null")
   File.unlink(PIN_PATH) if File.exist?(PIN_PATH)
 end
 

data/examples/lsm_sockblock.rb

@@ -0,0 +1,142 @@
+#!/usr/bin/env ruby
+#
+# lsm_sockblock.rb  Monitor/block AF_ALG socket_create via BPF LSM.
+#
+# This example uses LSM_PROBE(socket_create) and a BPF_ARRAY map for mode:
+#   0 = preview (log only)
+#   1 = block   (return -EPERM)
+#
+# The config map is pinned to bpffs so mode can be changed externally.
+#
+# Usage:
+#   sudo ruby examples/lsm_sockblock.rb
+#   sudo ruby examples/lsm_sockblock.rb --mode block
+#   sudo ruby examples/lsm_sockblock.rb --pin-path /sys/fs/bpf/my_config_map
+
+require 'optparse'
+require 'socket'
+require 'rbbcc'
+
+include RbBCC
+
+PROGRAM = <<~CLANG
+  #include <linux/lsm_hooks.h>
+  #include <linux/socket.h>
+  #include <uapi/asm-generic/errno-base.h>
+
+  struct data_t {
+      u32 pid;
+      int family;
+      int type;
+      int is_warning;
+      int is_blocked;
+      char comm[16];
+  };
+
+  BPF_PERF_OUTPUT(events);
+  BPF_ARRAY(config_map, u32, 1);
+
+  LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
+  {
+      u32 pid = bpf_get_current_pid_tgid() >> 32;
+      struct data_t data = {};
+
+      u32 key = 0;
+      u32 *mode = config_map.lookup(&key);
+      int is_block_mode = (mode && *mode == 1);
+
+      data.pid = pid;
+      data.family = family;
+      data.type = type;
+      bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+      if (family == AF_ALG) {
+          data.is_blocked = is_block_mode;
+          data.is_warning = 1;
+          events.perf_submit(ctx, &data, sizeof(data));
+
+          if (is_block_mode) {
+              return -EPERM;
+          }
+      } else {
+          data.is_blocked = 0;
+          data.is_warning = 0;
+          events.perf_submit(ctx, &data, sizeof(data));
+      }
+
+      return 0;
+  }
+CLANG
+
+options = {
+  mode: "preview",
+  pin_path: "/sys/fs/bpf/rbbcc_lsm_config_map"
+}
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: #{$0} [--mode preview|block] [--pin-path PATH]"
+
+  opts.on("--mode MODE", ["preview", "block"], "Operation mode (default: preview)") do |v|
+    options[:mode] = v
+  end
+
+  opts.on("--pin-path PATH", "bpffs pin path (default: /sys/fs/bpf/rbbcc_lsm_config_map)") do |v|
+    options[:pin_path] = v
+  end
+end.parse!
+
+mode_value = (options[:mode] == "block") ? 1 : 0
+
+families = Socket.constants.grep(/^AF_/).each_with_object({}) do |name, h|
+  begin
+    v = Socket.const_get(name)
+    h[v] = name.to_s if v.is_a?(Integer)
+  rescue NameError
+    next
+  end
+end
+
+types = Socket.constants.grep(/^SOCK_/).each_with_object({}) do |name, h|
+  begin
+    v = Socket.const_get(name)
+    h[v] = name.to_s if v.is_a?(Integer)
+  rescue NameError
+    next
+  end
+end
+
+begin
+  b = BCC.new(text: PROGRAM)
+
+  config = b["config_map"]
+  config[0] = mode_value
+
+  File.unlink(options[:pin_path]) if File.exist?(options[:pin_path])
+  BCC.pin!(config.map_fd, options[:pin_path])
+
+  puts "LSM BPF started in #{options[:mode].upcase} mode."
+  puts "Pinned config map: #{options[:pin_path]}"
+  puts "Tracing AF_ALG socket_create... Press Ctrl-C to exit."
+
+  b["events"].open_perf_buffer do |cpu, data, size|
+    event = b["events"].event(data)
+    family = families.fetch(event.family, "AF_UNKNOWN(#{event.family})")
+    stype = types.fetch(event.type, "SOCK_UNKNOWN(#{event.type})")
+
+    puts "PID: #{event.pid.to_s.ljust(7)} | COMM: #{event.comm.to_s.ljust(15)} | FAMILY: #{family.ljust(14)} | TYPE: #{stype}"
+
+    next if event.is_warning == 0
+
+    mode_str = (event.is_blocked == 1) ? "BLOCK" : "PREVIEW"
+    status = (event.is_blocked == 1) ? "REJECTED" : "WARNING"
+    puts "\e[1;31m[#{mode_str}] #{status}: PID #{event.pid} (#{event.comm}) tried AF_ALG socket creation.\e[0m"
+  end
+
+  loop do
+    b.perf_buffer_poll
+  end
+rescue Interrupt
+  puts "\nStopping..."
+ensure
+  File.unlink(options[:pin_path]) if File.exist?(options[:pin_path])
+end

data/examples/py-orig/sockblock.py

@@ -0,0 +1,119 @@
+from bcc import BPF, lib
+import socket
+import ctypes
+import os
+
+# 1. C言語側のプログラム
+program = r"""
+#include <linux/lsm_hooks.h>
+#include <linux/socket.h>
+#include <uapi/asm-generic/errno-base.h>
+
+struct data_t {
+    u32 pid;
+    int family;
+    int type;
+    int is_warning;
+    int is_blocked;
+    char comm[16];
+};
+
+BPF_PERF_OUTPUT(events);
+
+// モード保存用マップ (Index 0 を使用)
+// 1: blockモード, 0: previewモード
+BPF_ARRAY(config_map, u32, 1);
+
+LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
+{
+    u32 pid = bpf_get_current_pid_tgid() >> 32;
+    struct data_t data = {};
+    
+    // マップから現在のモードを取得
+    u32 key = 0;
+    u32 *mode = config_map.lookup(&key);
+    int is_block_mode = (mode && *mode == 1);
+
+    data.pid = pid;
+    data.family = family;
+    data.type = type;
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+    if (family == AF_ALG) {
+        data.is_blocked = is_block_mode;
+        data.is_warning = 1;
+
+        // ログデータを送信
+        events.perf_submit(ctx, &data, sizeof(data));
+
+        // blockモードならエラーを返してシステムコールを失敗させる
+        if (is_block_mode) {
+            return -EPERM; // -1 (Operation not permitted)
+        }
+    } else {
+        data.is_blocked = 0;
+        data.is_warning = 0;
+
+        // ログデータを送信
+        events.perf_submit(ctx, &data, sizeof(data));
+    }
+
+    return 0;
+}
+"""
+
+# 定数解決用
+families = {getattr(socket, n): n for n in dir(socket) if n.startswith('AF_')}
+types = {getattr(socket, n): n for n in dir(socket) if n.startswith('SOCK_')}
+
+def print_event(cpu, data, size):
+    event = b["events"].event(data)
+
+    family_str = families.get(event.family, f"AF_UNKNOWN({event.family})")
+    type_str = types.get(event.type, f"SOCK_UNKNOWN({event.type})")
+    
+    print(f"PID: {event.pid:<7} | COMM: {event.comm.decode('utf-8'):<15} | "
+          f"FAMILY: {family_str:<12} | TYPE: {type_str}")
+
+    if event.is_warning:
+        mode_str = "BLOCK" if event.is_blocked else "PREVIEW"
+        status = "!! REJECTED !!" if event.is_blocked else "WARNING"
+        
+        print(f"[{mode_str}] {status}: PID {event.pid} ({event.comm.decode()}) "
+            f"tried to create AF_ALG socket.")
+
+# 2. ロードと設定
+try:
+    b = BPF(text=program)
+    
+    # --- モード設定 ---
+    # 1 を書き込むと blockモード、0 だと previewモード
+    mode = 0
+    config_table = b.get_table("config_map")
+    config_table[ctypes.c_uint32(0)] = ctypes.c_uint32(mode)
+
+    # Mapの永続化 - ユーザ空間からモードを変更できるようにするため
+    map_path = "/sys/fs/bpf/my_config_map"
+    if os.path.exists(map_path):
+        os.remove(map_path)
+    print(f"Pinning config map to -> {map_path}")
+    map_fd = config_table.get_fd()
+    res = lib.bpf_obj_pin(map_fd, ctypes.c_char_p(map_path.encode()))
+    if res != 0:
+        raise Exception(f"Failed to pin map to {map_path}: {os.strerror(-res)}")
+
+    # -----------------
+
+    print(f"LSM BPF started in {'BLOCK' if mode == 1 else 'PREVIEW'} mode.")
+    print("Tracing AF_ALG creation... Press Ctrl-C to exit.")
+    
+    b["events"].open_perf_buffer(print_event)
+    
+    while True:
+        try:
+            b.perf_buffer_poll()
+        except KeyboardInterrupt:
+            exit()
+
+except Exception as e:
+    print(f"Failed: {e}")

data/lib/rbbcc/bcc.rb

@@ -242,6 +242,7 @@ module RbBCC
       @uprobe_fds = {}
       @tracepoint_fds = {}
       @raw_tracepoint_fds = {}
+      @lsm_fds = {}
 
       if src_file
         src_file = BCC._find_file(src_file)
@@ -433,6 +434,34 @@ module RbBCC
       @tracepoint_fds.delete(tp)
     end
 
+    def attach_lsm(fn_name: "")
+      if @lsm_fds.keys.include?(fn_name)
+        raise "LSM #{fn_name} has been attached"
+      end
+
+      fn = load_func(fn_name, BPF::LSM)
+      fd = Clib.bpf_attach_lsm(fn[:fd])
+      if fd < 0
+        raise SystemCallError.new("Failed to attach LSM #{fn_name}", Fiddle.last_error)
+      end
+      Util.debug "Attach: #{fn_name}"
+      @lsm_fds[fn_name] = fd
+      self
+    end
+
+    def detach_lsm(fn_name)
+      unless @lsm_fds.keys.include?(fn_name)
+        raise "LSM #{fn_name} is not attached"
+      end
+
+      begin
+        File.for_fd(@lsm_fds[fn_name]).close
+      rescue => e
+        warn "Closing fd failed: #{e.inspect}. Ignore and skip"
+      end
+      @lsm_fds.delete(fn_name)
+    end
+
     def detach_kprobe_event(ev_name)
       unless @kprobe_fds.keys.include?(ev_name)
         raise "Event #{ev_name} not registered"
@@ -471,6 +500,10 @@ module RbBCC
       @tracepoint_fds.size
     end
 
+    def num_open_lsms
+      @lsm_fds.size
+    end
+
     def tracefile
       @tracefile ||= File.open("#{TRACEFS}/trace_pipe", "rb")
     end
@@ -528,6 +561,10 @@ module RbBCC
         detach_raw_tracepoint(k)
       end
 
+      @lsm_fds.each do |k, v|
+        detach_lsm(k)
+      end
+
       if @module
         Clib.bpf_module_destroy(@module)
       end
@@ -643,6 +680,8 @@ module RbBCC
             tp: tp,
             fn_name: fn[:name]
           )
+        elsif func_name.start_with?("lsm__")
+          attach_lsm(fn_name: func_name)
         end
       end
     end

data/lib/rbbcc/clib.rb

@@ -114,6 +114,7 @@ module RbBCC
     extern 'int bpf_attach_tracepoint(int progfd, char *tp_category, char *tp_name)'
     extern 'int bpf_detach_tracepoint(char *tp_category, char *tp_name)'
     extern 'int bpf_attach_raw_tracepoint(int progfd, char *tp_name)'
+    extern 'int bpf_attach_lsm(int progfd)'
     extern 'int bpf_open_perf_event(unsigned int, unsigned long, int, int)'
     extern 'int bpf_close_perf_event_fd(int)'
     extern 'int bpf_get_first_key(int, void *, int)'

data/lib/rbbcc/consts.rb

@@ -19,5 +19,8 @@ module RbBCC
     SK_MSG = 16
     RAW_TRACEPOINT = 17
     CGROUP_SOCK_ADDR = 18
+    CGROUP_SOCKOPT = 25
+    TRACING = 26
+    LSM = 29
   end
 end

data/lib/rbbcc/version.rb

@@ -1,3 +1,3 @@
 module RbBCC
-  VERSION = "0.11.0.pre"
+  VERSION = "0.11.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-  version: 0.11.0.pre
+  version: 0.11.1
 platform: ruby
 authors:
 - Uchio Kondo
@@ -92,9 +92,11 @@ files:
 - examples/hello_ring_buffer.rb
 - examples/hello_world.rb
 - examples/kvm_hypercall.rb
+- examples/lsm_sockblock.rb
 - examples/mallocstack.rb
 - examples/networking/http_filter/http-parse-simple.c
 - examples/networking/http_filter/http-parse-simple.rb
+- examples/py-orig/sockblock.py
 - examples/ruby_usdt.rb
 - examples/sbrk_trace.rb
 - examples/syscalluname.rb
@@ -142,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.6
 specification_version: 4
 summary: BCC port for MRI
 test_files: []