Add proposal for adding a listen hook #4761
Signed-off-by: Alan Jowett <alan.jowett@microsoft.com>
keith-horton left a comment:
Initial feedback
I'll observe that this PR passed all checks but the check should have posted a warning in a comment. Specifically,

> - **LSM hooks**: Linux Security Module hooks for socket operations
>
> However, these approaches have limitations:
> - Linux hooks operate at different abstraction levels than Windows WFP
Can you elaborate on this? Maybe just give an example?
> However, these approaches have limitations:
> - Linux hooks operate at different abstraction levels than Windows WFP
> - Different network stack architecture between Linux and Windows
> - Linux cgroup model doesn't directly map to Windows process/session model
That didn't stop us from using BPF_PROG_TYPE_CGROUP_SOCK_ADDR or BPF_PROG_TYPE_CGROUP_SOCK_OPS.
> However, these approaches have limitations:
> - Linux hooks operate at different abstraction levels than Windows WFP
> - Different network stack architecture between Linux and Windows
As phrased this seems to be an internal implementation detail. Can you rephrase into something that is API-visible?
> - Linux hooks operate at different abstraction levels than Windows WFP
> - Different network stack architecture between Linux and Windows
> - Linux cgroup model doesn't directly map to Windows process/session model
> - WFP provides more granular control and integration with Windows security model
This seems vague. Can you elaborate here on why you can't use the Linux progtype, say with additional helper functions? E.g., is the set of return values necessarily different from the program compared to what the Linux progtypes have?
Description
This PR introduces a comprehensive design document for eBPF for Windows Listen Hook functionality, which enables intercepting and controlling socket listen operations through the Windows Filtering Platform (WFP) ALE Authorization Listen layers. The proposal defines a new BPF_PROG_TYPE_SOCK_LISTEN program type with IPv4 and IPv6 attach types (BPF_CGROUP_INET4_LISTEN and BPF_CGROUP_INET6_LISTEN), complete with unique GUID identifiers for Windows integration. The hook provides access to comprehensive socket and process information through a dedicated bpf_sock_addr_listen_t context structure and helper functions, enabling security solutions to implement port access control, process whitelisting, network monitoring, and resource management policies. The design integrates seamlessly with existing eBPF for Windows infrastructure while leveraging WFP's granular control capabilities, offering verdict-based control (reject, proceed soft/hard) over listen operations with minimal performance impact, making it suitable for enterprise security products and network monitoring solutions.
Testing
N/A
Documentation
Yes
Installation
N/A
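The verdict model the proposal describes (reject, proceed soft, proceed hard) applied to port access control and process allow-listing, as an added illustration that is not code from this PR or from eBPF for Windows. The context struct `listen_ctx_t`, its field names, the verdict enum values, the rule chaining semantics (modelled on WFP's hard/soft permit: reject and hard proceed are final, soft proceed can be overridden by a later rule) and the sample PIDs and ports are all assumptions constructed for the example, not the proposal's `bpf_sock_addr_listen_t`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the proposed bpf_sock_addr_listen_t; field names are assumptions. */
typedef struct {
    uint16_t family;     /* assumed AF_INET (2) or AF_INET6 (23) as on Windows */
    uint16_t port;       /* local port the socket is about to listen on, host byte order */
    uint64_t process_id; /* PID of the process calling listen() */
} listen_ctx_t;

/* Verdicts named in the proposal; numeric values and names are assumptions. */
enum listen_verdict { VERDICT_REJECT = 0, VERDICT_PROCEED_SOFT = 1, VERDICT_PROCEED_HARD = 2 };

typedef enum listen_verdict (*listen_rule_fn)(const listen_ctx_t *ctx);

/* Rule 1: only allow-listed PIDs may listen on privileged ports (< 1024).
 * A hard proceed for an allow-listed PID means no later rule can revoke it. */
static enum listen_verdict rule_privileged_ports(const listen_ctx_t *ctx) {
    static const uint64_t allowed_pids[] = { 4, 1234 }; /* constructed sample allow list */
    if (ctx->port >= 1024)
        return VERDICT_PROCEED_SOFT; /* no opinion, let later rules decide */
    for (size_t i = 0; i < sizeof allowed_pids / sizeof allowed_pids[0]; i++)
        if (ctx->process_id == allowed_pids[i])
            return VERDICT_PROCEED_HARD;
    return VERDICT_REJECT;
}

/* Rule 2: a port the defender never wants listening on this host, any process. */
static enum listen_verdict rule_blocked_ports(const listen_ctx_t *ctx) {
    return ctx->port == 9999 ? VERDICT_REJECT : VERDICT_PROCEED_SOFT; /* constructed value */
}

/* Evaluate rules in order: REJECT and PROCEED_HARD stop the chain, PROCEED_SOFT continues.
 * Default when every rule is soft is PROCEED_SOFT (allow, but overridable downstream). */
enum listen_verdict evaluate_listen(const listen_ctx_t *ctx) {
    static const listen_rule_fn rules[] = { rule_privileged_ports, rule_blocked_ports };
    enum listen_verdict verdict = VERDICT_PROCEED_SOFT;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        verdict = rules[i](ctx);
        if (verdict != VERDICT_PROCEED_SOFT)
            break;
    }
    return verdict;
}

/* Convenience entry point: build a context from plain values and evaluate it. */
enum listen_verdict check_listen(uint16_t family, uint16_t port, uint64_t pid) {
    listen_ctx_t ctx = { family, port, pid };
    return evaluate_listen(&ctx);
}
```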