2#ifndef SEABEE_ENFORCE_LOG_H_
3#define SEABEE_ENFORCE_LOG_H_
10#include "shared_rust_types.h"
13 unsigned long target_dev)
16 log = log_buf(level, reason, EVENT_TYPE_SB_UMOUNT,
sizeof(*log), NO_POL_ID);
19 bpf_ringbuf_submit(log, 0);
24 struct bpf_map *map,
unsigned int pol_id)
27 log = log_buf(level, reason, EVENT_TYPE_BPF_MAP,
sizeof(*log), pol_id);
30 BPF_CORE_READ_STR_INTO(&log->
name, map,
name);
31 bpf_ringbuf_submit(log, 0);
35static inline void log_kernel_module_request(
enum LogLevel level,
37 const unsigned char *kmod_name)
40 log = log_buf(level, reason, EVENT_TYPE_KERNEL_MODULE_REQUEST,
sizeof(*log),
44 bpf_ringbuf_submit(log, 0);
49 struct task_struct *t,
int signum,
53 log = log_buf(level, reason, EVENT_TYPE_TASK_KILL,
sizeof(*log), pol_id);
58 bpf_ringbuf_submit(log, 0);
62static inline void log_kernel_read_file(
enum LogLevel level,
64 const unsigned char *filename)
67 log = log_buf(level, reason, EVENT_TYPE_KERNEL_READ_FILE,
sizeof(*log),
72 bpf_ringbuf_submit(log, 0);
76static inline void log_kernel_load_data(
enum LogLevel level,
80 log = log_buf(level, reason, EVENT_TYPE_KERNEL_LOAD_DATA,
sizeof(*log),
84 bpf_ringbuf_submit(log, 0);
88static inline void log_ptrace_access_check(
enum LogLevel level,
90 struct task_struct *tracee, u32 mode,
94 log = log_buf(level, reason, EVENT_TYPE_PTRACE_ACCESS_CHECK,
sizeof(*log),
101 bpf_ringbuf_submit(log, 0);
107 const unsigned char *file_name,
111 log = log_buf(level, reason, EVENT_TYPE_FILE_ACCESS,
sizeof(*log), pol_id);
114 bpf_probe_read_str(log->
name,
sizeof(log->
name), file_name);
115 bpf_ringbuf_submit(log, 0);
LogReason
Standard reasons as to why a log is being output.
Definition logging_types.h:36
InodeAction
Identifies a type of action taken on an inode.
Definition logging_types.h:71
LogLevel
Standard log levels indicating the severity of the message.
Definition logging_types.h:21
Log for a eBPF map access via a bpf() syscall.
Definition logging_types.h:124
unsigned char name[MAX_STR_LEN]
the name of the map
Definition logging_types.h:128
unsigned int map_id
id number of eBPF map being accessed
Definition logging_types.h:130
Log for various events that access a dentry or and inode(file_open, inode_permission)
Definition logging_types.h:186
unsigned int action
the action being taken on the inode, alias for InodeAction
Definition logging_types.h:190
unsigned char name[MAX_STR_LEN]
the first 128 characters of file name, if known
Definition logging_types.h:192
Log for a kernel_load_data() LSM hook event.
Definition logging_types.h:165
unsigned int id
the type of data being loaded into the kernel
Definition logging_types.h:170
Log for a kernel_module_request() LSM hook event.
Definition logging_types.h:146
unsigned char kmod_name[MODULE_NAME_LEN]
the name of the kernel module being requested to load
Definition logging_types.h:150
Log for a kernel_read_file() LSM hook event.
Definition logging_types.h:154
unsigned int id
the type of data being loaded into the kernel
Definition logging_types.h:159
unsigned char filename[MAX_STR_LEN]
the name of the file being loaded
Definition logging_types.h:161
Log for a ptrace_access_check() LSM hook event.
Definition logging_types.h:174
unsigned char target_comm[COMM_LEN]
same as /proc/{pid}/comm for traced process
Definition logging_types.h:182
int target_pid
The process ID to be traced.
Definition logging_types.h:178
unsigned int mode
The ptrace mode used.
Definition logging_types.h:180
Log a sb_umount() syscall.
Definition logging_types.h:116
unsigned long target_dev
device number of the superblock being unmounted
Definition logging_types.h:120
Log a task_kill() LSM hook event.
Definition logging_types.h:134
int target_pid
process id of the PID receiving the signal
Definition logging_types.h:140
int signum
id of the signal being sent
Definition logging_types.h:142
unsigned char target_comm[COMM_LEN]
same as /proc/{pid}/comm
Definition logging_types.h:138
