Releases: mrtc0/bouheki
v0.0.10
v0.0.9
Changelog
- 32e735a Merge pull request #24 from mrtc0/dnsproxy
- 8cc77f8 Merge pull request #25 from mrtc0/not-use-resolvconf
- 1a3d0e5 chore: add dns_proxy configuration to sample config
- 7c00480 chore: add launch message
- 99b4686 chore: bump up
- ca3ccb9 chore: change sample
- a337260 feat: Remove the responsibility to modify resolv.conf
- f510972 feat: [WIP] add DNS Proxy
- bccbef7 feat: [WIP] overwrite resolv.conf
- 7a2dd31 feat: impl dns cache and log
- c60fb3d feat: refactor
- 0d727fd feat: validate config
- 8df7930 fix: Iterate all DNS servers in case name resolution fails
- 23ea6fa fix: error handling
- 734e6a1 fix: error handling
- 33186bd fix: if DNS Proxy fails to start, terminated
- bb61b37 refactor: move name resolution methods
- 625a8ec refactor: remove debug log
v0.0.8
v0.0.7
[0.0.7] 2022-03-27
Added
Support for labels in log
Logs can contain arbitrary labels in key/value format.
For example:
log:
  labels:
    environment: production
    role: app
{
  "Action": "BLOCKED",
  "Addr": "52.219.1.53",
  "Comm": "curl",
  ...
  "environment": "production",
  "role": "app",
  "time": "2022-03-27T13:33:17Z"
}
Fix
TTL-based name resolution instead of periodically #18
Workarounds for #17.
Context logger
Log context was not set correctly.
Changelog
v0.0.6
v0.0.5
[0.0.5] 2022-03-18
Added
Support for mount restrictions #10
Added new restriction for mount event. This prevents file mounts such as /var/run/docker.sock.
mount:
  mode: block
  target: host
  deny:
    - /var/run/docker.sock
Added option to disable restrictions
network:
  enable: true
  ...
files:
  enable: false # File access restrictions do not apply
Changelog
- 872bab4 Merge pull request #10 from mrtc0/restrict-mount
- e58b90d chore(CI): add dependabot config
- 3129dff chore(CI): add scorecard-action
- 5303056 chore(CI): set permissions
- 1e2082e chore(CI): update permissions
- fec3499 chore(CI): update permissions
- c9f65a8 chore(config): update sample
- 3c63e25 chore: bump up v0.0.5
- 429bfdc chore: fix comment
- 4551fe8 chore: fix sample config
- cb4b5fa chore: update CHANGELOG
- fa1a11c chore: update TODO
- 2510d37 docs(mount): update
- 0510ce0 docs(mount): update
- 61028cf feat(config): Added option to disable restrictions
- 66fbb5a feat(mount): add mode and target config
- ecd236a feat(mount): add mode and target filter in ebpf program
- 3218bd8 feat(mount): audit mount
- fcbf33a feat(mount): mount event output to perf buffer
- a7f7c4e feat(mount): restrict mount worked
- d70ad29 fix(mount): remove redeclare variable
- c110548 test(fileaccess): fix
- 8addfa8 test(mount): restrict mount test
- d6e9124 test(mount): test for audit
v0.0.4
Added
Support for restrictions by domain name #5
Restrictions by domain name are now possible.
Since it is difficult to hook domain name resolution in eBPF, we will resolve it in the userspace program.
Periodically perform name resolution in the userspace programs to update the eBPF Map.
This will support the following settings:
network:
  mode: block
  target: host
  cidr:
    allow:
      - 0.0.0.0/0
    deny: []
  domain:
    deny:
      # Connection to example.com will be blocked
      - example.com
This is an initiative by GMO Pepabo, Inc. through its internship program for students.
Thanks @n01e0
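The resolve-and-update step described above, as an added Go example that is not bouheki's own code: it re-resolves a denied domain, adds new host prefixes, and removes stale ones without dropping an address another denied domain still resolves to. `Resolver`, `DenyMap` and `Refresh` are hypothetical names, the Go map stands in for the eBPF map, and the next lookup is scheduled from the record TTL (as in the v0.0.7 note) with an assumed minimum floor.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Resolver is a hypothetical stub-able lookup returning addresses and record TTL.
type Resolver func(domain string) ([]netip.Addr, time.Duration, error)

// DenyMap stands in for the eBPF map: host prefix -> domains that resolve to it.
type DenyMap map[netip.Prefix]map[string]bool

// Refresh re-resolves domain, syncs its keys in m, and returns the next lookup time.
func Refresh(m DenyMap, r Resolver, domain string, now time.Time, floor time.Duration) (added, removed int, next time.Time, err error) {
	addrs, ttl, err := r(domain)
	if err != nil {
		return 0, 0, now.Add(floor), err // keep the old entries, retry soon
	}
	fresh := map[netip.Prefix]bool{}
	for _, a := range addrs {
		a = a.Unmap() // ::ffff:a.b.c.d is keyed as IPv4
		p := netip.PrefixFrom(a, a.BitLen())
		fresh[p] = true
		if m[p] == nil {
			m[p] = map[string]bool{}
			added++
		}
		m[p][domain] = true
	}
	for p, owners := range m {
		if owners[domain] && !fresh[p] {
			delete(owners, domain)
			if len(owners) == 0 { // shared addresses stay while another domain needs them
				delete(m, p)
				removed++
			}
		}
	}
	if ttl < floor {
		ttl = floor // a TTL of 0 must not turn into a tight resolve loop
	}
	return added, removed, now.Add(ttl), nil
}

func main() { // constructed answer using a documentation address
	stub := func(string) ([]netip.Addr, time.Duration, error) {
		return []netip.Addr{netip.MustParseAddr("192.0.2.10")}, 30 * time.Second, nil
	}
	fmt.Println(Refresh(DenyMap{}, stub, "example.com", time.Unix(0, 0), 5*time.Second))
}
```

Between two refreshes the map can lag behind the address a client actually receives, so the refresh schedule bounds how long a rotated address stays unblocked.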
Support for file access restrictions #6
File open can now be restricted by attaching lsm/open.
For example, access to /etc/passwd and /etc/test can be disabled with the following configuration:
network:
  mode: block
  target: host
  cidr:
    allow:
      - 0.0.0.0/0
files:
  mode: block
  target: container
  allow:
    - '/'
  deny:
    - '/etc/passwd'
    - '/etc/test'
log:
  format: json
Changed
update libbpfgo and static link #9
libbpfgo updated to v0.2.4-libbpf-0.6.1. With this change, libbpf is managed as a submodule.
Also, libbpf is now statically linked.
$ ldd bouheki
linux-vdso.so.1 (0x00007fff9a8ae000)
libelf.so.1 => /lib/x86_64-linux-gnu/libelf.so.1 (0x00007fc5e2761000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fc5e2745000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc5e251d000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc5e2788000)
Changelog
- 5be4ad5 Add CHANGELOG.md
- 8e3642e Add compose file for test
- fd105c5 Add doc
- c1c9783 Add monitor test
- 4b569ac Fix test
- 784382e Fixed a bug v6 addresses were not being restricted.
- c677c97 I forgot about the common.h
- 7ec3817 Make DNS Resolver stub-able for easy testing
- ae7ad10 Merge branch 'master' into DNS_lookup
- f72e94d Merge branch 'master' of ssh://github.com/mrtc0/bouheki
- ffa2f34 Merge pull request #1 from n01e0/master
- 87295bf Merge pull request #2 from mrtc0/IPv6_support
- c42eacc Merge pull request #3 from mrtc0/replace-bpf_core_read
- 71cccf5 Merge pull request #4 from mrtc0/install_gotestsum
- 0df33ef Merge pull request #5 from mrtc0/DNS_lookup
- 2143ab3 Merge pull request #6 from mrtc0/IPv6_support
- b438b68 Merge pull request #7 from mrtc0/restrict-open
- fa827b4 Merge pull request #8 from mrtc0/docs
- 6dcba40 Merge pull request #9 from mrtc0/update-libbpfgo
- 682f994 Replaced bpf_core_read with BPF_CORE_READ_INTO to reduce register consumption
- ce7644d Resolve the domain and update the map
- 23ebcf0 Run the BPF test only if it has an integration tag.
- 4d10ed6 Setup docker ipv6 environment
- ba7d06b TestAuditWithUpdate for domain update test
- a506cc7 Trying to test IPv6...
- 1d116d3 repoet_ipv6_event must set hdr.type to BLOCKED_IPV6
- 5ad37a5 add Domain in config
- dea3755 add clang-format config
- 29f5323 add development document
- 94e25c1 add doc
- 13cc411 add release task
- 278e9ed add testcase for domain update
- 6a119f0 assign Mask
- aa2885a cache needs update
- 0e783e0 chore(CHANGELOG): #7
- 4f91d5e chore(deps): add submodule libbpf
- 6426d8a chore(deps): adjust arguments new API
- cf7ef27 chore(deps): update libbpfgo
- 8f289ee chore(fileaccess): build restricted-file.bpf
- 75a8e40 chore: Dockerize
- 2ea95f1 chore: bump up v0.0.4
- 379040b chore: fix release scripts
- cd285f8 chore: install docker for test
- f8b28de chore: setup git user
- 7418f4e chore: update sample
- c8bf860 chore: use domain
- 386d356 clang-format
- 8fccdea create IPNet
- 251c697 create update func
- 4334e2d define DomainCache
- ccde5ea define in defaultConfig()
- 091975d define interval in config
- 12995d3 do not ignore...
- 915b4e4 draft
- 51ed0de exec needs run
- 1865878 feat(fileaccess): Change behavior based on mode
- 0c32460 feat(fileaccess): Send audit events to user-space via perf buffer
- 4f7c11b feat(fileaccess): Support only container mode
- 0b25c3b feat(fileaccess): impl strlen and strcmp in ebpf program
- 7c1e116 feat(fileaccess): impl userland for hooks to lsm/open
- 673d460 feat(fileaccess): logging event
- 6e7a732 feat(fileaccess): restricted open files
- 082ba3b feat(fileaccess): support block / monitor mode
- b0295b5 feat: fix test
- 9197575 feat: refactor
- fb259fd feat: skip compatibility check
- 4f9ade5 fix
- 2209a3c fix Vagrantfile use -y option
- 6b6b269 fix config for test
- b0fd285 fix enum format
- 88b6b2b fix indent
- 56b6650 fix multi-value
- 20de261 fix sample.yaml
- 6de4325 fix test
- 5910acf fix test
- ec7cc73 fix test
- 7c6f009 fix test cases
- d6b3fcc fix v6 integration test
- 404f3ce fix: In ubuntu impish, the combination of landlock and bpf will cause a kernel panic
- e42c0c7 go fmt
- b8d7790 gofmt
- 5607751 gofmt in CI
- 0829fb6 impl IPv6 event parser
- acd0a79 insert into cache
- e90af96 install gcc-multilib for asm/errno.h
- a85893b install gotestsum for test
- ccbe172 implement ipv(4|6)ToKey
- e09939f key is key
- ddfa761 need call
- 0096ac8 rebase
- f86f9bb refactor
- 58c5bab refactor
- 038185d refactor test
- 622312e refactor(network): for easy handling of logger
- 4aab3ff refactor(network): remove dead code
- 704b7e5 refactor: rename commands -> audit
- be3cba2 refactor: rename config fields
- dcf06fd refactor: rename fileaccess ebpf map
- 2d300d1 refactor: rename map and attach process
- 318f110 refactor: rename methods
- c1e2fe6 refactor: rename methods and move some methods to helpers
- 34f0cda refactor: rename network-restrict ebpf map
- ed8487c refactor: rename old methods name
- e3cb716 refactor: rename structs files
- 20fe419 remove "Not implemented" comment
- c40bd62 remove files
- bf8af62 revert because the deny rule cannot block
- 6f39b8d set default allow ::/0
- aaa7cf6 shouldn't use ping in test
- 892fc82 style(network): format variable define
- 79640f3 style: add test and refactor
- cbc5244 style: format
- db02cc2 style: rename
- 05bcc36 style: rename
- 2069419 style: rename variable names and bpf map names
- b9d2ff6 test(fileaccess): e2e test for audit
- 030ef15 test(fileaccess): e2e test for container mode
- 086ed58 test(fileaccess): fix param
- c5c9da4 test(fileaccess): unit test for manager
- f1985f9 testing block by domain
- 3c7e8cb testing monitor by domain
- b28af81 Implementation that does not use a union. v4 is working for now
- 89c91d1 update
- 4a453bd update LICENSE
- 58bb8c4 update successful
- fb6f115 update ubuntu
- 87daf40 use BPF_CORE_READ
- e70b1d9 use compose for test
- 267bd8c Wrote the C part in a rough working form for now, so committing it as a checkpoint
- a783146 Fixed the sloppy check
v0.0.3
Features
Added support for IPv6. #2
It can monitor and block the communication of specified IPv6 address with the following settings:
network:
  mode: block
  target: host
  cidr:
    allow:
      - 0.0.0.0/0
      - ::/0
    deny:
      - 2001:3984:3989::3/128
log:
  format: json
Thanks @n01e0
Changelog
- 8e3642e Add compose file for test
- b67ca28 Create codeql-analysis.yml
- ffa2f34 Merge pull request #1 from n01e0/master
- 87295bf Merge pull request #2 from mrtc0/IPv6_support
- 4d10ed6 Setup docker ipv6 environment
- a506cc7 Trying to test IPv6...
- 1d116d3 repoet_ipv6_event must set hdr.type to BLOCKED_IPV6
- dea3755 add clang-format config
- 29f5323 add development document
- 13cc411 add release task
- cd285f8 chore: install docker for test
- c8bf860 chore: use domain
- 386d356 clang-format
- 12995d3 do not ignore...
- b0295b5 feat: fix test
- 9197575 feat: refactor
- 4f9ade5 fix
- 2209a3c fix Vagrantfile use -y option
- 01389f8 fix config
- b0fd285 fix enum format
- 404f3ce fix: In ubuntu impish, the combination of landlock and bpf will cause a kernel panic
- 931bfcb format
- b8d7790 gofmt
- 072fe80 ignore destination port 0
- 0829fb6 impl IPv6 event parser
- e90af96 install gcc-multilib for asm/errno.h
- ccbe172 implement ipv(4|6)ToKey
- ebd9e27 logging parent process
- cb68380 logging protocol
- ddfa761 need call
- 58c5bab refactor
- 20fe419 remove "Not implemented" comment
- 79640f3 style: add test and refactor
- cbc5244 style: format
- 05bcc36 style: rename
- db02cc2 style: rename
- 2069419 style: rename variable names and bpf map names
- b28af81 Implementation that does not use a union. v4 is working for now
- fb6f115 update ubuntu
- 87daf40 use BPF_CORE_READ
- e70b1d9 use compose for test
- 267bd8c Wrote the C part in a rough working form for now, so committing it as a checkpoint
- a783146 Fixed the sloppy check
v0.0.2
v0.0.1
Changelog
452a2ac Add test option
c3bb568 Add testify package
9a0a61b Add tests for BPF program
011aa87 Be useful to see in the log whether the connection was actually blocked.
005ce18 Store the size of some config in the map because it cannot be checked from the bpf program.
2aab2d8 Support UID based restriction
1cabbbc Support deny command
0bde187 Support json log format and log rotation
7ac985f add goreleaser
0840e2e change config format
031a47f check user permission before running.
903edea create license
6231275 fix test
1a044bd gid support
def3018 init
3a91cff remove dead code
49115ca rename restrict network policy function
b126538 support allowed_command
57acfb2 update
136db4d update
8ec5bbc update
a7cdf44 update examples