Challenge 2: Seccomp
====================

You downloaded an executable named "malicious" from the internet. You suspect that it might be malicious, but you're not sure. You have heard very bad things about ransomware and you want to make sure that the executable can't encrypt your files. Therefore, you decide to develop an eBPF program that prevents the "malicious" executable from opening any file!

Description
-----------

The executable "malicious" indeed tries to write to a file in the current directory and replace its content with the string "I'm a malicious program!". Your objective is to develop an eBPF program that prevents any process whose name is "malicious" from opening any file. You will use the eunomia-bpf framework.

This does not seem very hard at first, but preventing a process from opening a file is actually not something that can be done with eBPF by default. To achieve this, you will have to use the eBPF LSM (Linux Security Modules) mechanism. This challenge requires you to research by yourself how to use the eBPF LSM mechanism to prevent a process from opening a file.

.. tip:: Check out the "Important Resources" section of tutorial 3 for some useful links.

Setup
-----

Download the files for this challenge using:

.. code-block:: bash

   $ wget --no-check-certificate https://people.montefiore.uliege.be/~gain/courses/info0940/asset/seccomp.tar.gz
   $ tar -xzvf seccomp.tar.gz

The malicious program is located in ``seccomp/malicious``. The file that is going to be overwritten is the "very_important_file" file. You can compile the malicious program using the Makefile provided (simply run ``make`` within the ``malicious`` directory). Then you can run it:

.. code-block:: bash

   $ ./malicious

The file "very_important_file" will be overwritten with the string "I'm a malicious program!".

Inside ``seccomp/src``, you will find the same template as in tutorial 3. Use it to implement the eBPF program that prevents the "malicious" program from opening any file.

What you need to do
-------------------

You are expected to implement an eBPF program that detects when a process named "malicious" attempts to open a file. If detected, the eBPF program should block the operation, preventing the file from being opened by the process. Be careful: you should not **kill** the process, but simply deny the call to open the file (i.e., when executing ``FILE *file = fopen("malicious.txt", "w");``, the call to ``fopen`` should return ``NULL``).

This is what it will look like when you run the "malicious" program with your eBPF program loaded:

.. code-block:: none

   $ ./malicious
   Error opening file: Operation not permitted

The solution to this challenge should be quite small as well, but it will be a little bit more complex than the first one.

.. important:: The VM on which your code will be tested will have LSM enabled.