Dawid Macek

Tag - eBPF - Dawid Macek

eBPF

2025

eBPF Policy Enforcement: Marrying Rust, kfuncs and regexes

eBPF offers unparalleled observability into the Linux kernel. Mechanisms such as LSM probes, bpf_override_return and bpf_send_signal extend it beyond pure visibility, giving it the power to act as a policy enforcer. However, building sophisticated policies in eBPF is challenging because of the constraints imposed by the verifier, which make complex matching logic hard to implement. In this post, I’ll explore a generic approach to bridging that gap by bringing the Rust regex library directly into the eBPF context.

eBPF + LSM: Synchronous execution prevention

LSM (Linux Security Modules) hooks offer a way to synchronously intercept certain actions taking place in the Linux kernel, a capability widely adopted by security products. Since Linux 5.7, these hooks have been available as eBPF attach points. Let’s explore a simple use case: blocking the execution of pre-configured executables stored on the filesystem.