https://github.com/deepfence/ebpfguard
Rust library for writing Linux security policies using eBPF
https://github.com/deepfence/ebpfguard
Last synced: about 1 year ago
JSON representation
Rust library for writing Linux security policies using eBPF
- Host: GitHub
- URL: https://github.com/deepfence/ebpfguard
- Owner: deepfence
- License: apache-2.0
- Created: 2023-03-22T13:49:40.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2024-01-22T04:50:36.000Z (over 2 years ago)
- Last Synced: 2025-03-29T23:08:47.782Z (over 1 year ago)
- Language: Rust
- Homepage:
- Size: 4.41 MB
- Stars: 298
- Watchers: 6
- Forks: 91
- Open Issues: 12
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-ebpf - Ebpfguard - Rust library for writing Linux security policies using eBPF. (eBPF Workflow: Tools and Utilities / Aya)
README

[](https://github.com/deepfence/ebpfguard/blob/master/LICENSE)
[](https://github.com/deepfence/ebpfguard/stargazers)
[](https://github.com/deepfence/ebpfguard/actions?query=workflow)
[](https://github.com/deepfence/ebpfguard/issues)
[](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ)
# Ebpfguard
**Ebpfguard** is a library for managing Linux security policies. It is based on
[LSM hooks](https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html),
but without necessity to write any kernel modules or eBPF programs directly.
It allows to write policies in Rust (or YAML) in user space.
It's based on eBPF and [Aya](https://aya-rs.dev) library, but takes away
the need to use them directly.
## Usage example
Deny mount operation for all users.
```rust
const BPF_MAPS_PATH: &str = "/sys/fs/bpf/example_sb_mount";
// Create a directory where ebpfguard policy manager can store its BPF
// objects (maps).
std::fs::create_dir_all(BPF_MAPS_PATH)?;
// Create a policy manager.
let mut policy_manager = PolicyManager::new(BPF_MAPS_PATH)?;
// Attach the policy manager to the mount LSM hook.
let mut sb_mount = policy_manager.attach_sb_mount()?;
// Get the receiver end of the alerts channel (for the `file_open` LSM
// hook).
let mut sb_mount_rx = sb_mount.alerts().await?;
// Define policies which deny mount operations for all processes (except
// for the specified subject, if defined).
sb_mount
.add_policy(SbMount {
subject: PolicySubject::All,
allow: false,
})
.await?;
if let Some(alert) = sb_mount_rx.recv().await {
info!(
"sb_mount alert: pid={} subject={}",
alert.pid, alert.subject
);
}
```
Imports and cargo file are available in [example source code](examples/readme_mount).
For more check out [examples doc](docs/gh/examples.md).
## Supported LSM hooks
LSM hooks supported by Ebpfguard are:
* [`bprm_check_security`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L62)
* [`file_open`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L620)
* [`sb_mount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L128)
* [`sb_remount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L147)
* [`sb_umount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L159)
* [`socket_bind`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L904)
* [`socket_connect`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L912)
* [`task_fix_setuid`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L709)
## Prerequisites
Check [prerequisites doc](docs/gh/prerequisites.md) to set up your environment.
## Development
Check [development doc](docs/gh/development.md) for compillation and testing commands.
## Get in touch
Thank you for using Ebpfguard. Please feel welcome to participate in the [Deepfence community](docs/gh/community.md).
* [Deepfence Community Website](https://community.deepfence.io)
* [
](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ) Got a question, need some help? Find the Deepfence team on Slack
* [](https://github.com/deepfence/ebpfguard/issues) Got a feature request or found a bug? Raise an issue
* Find out more at [deepfence.io](https://deepfence.io/)
## License
Ebpfguard's userspace part is licensed under
[Apache License, version 2.0](https://github.com/deepfence/ebpfguard/blob/main/LICENSE).
eBPF programs inside ebpfguard-ebpf directory are licensed under
[GNU General Public License, version 2](https://github.com/deepfence/ebpfguard/blob/main/ebpfguard-ebpf/LICENSE).