Skip to content

v0.0.4
Compare
Choose a tag to compare
@mrtc0 mrtc0 released this 12 Mar 09:55
· 77 commits to master since this release
v0.0.4
7418f4e
This commit was signed with the committer’s verified signature. The key has expired.
mrtc0 Kohei Morita
GPG key ID: 1AE1A50C170A00BE
Expired
Learn about vigilant mode.

Added

Support for restrictions by domain name #5

Restrictions by domain name are now possible.
Since it is difficult to hook domain name resolution in eBPF, we will resolve it in the userspace program.
Periodically perform name resolution in the userspace programs to update the eBPF Map.

This will support the following settings:

network:
  mode: block
  target: host
  cidr:
    allow:
      - 0.0.0.0/0
    deny: []
  domain:
    deny:
      # Connection to example.com will be blocked
      - example.com

This is an initiative by GMO Pepabo, Inc. through its internship program for students.
Thanks @n01e0

Support for file access restrictions #6

File open can now be restricted by attaching lsm/open.
For example, Access to /etc/passwd and /etc/test can be disabled with the following configuration:

network:
  mode: block
  target: host
  cidr:
    allow:
      - 0.0.0.0/0
files:
  mode: block
  target: container
  allow:
    - '/'
  deny:
    - '/etc/passwd'
    - '/etc/test'
log:
  format: json

Changed

update libbpfgo and static link #9

libbpfgo updated to v0.2.4-libbpf-0.6.1. With this change, libbpf is managed a a submodule.
Also, libbpf is now statically linked.

$ ldd bouheki
        linux-vdso.so.1 (0x00007fff9a8ae000)
        libelf.so.1 => /lib/x86_64-linux-gnu/libelf.so.1 (0x00007fc5e2761000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fc5e2745000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc5e251d000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fc5e2788000)

Changelog

  • 5be4ad5 Add CHANGELOG.md
  • 8e3642e Add compose file for test
  • fd105c5 Add doc
  • c1c9783 Add monitor test
  • 4b569ac Fix test
  • 784382e Fixed a bug v6 addresses were not being restricted.
  • c677c97 I forgot about the common.h
  • 7ec3817 Make DNS Resolver stub-able for easy testing
  • ae7ad10 Merge branch 'master' into DNS_lookup
  • f72e94d Merge branch 'master' of ssh://github.com/mrtc0/bouheki
  • ffa2f34 Merge pull request #1 from n01e0/master
  • 87295bf Merge pull request #2 from mrtc0/IPv6_support
  • c42eacc Merge pull request #3 from mrtc0/replace-bpf_core_read
  • 71cccf5 Merge pull request #4 from mrtc0/install_gotestsum
  • 0df33ef Merge pull request #5 from mrtc0/DNS_lookup
  • 2143ab3 Merge pull request #6 from mrtc0/IPv6_support
  • b438b68 Merge pull request #7 from mrtc0/restrict-open
  • fa827b4 Merge pull request #8 from mrtc0/docs
  • 6dcba40 Merge pull request #9 from mrtc0/update-libbpfgo
  • 682f994 Replaced bpf_core_read with BPF_CORE_READ_INTO to reduce register consumption
  • ce7644d Resolve the domain and update the map
  • 23ebcf0 Run the BPF test only if it has an integration tag.
  • 4d10ed6 Setup docker ipv6 environment
  • ba7d06b TestAuditWithUpdate for domain update test
  • a506cc7 Trying to test IPv6...
  • 1d116d3 repoet_ipv6_event must set hdr.type to BLOCKED_IPV6
  • 5ad37a5 add Domain in config
  • dea3755 add clang-format config
  • 29f5323 add development document
  • 94e25c1 add doc
  • 13cc411 add release task
  • 278e9ed add testcase for domain update
  • 6a119f0 assign Mask
  • aa2885a cache needs update
  • 0e783e0 chore(CHANGELOG): #7
  • 4f91d5e chore(deps): add submodule libbpf
  • 6426d8a chore(deps): adjust arguments new API
  • cf7ef27 chore(deps): update libbpfgo
  • 8f289ee chore(fileaccess): build restricted-file.bpf
  • 75a8e40 chore: Dockerize
  • 2ea95f1 chore: bump up v0.0.4
  • 379040b chore: fix release scripts
  • cd285f8 chore: install docker for test
  • f8b28de chore: setup git user
  • 7418f4e chore: update sample
  • c8bf860 chore: use domain
  • 386d356 clang-format
  • 8fccdea create IPNet
  • 251c697 create update func
  • 4334e2d define DomainCache
  • ccde5ea define in defaultConfig()
  • 091975d define interval in config
  • 12995d3 do not ignore...
  • 915b4e4 draft
  • 51ed0de exec needs run
  • 1865878 feat(fileaccess): Change behavior based on mode
  • 0c32460 feat(fileaccess): Send audit events to user-space via perf buffer
  • 4f7c11b feat(fileaccess): Support only container mode
  • 0b25c3b feat(fileaccess): impl strlen and strcmp in ebpf program
  • 7c1e116 feat(fileaccess): impl userland for hooks to lsm/open
  • 673d460 feat(fileaccess): logging event
  • 6e7a732 feat(fileaccess): restricted open files
  • 082ba3b feat(fileaccess): support block / monitor mode
  • b0295b5 feat: fix test
  • 9197575 feat: refactor
  • fb259fd feat: skip compatibility check
  • 4f9ade5 fix
  • 2209a3c fix Vagrantfile use -y option
  • 6b6b269 fix config for test
  • b0fd285 fix enum format
  • 88b6b2b fix indent
  • 56b6650 fix multi-value
  • 20de261 fix sample.yaml
  • 6de4325 fix test
  • 5910acf fix test
  • ec7cc73 fix test
  • 7c6f009 fix test cases
  • d6b3fcc fix v6 integration test
  • 404f3ce fix: In ubuntu impish, the combination of landlock and bpf will cause a kernel panic
  • e42c0c7 go fmt
  • b8d7790 gofmt
  • 5607751 gofmt in CI
  • 0829fb6 impl IPv6 event parser
  • acd0a79 insert into cache
  • e90af96 install gcc-multilib for asm/errno.h
  • a85893b install gotestsum for test
  • ccbe172 ipv(4|6)ToKeyを実装
  • e09939f key is key
  • ddfa761 need call
  • 0096ac8 rebase
  • f86f9bb refactor
  • 58c5bab refactor
  • 038185d refactor test
  • 622312e refactor(network): for easy handling of logger
  • 4aab3ff refactor(network): remove dead code
  • 704b7e5 refactor: rename commands -> audit
  • be3cba2 refactor: rename config fileds
  • dcf06fd refactor: rename fileaccess ebpf map
  • 2d300d1 refactor: rename map and attach process
  • 318f110 refactor: rename methods
  • c1e2fe6 refactor: rename methods and move some methods to helpers
  • 34f0cda refactor: rename network-restrict ebpf map
  • ed8487c refactor: rename old methods name
  • e3cb716 refactor: rename structs files
  • 20fe419 remove "Not implemented" comment
  • c40bd62 remove files
  • bf8af62 revert because the deny rule cannot block
  • 6f39b8d set default allow ::/0
  • aaa7cf6 shouldn't use ping in test
  • 892fc82 style(network): format variable define
  • 79640f3 style: add test and refactor
  • cbc5244 style: format
  • db02cc2 style: rename
  • 05bcc36 style: rename
  • 2069419 style: rename variable names and bpf map names
  • b9d2ff6 test(fileaccess): e2e test for audit
  • 030ef15 test(fileaccess): e2e test for container mode
  • 086ed58 test(fileaccess): fix param
  • c5c9da4 test(fileaccess): unit test for manager
  • f1985f9 testing block by domain
  • 3c7e8cb testing monitor by domain
  • b28af81 unionを使わない実装。とりあえずv4は動いてる
  • 89c91d1 update
  • 4a453bd update LICENSE
  • 58bb8c4 update successful
  • fb6f115 update ubuntu
  • 87daf40 use BPF_CORE_READ
  • e70b1d9 use compose for test
  • 267bd8c とりあえずCの部分をそれっぽく書いたので一旦まとめる
  • a783146 ガバガバ判定を直した

Contributors

n01e0
Assets 4
Loading