High-level LSM (Linux Security Module) DSL for BPF programs.

LSM BPF programs can be attached to security hooks to enforce
custom security policies. They run alongside the kernel's LSM
infrastructure (SELinux, AppArmor, etc.).

Return values:
- 0: Allow the operation
- <0: Deny with error code (e.g., -EPERM, -EACCES)

LSM programs use BTF for typed argument access.

Example:
  (deflsm-instructions block-exec
    {:hook "bprm_check_security"
     :args [:bprm]}
    ;; Block execution of specific programs
    [])

(build-lsm-program {:keys [arg-saves body default-action]
                    :or {arg-saves [] default-action :allow}})

Build a complete LSM program with standard structure.

Parameters:
- opts: Map with:
  :arg-saves - Vector of [arg-index dest-reg] pairs (optional)
  :body - Vector of body instructions
  :default-action - :allow or :eperm (default :allow)

Returns assembled program bytes.
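As an added example (not code from this library's documentation), the following builds a default-deny program with build-lsm-program: only one PID is allowed through the hook, every other caller falls through to the :eperm default action. The namespace name example.bpf.lsm is a placeholder for the namespace documented on this page; the example also assumes that lsm-filter-by-pid's skip-offset counts the instructions that follow the filter sequence, and that the assembled program bytes are a countable byte array.

```clojure
;; Added example, not part of the library. `example.bpf.lsm` is a
;; placeholder for the namespace documented on this page.
(require '[example.bpf.lsm :refer [build-lsm-program lsm-allow lsm-filter-by-pid]])

(defn allowlist-pid-program
  "Default-deny program: only the task with ALLOWED-PID passes the hook;
   every other caller gets -EPERM from the default action.
   Returns the assembled program bytes."
  [allowed-pid]
  (let [allow (lsm-allow)]                        ; [mov r0, 0] + exit
    (build-lsm-program
     {:arg-saves      [[0 :r6]]                   ; keep the first hook arg in r6
      ;; If the current PID differs from allowed-pid, skip over the allow
      ;; sequence and fall through to the :eperm default. The skip length is
      ;; taken from the allow vector itself, so it stays correct if the size
      ;; of the allow sequence ever changes (assumed skip-offset semantics).
      :body           (into (lsm-filter-by-pid allowed-pid (count allow)) allow)
      :default-action :eperm})))

(defn instruction-count
  "Sanity check on assembled bytes (assumed to be a countable byte array):
   every eBPF instruction is 8 bytes wide (a 64-bit immediate load is two
   such slots), so a well-formed program's byte length is a multiple of 8."
  [program-bytes]
  (let [n (count program-bytes)]
    (when-not (zero? (mod n 8))
      (throw (ex-info "program length is not a multiple of 8 bytes" {:bytes n})))
    (quot n 8)))

(comment
  ;; 4242 is a constructed sample PID
  (instruction-count (allowlist-pid-program 4242)))
```

Choosing :default-action :eperm makes the allow list the only path that returns 0, which is the least-privilege shape for a hook policy: a mistake in the filter fails closed rather than open.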
Common LSM hook points.
These are frequently used security hooks that LSM BPF can attach to.
(deflsm-instructions fn-name options & body)

Define an LSM program as a function returning instructions.

Parameters:
- fn-name: Name for the defined function
- options: Map with:
  :hook - LSM hook name
  :args - Vector of argument names (for documentation)
  :arg-saves - Vector of [arg-index dest-reg] pairs (optional)
  :default-action - :allow or error code (default :allow)
- body: Body expressions (should return vectors of instructions)

Example:
  (deflsm-instructions check-exec
    {:hook "bprm_check_security"
     :args [:bprm]
     :arg-saves [[0 :r6]]
     :default-action :allow}
    [])

(describe-lsm-hook hook-name)

Return information about an LSM hook.

Parameters:
- hook-name: Hook name (keyword or string)

Returns map with hook information.
(lsm-action action)

Get LSM action return value.

Parameters:
- action: Action keyword (:allow, :eperm, :eacces, etc.)

Returns integer value.

Example:
  (lsm-action :allow)  ;; => 0
  (lsm-action :eperm)  ;; => -1
(lsm-allow)

Generate instructions to allow the operation.

Returns vector of [mov r0, 0] and exit.
(lsm-deny)
(lsm-deny errno)

Generate instructions to deny the operation.

Parameters:
- errno: Error code (default :eperm = -1)

Returns vector of instructions.
(lsm-filter-by-pid target-pid skip-offset)

Generate instructions to filter by PID.

Parameters:
- target-pid: PID to match
- skip-offset: Instructions to skip if no match

Returns vector of instructions.
(lsm-filter-by-uid target-uid skip-offset)

Generate instructions to filter by UID.

Parameters:
- target-uid: UID to match
- skip-offset: Instructions to skip if no match

Returns vector of instructions.
(lsm-get-current-comm buf-reg)

Generate instructions to get current task comm.

Parameters:
- buf-reg: Register pointing to 16-byte buffer

Returns vector of instructions.
(lsm-get-current-gid)

Generate instructions to get current GID.

Returns vector of instructions with GID in r0.

(lsm-get-current-pid)

Generate instructions to get current PID.

Returns vector of instructions with PID in r0.

(lsm-get-current-uid)

Generate instructions to get current UID.

Returns vector of instructions with UID in r0.
(lsm-prologue arg-saves)

Generate standard LSM program prologue.

Saves hook arguments to callee-saved registers.

Parameters:
- arg-saves: Vector of [arg-index dest-reg] pairs

Returns vector of instructions.

Example:
  (lsm-prologue [[0 :r6] [1 :r7]])  ;; Saves first arg to r6, second to r7
(lsm-return value)

Generate instructions to return a specific value.

Parameters:
- value: Return value

Returns vector of instructions.
(lsm-save-args arg-count)

Generate instructions to save LSM hook arguments.

Parameters:
- arg-count: Number of arguments to save (1-5)

Returns vector of mov instructions.
(lsm-section-name hook-name)

Generate ELF section name for LSM program.

Parameters:
- hook-name: LSM hook name

Returns section name like "lsm/bprm_check_security"

Example:
  (lsm-section-name "bprm_check_security")  ;; => "lsm/bprm_check_security"
(make-lsm-program-info program-name hook-name instructions)

Create program metadata for an LSM program.

Parameters:
- program-name: Name for the BPF program
- hook-name: LSM hook to attach to
- instructions: Program instructions

Returns map with program metadata.
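The following added example (not code from this library) ties together deflsm-instructions, lsm-filter-by-uid, lsm-deny, lsm-action, lsm-section-name and make-lsm-program-info: it defines a default-allow bprm_check_security program that denies exec for one UID, then packages the instructions with the section name and metadata a loader needs. The namespace example.bpf.lsm is a placeholder for the namespace documented here; the example assumes that the function defined by deflsm-instructions takes no arguments and returns the instruction vector, and that skip-offset counts the instructions following the filter sequence.

```clojure
;; Added example, not part of the library. `example.bpf.lsm` is a
;; placeholder for the namespace documented on this page.
(require '[example.bpf.lsm :refer [deflsm-instructions lsm-deny lsm-filter-by-uid
                                   lsm-action lsm-section-name
                                   make-lsm-program-info]])

(def blocked-uid 1000) ; constructed sample UID for the policy

;; Default-allow program that denies exec for a single UID. The body is one
;; expression returning a vector of instructions: a UID test that jumps over
;; the deny sequence when the UID does not match (assumed skip-offset
;; semantics), followed by the deny sequence itself. Any other UID falls
;; through to the :allow default.
(deflsm-instructions deny-exec-for-uid
  {:hook "bprm_check_security"
   :args [:bprm]
   :arg-saves [[0 :r6]]
   :default-action :allow}
  (let [deny (lsm-deny :eacces)]
    ;; Sizing the jump from the deny vector avoids hard-coding its length.
    (into (lsm-filter-by-uid blocked-uid (count deny)) deny)))

(defn package-program
  "Pair the instructions with what a loader needs: the ELF section name for
   the hook and the program metadata map. Assumes the function defined by
   deflsm-instructions takes no arguments (assumption, not documented)."
  []
  (let [hook  "bprm_check_security"
        insns (deny-exec-for-uid)]
    {:section    (lsm-section-name hook)            ; "lsm/bprm_check_security"
     :deny-errno (lsm-action :eacces)               ; numeric value the deny path returns
     :info       (make-lsm-program-info "deny_exec_for_uid" hook insns)}))

(comment
  (package-program))
```

Keeping the deny errno as a keyword (:eacces) in the policy and resolving it with lsm-action only where a number is needed keeps the policy source readable; the section name returned by lsm-section-name is what tells the loader which LSM hook the program attaches to.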
cljdoc builds & hosts documentation for Clojure/Script libraries