LSM (Linux Security Modules) BPF hook support for security policies
(attach-lsm-program prog-fd & {:keys [target-btf-id] :or {target-btf-id 0}})
Attach an LSM BPF program to a hook point.
Parameters:
- prog-fd: LSM program file descriptor
- target-btf-id: BTF ID of the LSM hook (optional keyword argument, default 0 for auto-detect)
Returns a map with :prog-fd and :link-fd for cleanup.
Example: (attach-lsm-program prog-fd :target-btf-id 0)
(close-lsm-link link-fd)
Close an LSM BPF link.
Parameters:
- link-fd: Link file descriptor
Example: (close-lsm-link link-fd)
(create-lsm-link prog-fd target-btf-id)
Create a BPF link for LSM program attachment.
Parameters:
- prog-fd: LSM program file descriptor
- target-btf-id: BTF ID of the LSM hook (0 for auto-detection)
Returns the link file descriptor.
Note: Requires kernel 5.7+ with LSM BPF enabled, i.e. CONFIG_BPF_LSM built in and "bpf" present in the kernel's active LSM list (set by CONFIG_LSM or the lsm= boot parameter).
Example: (create-lsm-link prog-fd 0)
(detach-lsm-program {:keys [link-fd]})
Detach an LSM BPF program.
Parameters:
- link-info: Map with :link-fd from attach-lsm-program
Example: (detach-lsm-program link-info)
(get-hook-category hook)
Get the category for an LSM hook.
Parameters:
- hook: Hook keyword
Returns the category keyword or nil if not found.
Example: (get-hook-category :file-open) => :file-system
(get-lsm-hook-name hook)
Get the LSM hook function name for a hook keyword.
Parameters:
- hook: Hook keyword (e.g., :file-open)
Returns the LSM hook function name (e.g., "file_open")
Example: (get-lsm-hook-name :file-open) => "file_open"
(list-hooks-by-category category)
List LSM hooks by category.
Parameters:
- category: Category keyword (:file-system, :process, :network, etc.)
Returns a vector of hook keywords in that category.
Example: (list-hooks-by-category :file-system) => [:file-open :file-permission ...]
(list-lsm-hooks)
List all available LSM hook points.
Returns a vector of hook keywords.
Example: (list-lsm-hooks) => [:file-open :file-permission :bprm-check-security ...]
(load-lsm-program bytecode hook & {:keys [prog-name license log-level log-size expected-attach-type] :or {license "GPL" log-level 0 log-size 0 expected-attach-type :lsm-mac}})
Load an LSM BPF program.
Parameters:
- bytecode: BPF bytecode (byte array)
- hook: LSM hook point keyword (e.g., :file-open, :bprm-check-security)
- options: Map of options:
  - :prog-name - Program name (default: hook name)
  - :license - License string (default "GPL")
  - :log-level - Verifier log level (default 0)
  - :log-size - Log buffer size (default 0)
  - :expected-attach-type - Override attach type (default :lsm-mac)
Returns program file descriptor.
Example:
(load-lsm-program bytecode :file-open
                  :prog-name "file_open_filter"
                  :license "GPL")

(lsm-available?)
Check if LSM BPF is available on this system.
Returns true if LSM BPF is supported, false otherwise.
Example: (lsm-available?) => true
(setup-lsm-hook bytecode hook & {:keys [prog-name target-btf-id] :or {target-btf-id 0} :as options})
Setup LSM hook (load program and attach).
Convenience function that:
1. Loads the BPF program
2. Attaches it to the LSM hook
Parameters:
- bytecode: BPF bytecode
- hook: LSM hook point keyword
- options: Program load and attach options
Returns a map with :prog-fd and :link-fd for cleanup.
Example:
(def setup (setup-lsm-hook bytecode :file-open
                           :prog-name "file_filter"))
;; ... later ...
(teardown-lsm-hook setup)

(teardown-lsm-hook {:keys [prog-fd link-fd]})
Teardown LSM hook setup.
Parameters:
- setup: Map returned by setup-lsm-hook with :prog-fd and :link-fd
Example: (teardown-lsm-hook setup)
(with-lsm-hook [binding setup-expr] & body)
Load and attach LSM hook, ensure cleanup.
Example:
(with-lsm-hook [setup (setup-lsm-hook bytecode :file-open)]
  ;; LSM hook is active
  (do-work))

(with-lsm-program [binding attach-expr] & body)
Attach LSM program and ensure detachment after use.
Example:
(with-lsm-program [info (attach-lsm-program prog-fd)]
  ;; LSM program is active
  (do-work))
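A worked example of the load, attach and teardown lifecycle these functions describe, covering both the manual path (load-lsm-program / attach-lsm-program / teardown-lsm-hook) and the scoped path (setup-lsm-hook inside with-lsm-hook). This is added here and is not code from the library or its documentation. It assumes the functions documented on this page are referred into the current namespace (their namespace path is not shown on this page), that the JVM runs as root or with the capabilities the kernel requires to load LSM programs, and that lsm-available?, get-hook-category and friends behave as documented above. The bytecode is a constructed two-instruction program that allows every operation; `allow-all-bytecode`, `require-lsm!`, `resolve-hook`, `install-policy` and `run-with-policy` are names chosen for this example.

```clojure
;; Added example; not part of the library's documentation. Assumes the
;; functions documented on this page are referred into this namespace
;; (their namespace path is not shown here) and that the JVM runs as root
;; or with the capabilities the kernel requires for loading LSM programs.

(def allow-all-bytecode
  ;; Constructed for this example: the two-instruction eBPF program
  ;; `mov64 r0, 0 ; exit`, little-endian, 8 bytes per instruction.
  ;; An LSM program that returns 0 permits the hooked operation, so this
  ;; policy allows everything and is safe for checking the load/attach path.
  ;; A real policy returns a negative errno (e.g. -EPERM) to deny.
  (byte-array (map unchecked-byte
                   [0xb7 0x00 0x00 0x00 0x00 0x00 0x00 0x00    ; mov64 r0, 0
                    0x95 0x00 0x00 0x00 0x00 0x00 0x00 0x00]))) ; exit

(defn require-lsm!
  "Fail closed: a policy loader that silently skips enforcement when LSM BPF
  is missing would leave the host unprotected without anyone noticing."
  []
  (when-not (lsm-available?)
    (throw (ex-info (str "LSM BPF is not available; it needs kernel 5.7+ with "
                         "CONFIG_BPF_LSM and \"bpf\" in the active LSM list")
                    {:check :lsm-available?}))))

(defn resolve-hook
  "Validate `hook` against the library's hook table before touching the
  kernel and return its kernel-side name and category."
  [hook]
  (let [category (get-hook-category hook)]
    (when (nil? category)
      (throw (ex-info "Unknown LSM hook keyword"
                      {:hook hook :known-hooks (list-lsm-hooks)})))
    {:hook hook :name (get-lsm-hook-name hook) :category category}))

(defn install-policy
  "Manual lifecycle: load with the verifier log enabled, then attach.
  Returns the {:prog-fd :link-fd} map that teardown-lsm-hook expects.
  A program the verifier rejects fails inside load-lsm-program, so the
  verifier log requested here is what to read when a policy will not load.
  Caveat: if attach-lsm-program throws, prog-fd stays open, since this page
  documents no standalone program-close function; prefer run-with-policy
  when automatic cleanup matters."
  [bytecode hook]
  (require-lsm!)
  (let [{:keys [name]} (resolve-hook hook)
        prog-fd (load-lsm-program bytecode hook
                                  :prog-name (str name "_policy")
                                  :license "GPL"
                                  :log-level 1
                                  :log-size (* 64 1024))]
    (attach-lsm-program prog-fd)))

(defn run-with-policy
  "Scoped lifecycle: the policy is active only while `f` runs. with-lsm-hook
  detaches and closes the fds whether `f` returns normally or throws."
  [bytecode hook f]
  (require-lsm!)
  (let [{:keys [name]} (resolve-hook hook)]
    (with-lsm-hook [setup (setup-lsm-hook bytecode hook
                                          :prog-name (str name "_policy"))]
      ;; While this body runs the kernel invokes the program on every call
      ;; of the hook, for every process on the host, not just this JVM.
      (f setup))))

(comment
  ;; Scoped path with the allow-all program on the file_open hook.
  (run-with-policy allow-all-bytecode :file-open
    (fn [{:keys [prog-fd link-fd]}]
      (println "policy active, prog-fd" prog-fd "link-fd" link-fd)
      ;; Every open() now passes through the program; allow-all lets it succeed.
      (slurp "/etc/hostname")))

  ;; Manual path: install, use, and tear down explicitly.
  (let [setup (install-policy allow-all-bytecode :file-open)]
    (try
      (slurp "/etc/hostname")
      (finally
        (teardown-lsm-hook setup)))))
```

Two points worth keeping in mind when adapting this: the hook is enforced host-wide as soon as the link exists, so a policy that denies too broadly can lock the machine out of basic operations, which is why the example starts from an allow-everything program and keeps the lifetime scoped; and a loader should fail closed (require-lsm! throwing) rather than continue without enforcement when lsm-available? returns false.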