
Add support for LSM hooks

Open lcvw opened this issue 7 months ago • 2 comments

Is your feature request related to a problem? Please describe.

For mocking and testing LSM programs, it would be highly useful to be able to mock logic in bpftrace. In addition, LSM hooks are strategically placed in the kernel at key places which allow for good observability. Frequently the security_* functions are inlined, whereas obviously LSM hooks never are.

Describe the solution you'd like

Bpftrace having an "lsm:" option equivalent to "fentry:" or whatever.

Describe alternative solutions or features you've considered

Using fentry hooks. These are frequently inlined.

lcvw, May 23 '25 14:05

Hi Liam.

High level I'd say the project would prefer to not branch out into non-observability use cases too much. We've got limited development resources and would like to double down and serve our core use cases better (still so much more to do and improve).

That being said, LSM hooks used for observability seem like a natural idea. We already have override() which I bet could be used to implement LSM behavior. If we could somehow repurpose kprobe/fentry probes to handle LSM security_* hooks, I am personally pretty amenable to that. It'd depend on the implementation, though. I'm not very familiar with LSM so maybe that's a bad idea. Other folks might have differing opinions.

Perhaps this is another use case for C interop - LSM probes will get loaded by libbpf which keeps core bpftrace clear of maintenance burden but still lets you interact with maps defined in the C program.

> Using fentry hooks. These are frequently inlined.

Do you have some examples? I'm looking through the security_* hooks in the kernel; most are exported (which would prevent inlining), but some are not, though they are defined in security/security.c (out of line), so I'm assuming LTO inlines them? Would like to double check.

danobi, May 23 '25 17:05
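The question above (which security_* entry points survive as out-of-line, traceable symbols on a given kernel) can be answered on a running system without guessing at LTO behaviour: a hook that was inlined has no symbol in /proc/kallsyms at all, and a hook that has a symbol but is missing from tracefs's available_filter_functions is not attachable by fentry/kprobe. The script below is an added example, not code from the bpftrace project or from anyone in this thread. It parses both file formats; the sample lines and the list of expected hook names are constructed for offline use, and `classify_hooks` is a hypothetical helper name.

```python
"""Classify security_* LSM entry points by whether fentry/kprobe can see them.

Added example (not bpftrace project code). Reads the formats of
/proc/kallsyms ("addr type name [module]") and
/sys/kernel/tracing/available_filter_functions ("name [module]").
All sample data below is constructed.
"""
import re
from pathlib import Path

# Constructed /proc/kallsyms excerpt. 'T'/'t' are text symbols; an inlined
# function simply has no line here.
SAMPLE_KALLSYMS = """\
ffffffff81401000 T security_file_open
ffffffff81401200 T security_bprm_check
ffffffff81401400 t security_inode_permission
ffffffff81401600 T security_socket_connect
ffffffff81401800 T do_sys_open
0000000000000000 D some_data_symbol
"""

# Constructed available_filter_functions excerpt. Only names listed here
# are accepted by ftrace and therefore by fentry/kprobe attachment.
SAMPLE_FTRACE = """\
security_file_open
security_bprm_check
security_socket_connect
do_sys_open
"""

# Constructed list of hooks we want to trace (e.g. the ones a tool relies on).
EXPECTED_HOOKS = [
    "security_file_open",
    "security_inode_permission",
    "security_task_alloc",
]

# addr may be all zeros when kptr_restrict hides it; the name is still usable.
KALLSYMS_RE = re.compile(r"^([0-9a-f]+)\s+([A-Za-z])\s+(\S+)(?:\s+\[(\S+)\])?$")


def parse_kallsyms(text):
    """Return {name: symbol_type} for text (code) symbols only."""
    syms = {}
    for line in text.splitlines():
        m = KALLSYMS_RE.match(line.strip())
        if m and m.group(2) in ("T", "t"):
            syms[m.group(3)] = m.group(2)
    return syms


def parse_ftrace_functions(text):
    """Return the set of function names ftrace will accept as a filter."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            names.add(line.split()[0])  # drop any trailing "[module]"
    return names


def classify_hooks(kallsyms_text, ftrace_text, expected):
    """Map each expected hook to 'traceable', 'present-but-not-traceable'
    (symbol exists but ftrace refuses it, e.g. notrace), or 'absent'
    (no symbol: inlined, LTO-folded, or not built into this kernel)."""
    syms = parse_kallsyms(kallsyms_text)
    traceable = parse_ftrace_functions(ftrace_text)
    result = {}
    for name in expected:
        if name not in syms:
            result[name] = "absent"
        elif name not in traceable:
            result[name] = "present-but-not-traceable"
        else:
            result[name] = "traceable"
    return result


def classify_live_system(expected, prefix="security_"):
    """Same check against the real files; needs tracefs read access."""
    kallsyms = Path("/proc/kallsyms").read_text()
    ftrace = Path("/sys/kernel/tracing/available_filter_functions").read_text()
    # Default to every security_* text symbol present if no list was given.
    hooks = expected or sorted(n for n in parse_kallsyms(kallsyms) if n.startswith(prefix))
    return classify_hooks(kallsyms, ftrace, hooks)


if __name__ == "__main__":
    for hook, status in classify_hooks(SAMPLE_KALLSYMS, SAMPLE_FTRACE, EXPECTED_HOOKS).items():
        print(f"{hook:32} {status}")
```

On a real host, `classify_live_system([])` walks every security_* text symbol; hooks reported as "absent" are the ones the thread is worried about, since neither fentry nor kprobe has anything to attach to, while "present-but-not-traceable" points at ftrace exclusions rather than inlining.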

We've also got inline tracing in the pipeline (https://lore.kernel.org/bpf/[email protected]/), so that ought to shore up the security_* hooks. In fact, that would be a great class of functions to ensure are traceable with the inline work.

danobi, May 23 '25 17:05