base on Rust library for writing Linux security policies using eBPF 
[](https://github.com/deepfence/ebpfguard/blob/master/LICENSE)
[](https://github.com/deepfence/ebpfguard/stargazers)
[](https://github.com/deepfence/ebpfguard/actions?query=workflow)
[](https://github.com/deepfence/ebpfguard/issues)
[](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ)
<h3 align="center">
<a
href="https://runacap.com/ross-index/annual-2022/"
target="_blank"
rel="noopener"
>
<img
style="width: 260px; height: 56px"
src="https://runacap.com/wp-content/uploads/2023/02/Annual_ROSS_badge_black_2022.svg"
alt="ROSS Index - Fastest Growing Open-Source Startups | Runa Capital"
width="260"
height="56"
/>
</a>
</h3>
# Ebpfguard
**Ebpfguard** is a library for managing Linux security policies. It is based on
[LSM hooks](https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html),
but without necessity to write any kernel modules or eBPF programs directly.
It allows to write policies in Rust (or YAML) in user space.
It's based on eBPF and [Aya](https://aya-rs.dev) library, but takes away
the need to use them directly.
## Usage example
Deny mount operation for all users.
```rust
const BPF_MAPS_PATH: &str = "/sys/fs/bpf/example_sb_mount";
// Create a directory where ebpfguard policy manager can store its BPF
// objects (maps).
std::fs::create_dir_all(BPF_MAPS_PATH)?;
// Create a policy manager.
let mut policy_manager = PolicyManager::new(BPF_MAPS_PATH)?;
// Attach the policy manager to the mount LSM hook.
let mut sb_mount = policy_manager.attach_sb_mount()?;
// Get the receiver end of the alerts channel (for the `file_open` LSM
// hook).
let mut sb_mount_rx = sb_mount.alerts().await?;
// Define policies which deny mount operations for all processes (except
// for the specified subject, if defined).
sb_mount
.add_policy(SbMount {
subject: PolicySubject::All,
allow: false,
})
.await?;
if let Some(alert) = sb_mount_rx.recv().await {
info!(
"sb_mount alert: pid={} subject={}",
alert.pid, alert.subject
);
}
```
Imports and cargo file are available in [example source code](examples/readme_mount).
For more check out [examples doc](docs/gh/examples.md).
## Supported LSM hooks
LSM hooks supported by Ebpfguard are:
* [`bprm_check_security`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L62)
* [`file_open`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L620)
* [`sb_mount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L128)
* [`sb_remount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L147)
* [`sb_umount`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L159)
* [`socket_bind`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L904)
* [`socket_connect`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L912)
* [`task_fix_setuid`](https://elixir.bootlin.com/linux/v6.2.12/source/include/linux/lsm_hooks.h#L709)
## Prerequisites
Check [prerequisites doc](docs/gh/prerequisites.md) to set up your environment.
## Development
Check [development doc](docs/gh/development.md) for compillation and testing commands.
## Get in touch
Thank you for using Ebpfguard. Please feel welcome to participate in the [Deepfence community](docs/gh/community.md).
* [Deepfence Community Website](https://community.deepfence.io)
* [<img src="https://img.shields.io/badge/
[email protected]?logo=slack">](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ) Got a question, need some help? Find the Deepfence team on Slack
* [](https://github.com/deepfence/ebpfguard/issues) Got a feature request or found a bug? Raise an issue
<!-- * [](https://community.deepfence.io/docs/gh/ebpfguard/) Read the documentation in the [Deepfence Ebpfguard Documentation](https://community.deepfence.io/docs/gh/ebpfguard/) -->
<!-- * [productsecurity at deepfence dot io](SECURITY.md): Found a security issue? Share it in confidence -->
* Find out more at [deepfence.io](https://deepfence.io/)
## License
Ebpfguard's userspace part is licensed under
[Apache License, version 2.0](https://github.com/deepfence/ebpfguard/blob/main/LICENSE).
eBPF programs inside ebpfguard-ebpf directory are licensed under
[GNU General Public License, version 2](https://github.com/deepfence/ebpfguard/blob/main/ebpfguard-ebpf/LICENSE).
", Assign "at most 3 tags" to the expected json: {"id":"715","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"