linprov 0.2.13

eBPF mark-of-the-web for Linux: tag network-touched files and enforce who can exec them.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

//! `linprov allow [--once] <token>` — permit a blocked exec by the token
//! from its `BLOCKED-EXEC` / `BLOCKED-SCRIPT` log line, by asking the
//! running daemon (over its control socket) to apply the rule that would
//! have permitted it and reseed the live BPF map.
//!
//! Without `--once` the rule is appended to the allowlist file (permanent).
//! With `--once` it's added to the daemon's in-memory transient set only:
//! active immediately and across SIGHUP reloads, never written to disk, and
//! gone when the daemon restarts.

use std::{
    io::{Read, Write},
    net::Shutdown,
    os::unix::net::UnixStream,
    path::PathBuf,
};

use anyhow::{anyhow, Context, Result};
use clap::Parser;

use crate::config::DEFAULT_CONTROL_SOCKET_PATH;

#[derive(Parser, Debug)]
pub struct AllowArgs {
    /// Token from the `[allow: <token>]` suffix of a `BLOCKED-EXEC` /
    /// `BLOCKED-SCRIPT` log line.
    token: String,

    /// Apply the rule in memory only — active immediately and across SIGHUP
    /// reloads, but NOT written to the allowlist file, so it's gone when the
    /// daemon restarts.
    #[arg(long)]
    once: bool,

    /// Daemon control socket to connect to.
    #[arg(long, default_value = DEFAULT_CONTROL_SOCKET_PATH)]
    socket: PathBuf,
}

pub fn run(args: AllowArgs) -> Result<()> {
    let mut stream = UnixStream::connect(&args.socket).with_context(|| {
        format!(
            "connecting to the linprov control socket at {} \
             (is the daemon running? are you root?)",
            args.socket.display()
        )
    })?;

    let verb = if args.once { "once" } else { "allow" };
    stream
        .write_all(format!("{verb} {}\n", args.token).as_bytes())
        .context("sending request")?;
    // Half-close the write side so the daemon's single read returns.
    stream.shutdown(Shutdown::Write).ok();

    let mut reply = String::new();
    stream
        .read_to_string(&mut reply)
        .context("reading reply from daemon")?;
    let reply = reply.trim();

    if let Some(rule) = reply.strip_prefix("OK ") {
        let how = if args.once {
            "in memory (transient — gone on daemon restart)"
        } else {
            "persisted to the allowlist"
        };
        println!("allowed, {how}:\n  {rule}");
        Ok(())
    } else if let Some(msg) = reply.strip_prefix("ERR ") {
        Err(anyhow!("daemon rejected the request: {msg}"))
    } else {
        Err(anyhow!("unexpected reply from daemon: {reply:?}"))
    }
}