admin管理员组

文章数量:1277342

Using a eBPF lsm program, I trace file opening events for a specific container. Events are filtered by cgroups.

void handle_event(struct file *file, long ret, __u64 cgroup_id, void *ctx) {

    struct event event = {};
    event.pid = bpf_get_current_pid_tgid() >> 32;
    event.uid = bpf_get_current_uid_gid();
    event.cgroup = cgroup_id;
    bpf_get_current_comm(&eventm, sizeof(eventm));
    bpf_d_path(&file->f_path, event.fname, sizeof(event.fname));

    // publish the event
    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
}

In a first version, I attach filter the incoming events based on the cgroup of the current task:

SEC("lsm/file_open")
int BPF_PROG(file_open_lsm_in_bpf_cgroup_filtering, struct file *file, long ret){
    __u64 cgroup_id = bpf_get_current_cgroup_id();
    __u32 key = 0;
    __u32 *cgroup_id_ptr = bpf_map_lookup_elem(&cgroups, &key);
    if (cgroup_id_ptr && *cgroup_id_ptr == cgroup_id) {
        handle_event(file, ret, cgroup_id, ctx);
    }
    return 0;
}

In a second version, I attach the same eBPF program to the target cgroup:

SEC("lsm_cgroup/file_open")
int BPF_PROG(file_open_lsm_pre_bpf_cgroup_filtering, struct file *file, long ret){
    __u64 cgroup_id = bpf_get_current_cgroup_id();
    handle_event(file, ret, cgroup_id, ctx);
    return 0;
}

I observed a really strange behavior. With the above two program do not trace the log the same events (version 2 only logs about 10% of the logs logged by version 1). Now if I change the return value of version 2 to 1, as such:

SEC("lsm_cgroup/file_open")
int BPF_PROG(file_open_lsm_pre_bpf_cgroup_filtering, struct file *file, long ret){
    __u64 cgroup_id = bpf_get_current_cgroup_id();
    handle_event(file, ret, cgroup_id, ctx);
    return 1;
}

Then, both programs have exactly the same output traces. How could this be possible? Which elements shall I investigate to troubleshoot this situation?

本文标签: linux security moduleeBPF LSM program differs in behavior when changing the return valueStack Overflow

版权声明:本文标题:linux security module - eBPF LSM program differs in behavior when changing the return value - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1741207190a2358384.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。