ebpf: increase size of file rules

fleek-network · Jun 5, 2024 · eb63b8b · eb63b8b
1 parent 2f51e2c
commit eb63b8b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 11 deletions.
diff --git a/etc/ebpf/common/src/lib.rs b/etc/ebpf/common/src/lib.rs
@@ -1,7 +1,7 @@
 #![no_std]
 
 pub const MAX_DEVICES: usize = 2;
-pub const MAX_FILE_RULES: usize = 5;
+pub const MAX_FILE_RULES: usize = 20;
 
 #[derive(Clone, Copy, Eq, PartialEq, Hash)]
 #[repr(C)]

diff --git a/etc/ebpf/ebpf/src/file_open.rs b/etc/ebpf/ebpf/src/file_open.rs
@@ -11,28 +11,26 @@ pub const DENY: i32 = -1;
 
 #[lsm(hook = "file_open")]
 pub fn file_open(ctx: LsmContext) -> i32 {
-    unsafe { try_file_open(ctx).unwrap_or_else(|_| 0) }
+    unsafe { try_file_open(ctx).unwrap_or_else(|_| ALLOW) }
 }
 
 unsafe fn try_file_open(ctx: LsmContext) -> Result<i32, c_long> {
-    let ctx_file: *const vmlinux::file = ctx.arg(0);
-    let inode = aya_ebpf::helpers::bpf_probe_read_kernel(access::file_inode(ctx_file))?;
-    let inode_n = aya_ebpf::helpers::bpf_probe_read_kernel(access::inode_i_ino(inode))?;
-    verify_permission(&ctx, inode_n)
-}
-
-unsafe fn verify_permission(ctx: &LsmContext, target_inode: u64) -> Result<i32, c_long> {
+    let target_inode = {
+        let file: *const vmlinux::file = ctx.arg(0);
+        let inode = aya_ebpf::helpers::bpf_probe_read_kernel(access::file_inode(file))?;
+        aya_ebpf::helpers::bpf_probe_read_kernel(access::inode_i_ino(inode))?
+    };
     let task_inode = get_inode_from_current_task()?;
     if let Some(rule_list) = maps::FILE_RULES.get(&File::new(task_inode)) {
         info!(
-            ctx,
+            &ctx,
             "file_open attempt on {} by {}", target_inode, task_inode
         );
 
         // Todo: let's put this log behind a flag as it's for debugging.
         let pid = aya_ebpf::helpers::bpf_get_current_pid_tgid();
         info!(
-            ctx,
+            &ctx,
             "Process {} running bin {} attempting to open file", pid, task_inode
         );