From cd7c095054adab0b718b995418f75944a6c97a03 Mon Sep 17 00:00:00 2001 From: Alan Wandke Date: Thu, 30 Oct 2025 14:52:29 +0000 Subject: [PATCH 1/9] docs: update README with links to github pages Signed-off-by: Alan Wandke --- README.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index bf5a4177..0840449d 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ or subvert security controls implemented in eBPF. For an overview, see our [presentation about SeaBee](https://www.youtube.com/watch?v=4bWpTKK7Mlw) from the 2025 Linux Security Summit NA -To try out SeaBee, see [Getting Started with SeaBee](./docs/docs/getting_started.md). Then try our [tutorial](./docs/docs/tutorial.md). +To try out SeaBee, see [Getting Started with SeaBee](https://code.nsa.gov/seabee/getting_started/). Then try our [tutorial](https://code.nsa.gov/seabee/tutorial/). Don't hesitate to create an issue or a PR. See [CONTRIBUTING.md](./CONTRIBUTING.md) @@ -28,9 +28,9 @@ The different elements of SeaBee are highlighted in blue. The other elements show how users interact with SeaBee and how other processes interact with SeaBee. -- `seabeectl` is a command line interface for SeaBee. See [`seabeectl` docs](./docs/docs/seabeectl.md) -- The SeaBee userspace manages loading eBPF, tracking [policy](./docs/docs/policy.md) updates, -and [logging](./docs/docs/logging.md). +- `seabeectl` is a command line interface for SeaBee. See [`seabeectl` docs](https://code.nsa.gov/seabee/seabeectl/) +- The SeaBee userspace manages loading eBPF, tracking [policy](https://code.nsa.gov/seabee/policy/) updates, +and [logging](https://code.nsa.gov/seabee/logging/). - eBPF maps are used to store SeaBee policy in the kernel - eBPF LSM programs are used to enforce SeaBee policies on processes when they take a particular action that SeaBee cares about. 
@@ -44,14 +44,12 @@ Examples include accessing eBPF maps or files associated with a SeaBee policy. ## Documentation -Documentation is found under `docs/docs/` +Documentation is found under `docs/docs/` and is hosted at [code.nsa.gov/seabee](https://code.nsa.gov/seabee). -- To build the documentation: - - Reload the shell `source ~/.bashrc` - - `make docs` and then `make -C docs build` -- To view the documentation in a browser: `make -C docs serve-build` +To build and view the documentation locally in a browser: -TODO: move docs to github pages +- `make update` +- `make -C docs serve-build` ## Disclaimer of Endorsement From 72e575281bb719a3edce868adeb2c6e051a8ee4e Mon Sep 17 00:00:00 2001 From: Alan Wandke Date: Thu, 30 Oct 2025 15:22:04 +0000 Subject: [PATCH 2/9] docs: add metadata to Cargo.toml Signed-off-by: Alan Wandke --- Cargo.toml | 3 +++ bpf/Cargo.toml | 3 +++ seabee/Cargo.toml | 3 +++ tests/Cargo.toml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/Cargo.toml b/Cargo.toml index a63883a5..b5d3f54b 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -25,3 +25,6 @@ license = "Apache-2.0" readme = "README.md" rust-version = "1.79" version = "1.1.0" +repository = "https://github.com/NationalSecurityAgency/seabee" +homepage = "https://code.nsa.gov/seabee/" +description = "Hardens eBPF tools against privileged attackers via policy-based access controls" diff --git a/bpf/Cargo.toml b/bpf/Cargo.toml index 90cf402a..384def29 100644 --- a/bpf/Cargo.toml +++ b/bpf/Cargo.toml @@ -5,6 +5,9 @@ license.workspace = true readme.workspace = true rust-version.workspace = true version.workspace = true +description.workspace = true +repository.workspace = true +homepage.workspace = true [dependencies] anyhow.workspace = true diff --git a/seabee/Cargo.toml b/seabee/Cargo.toml index f7000c7d..18f95268 100644 --- a/seabee/Cargo.toml +++ b/seabee/Cargo.toml 
@@ -5,6 +5,9 @@ license.workspace = true readme.workspace = true rust-version.workspace = true version.workspace = true +description.workspace = true +repository.workspace = true +homepage.workspace = true [dependencies] anyhow.workspace = true diff --git a/tests/Cargo.toml b/tests/Cargo.toml index 48b2345e..5d2683b9 100644 --- a/tests/Cargo.toml +++ b/tests/Cargo.toml @@ -5,6 +5,9 @@ license.workspace = true readme.workspace = true rust-version.workspace = true version.workspace = true +description.workspace = true +repository.workspace = true +homepage.workspace = true [dependencies] anyhow.workspace = true From 54c044b9dadc969defaea125a75696350b9bd0eb Mon Sep 17 00:00:00 2001 From: Alan Wandke Date: Thu, 30 Oct 2025 19:00:14 +0000 Subject: [PATCH 3/9] release version 1.2.0 Signed-off-by: Alan Wandke --- Cargo.lock | 6 +++--- Cargo.toml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0563392b..d675321b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -122,7 +122,7 @@ checksum = "5c8214115b7bf84099f1309324e63141d4c5d7cc26862f97a0a857dbefe165bd" [[package]] name = "bpf" -version = "1.1.0" +version = "1.2.0" dependencies = [ "anyhow", "bindgen", @@ -1071,7 +1071,7 @@ dependencies = [ [[package]] name = "seabee" -version = "1.1.0" +version = "1.2.0" dependencies = [ "anyhow", "bpf", @@ -1294,7 +1294,7 @@ dependencies = [ [[package]] name = "tests" -version = "1.1.0" +version = "1.2.0" dependencies = [ "anyhow", "bpf", diff --git a/Cargo.toml b/Cargo.toml index b5d3f54b..1b3234b7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -24,7 +24,7 @@ edition = "2021" license = "Apache-2.0" readme = "README.md" rust-version = "1.79" -version = "1.1.0" +version = "1.2.0" repository = "https://github.com/NationalSecurityAgency/seabee" homepage = "https://code.nsa.gov/seabee/" description = "Hardens eBPF tools against privileged attackers via policy-based access controls" 
From d37f9819d16722c7fcf28e7c2667bed6415d3140 Mon Sep 17 00:00:00 2001
From: Alan Wandke
Date: Thu, 30 Oct 2025 21:03:10 +0000
Subject: [PATCH 4/9] install: add install scripts for seabee releases
Signed-off-by: Alan Wandke
---
install/install.sh | 43 ++++++++++++++++++++++++++++++++++++++++
install/journald.service | 2 +-
install/stdout.service | 2 +-
install/uninstall.sh | 9 +++++++++
4 files changed, 54 insertions(+), 2 deletions(-)
create mode 100755 install/install.sh
create mode 100755 install/uninstall.sh
diff --git a/install/install.sh b/install/install.sh
new file mode 100755
index 00000000..a68a374c
--- /dev/null
+++ b/install/install.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO="nationalsecurityagency/seabee"
+BIN_DIR="/usr/sbin"
+SERVICE_PATH="/etc/systemd/system/seabee.service"
+TAG="v1.2.0" #TODO: update when the new version is released
+
+# Check if exactly one argument is provided
+if [ "$#" -ne 1 ]; then
+ echo "Usage: $0 {ubuntu-24|fedora-43|rocky-9}"
+ exit 1
+fi
+
+# Allowed values
+ARG="$1"
+case "$ARG" in
+ ubuntu-24|fedora-43|rocky-9)
+ ;;
+ *)
+ echo "Invalid argument: $ARG"
+ echo "Allowed values: ubuntu-24, fedora-43, rocky-9"
+ exit 1
+ ;;
+esac
+
+# Get SeaBee file
+echo "Downloading release assets for SeaBee $TAG..."
+curl -fsSL "https://github.com/$REPO/releases/download/$TAG/seabee-$ARG" -o seabee_binary
+curl -fsSLO "https://github.com/$REPO/releases/download/$TAG/seabeectl"
+curl -fsSLO "https://github.com/$REPO/releases/download/$TAG/seabee.service"
+
+echo "Installing binaries..."
+install -m 0755 seabee_binary "$BIN_DIR/seabee"
+install -m 0755 seabeectl "$BIN_DIR/seabeectl"
+
+echo "Installing systemd service..."
+install -m 0644 seabee.service "$SERVICE_PATH"
+systemctl daemon-reload
+
+echo "Seabee has been installed."
+echo "Before running SeaBee, you will need to create and install a SeaBee Root Key."
+echo "See https://code.nsa.gov/seabee/getting_started/ for more information."
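Review bot: The three release assets are installed into `/usr/sbin` and `/etc/systemd/system` as root with no integrity check, so a truncated, swapped or tampered download is installed as-is. They are also written into the caller's current directory under fixed names (`seabee_binary`, `seabeectl`, `seabee.service`), which overwrites whatever already sits at those names and leaves the downloads behind; under sudo in a shared directory that is a root write to a path someone else may control. Downloading into a `mktemp -d` directory and verifying a published checksum before `install` addresses both, and a detached signature checked against a key obtained out of band would be stronger than a checksum served from the same release. The checksum asset name in the sketch is a placeholder, since the page does not show one being published.

```shell
# … unchanged: argument validation …

# Work in a private temp dir instead of the caller's CWD; clean up on exit.
WORK_DIR="$(mktemp -d)"
trap 'rm -rf "$WORK_DIR"' EXIT
cd "$WORK_DIR"

BASE_URL="https://github.com/$REPO/releases/download/$TAG"
echo "Downloading release assets for SeaBee $TAG..."
curl -fsSL "$BASE_URL/seabee-$ARG" -o "seabee-$ARG"
curl -fsSLO "$BASE_URL/seabeectl"
curl -fsSLO "$BASE_URL/seabee.service"
# SHA256SUMS is a placeholder name: the release would have to publish such a file.
curl -fsSLO "$BASE_URL/SHA256SUMS"
sha256sum --check --ignore-missing SHA256SUMS

echo "Installing binaries..."
install -m 0755 "seabee-$ARG" "$BIN_DIR/seabee"
# … unchanged: seabeectl and service installation …
```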
diff --git a/install/journald.service b/install/journald.service index f618767f..aea69cfe 100644 --- a/install/journald.service +++ b/install/journald.service @@ -5,7 +5,7 @@ After=sysinit.target [Service] Type=exec -ExecStart=/usr/bin/seabee +ExecStart=/usr/sbin/seabee StandardOutput=null [Install] diff --git a/install/stdout.service b/install/stdout.service index 001f8886..715fb8e3 100644 --- a/install/stdout.service +++ b/install/stdout.service @@ -5,7 +5,7 @@ After=sysinit.target [Service] Type=exec -ExecStart=/usr/bin/seabee +ExecStart=/usr/sbin/seabee [Install] WantedBy=basic.target diff --git a/install/uninstall.sh b/install/uninstall.sh new file mode 100755 index 00000000..8d01c5df --- /dev/null +++ b/install/uninstall.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +set -euo pipefail + +seabeectl clean all +rm /usr/sbin/seabeectl +rm /usr/sbin/seabee +rm /etc/systemd/system/seabee.service +systemctl daemon-reload +echo "Seabee has been uninstalled." From 88fcb0099aba66629d22868c8e27a6dffaf639a4 Mon Sep 17 00:00:00 2001 From: Alan Wandke Date: Thu, 30 Oct 2025 22:34:14 +0000 Subject: [PATCH 5/9] docs: explain how to install seabee binaries Signed-off-by: Alan Wandke --- docs/docs/getting_started.md | 143 +++++++++++++++++++++++++---------- docs/docs/requirements.md | 4 +- 2 files changed, 106 insertions(+), 41 deletions(-) diff --git a/docs/docs/getting_started.md b/docs/docs/getting_started.md index af9ac764..8cc2d762 100644 --- a/docs/docs/getting_started.md +++ b/docs/docs/getting_started.md 
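Review bot: uninstall.sh deletes `/usr/sbin/seabee` and the unit file without first stopping or disabling `seabee.service`, so a running or enabled daemon can be left behind with its unit gone from disk. Whether `seabeectl clean all` already stops the daemon is not visible here; if it does not, shut it down first (`seabeectl shutdown` or `systemctl disable --now seabee.service`, whichever the project supports). Under `set -e`, a plain `rm` of a file missing from a partial install aborts the script before `systemctl daemon-reload` runs; `rm -f /usr/sbin/seabeectl /usr/sbin/seabee /etc/systemd/system/seabee.service` avoids that.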
@@ -6,38 +6,38 @@ Do all of the following steps in order to make sure SeaBee is correctly installe See the [system requirements](./requirements.md) to check if SeaBee will run in your environment. -## Installing SeaBee +## Installing SeaBee from Source -Since SeaBee is not distributed as a binary, you will have to build it from source. +### Clone the Repository and Install Dependencies On a new system, you may need to install `git` and `make` manually with your package manager -* Clone this repository with `git` -* Change into the directory `cd seabee` -* Install the dependencies with `make update` - * This should take a few minutes to run -* Reload shell `source ~/.bashrc` +- Clone this repository with `git` +- Change into the directory `cd seabee` +- Install the dependencies with `make update` + - This should take a few minutes to run +- Reload shell `source ~/.bashrc` -## Compile SeaBee +### Compile SeaBee -* To compile the debug version: `make all` -* To compile the release version: `make release` +- To compile the debug version: `make all` +- To compile the release version: `make release` Troubleshooting -* `make: cargo: No such file or directory` - * you forgot to `source ~/.bashrc` -* Build errors or missing dependencies - * something probably went wrong in the install script. Try re-running the install script -* [Full Troubleshooting Docs](./troubleshooting.md) +- `make: cargo: No such file or directory` + - you forgot to `source ~/.bashrc` +- Build errors or missing dependencies + - something probably went wrong in the install script. Try re-running the install script +- [Full Troubleshooting Docs](./troubleshooting.md) If errors persist, make an issue on our GitHub. -## Install binaries +### Install binaries -* Use `make install` to install compiled binaries to `/usr/sbin` +Use `make install` to install compiled binaries to `/usr/sbin` -## Create a SeaBee Root Key +### Create a SeaBee Root Key SeaBee requires a root key in order to run. 
If no root key is installed, SeaBee will fail to run. 
@@ -47,49 +47,114 @@ Read more here: [Cryptography in SeaBee](./crypto.md) The following commands require openssl installed on the system, the best way to do that is with your package manager (`apt` or `dnf`) -* Use `make gen-root-key` to generate an encrypted RSA key pair for SeaBee - * In production, it would be better to store the root private key on a separate secure system - * if you are only using SeaBee experimentally, use `make gen-root-key-ci` to generate an unencrypted root key -* Use `make install-root-key` to copy the resulting public key to `/etc/seabee/seabee_root_key.pem` +- Use `make gen-root-key` to generate an encrypted RSA key pair for SeaBee + - In production, it would be better to store the root private key on a separate secure system + - if you are only using SeaBee experimentally, use `make gen-root-key-ci` to generate an unencrypted root key +- Use `make install-root-key` to copy the resulting public key to `/etc/seabee/seabee_root_key.pem` -## Run SeaBee Test Cases to Verify Functionality +### Run SeaBee Test Cases to Verify Functionality Before running tests make you completed -* running `make install` -* creating a root key +- running `make install` +- creating a root key run full test suite: `make test` If the tests fail, see if there is an open GitHub issue regarding that error message. If not, please create one! -## Run SeaBee in Terminal +### Run SeaBee in Terminal -* make sure you've compiled: `make all` -* `sudo target/debug/seabee -s allow` -* You should get an `Error reading from keylist` since you haven't added any keys yet! +- make sure you've compiled: `make all` +- `sudo target/debug/seabee -s allow` +- You should get an `Error reading from keylist` since you haven't added any keys yet! we highly recommend running with options during testing/experimentation to prevent needing to reboot the machine in order to stop the program. 
This may occur because the program is designed to be difficult to remove, even in the presence of a malicious superuser. -* `-s allow` allow killing the program with ctrl+c (sigint) -* `-p allow` allows removing the pinned programs from the bpf filesystem which effectively stops the program. - * remove pins with `sudo rm -r /sys/fs/bpf/seabee` +- `-s allow` allow killing the program with ctrl+c (sigint) +- `-p allow` allows removing the pinned programs from the bpf filesystem which effectively stops the program. + - remove pins with `sudo rm -r /sys/fs/bpf/seabee` -## Run SeaBee as a Daemon +### Run SeaBee as a Daemon -* To launch the daemon with release version: `make run` -* To install the daemon to run on next boot: `make enable` -* can currently be reversed with `sudo systemctl disable seabee.service` +- To launch the daemon with release version: `make run` +- To install the daemon to run on next boot: `make enable` +- can currently be reversed with `sudo systemctl disable seabee.service` To turn off Seabee, see [seabeectl shutdown](./seabeectl.md#seabeectl-shutdown) NOTE: after running the test cases, you can use the `test_seabee` daemon: -* `sudo systemctl start test_seabee` -* `sudo systemctl status test_seabee` -* `sudo systemctl stop test_seabee` +- `sudo systemctl start test_seabee` +- `sudo systemctl status test_seabee` +- `sudo systemctl stop test_seabee` + +## Installing SeaBee from Binary + +### Choose which kernel + +Currently there are 3 precompiled versions of SeaBee. + +- ubuntu 24.04 with kernel `6.8.0-86-generic` +- Rocky 9 with kernel `5.14.0-570.55.1.el9_6.x86_64` +- fedora 43 with kernel `6.17.5-300.fc43.x86_64` + +If you have a similar kernel, for example, RHEL 9, the rocky build may work for you. +Or for fedora 42, the fedora 43 build may work for you. 
+ +Otherwise you should jump to [installing SeaBee from source](#installing-seabee-from-source) + +### Run install script + +Use the install script to download and install the appropriate binary for your system: + +```bash +wget https://raw.githubusercontent.com/nationalsecurityagency/seabee/main/install/install.sh +chmod +x install.sh +sudo ./install.sh # needs an agrument: one of "ubuntu-24", "rocky-9", "fedora-43" +``` + +### Install a root key + +SeaBee needs a root key to run. +See [crypto docs](./crypto.md) for more. + +create private rsa key: `openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out rsa-private-key.pem` + +create corresponding public rsa key: `openssl pkey -in rsa-private-key.pem -out rsa-public-key.pem -pubout` + +Install the public key: + +```shell +sudo mkdir /etc/seabee +sudo cp rsa-public-key.pem /etc/seabee/seabee_root_key.pem +``` + +### Install a SeaBee config + +SeaBee has a secure default configuration, +but for testing we are going to enable ctrl+c to easily +kill seabee. +See [config docs](./config.md) for more about seabee configuration. + +Create a config to enable ctrl+c for testing: `echo "sigint: true" > config.yaml` + +Install config: `sudo seabeectl config update config.yaml` + +### Test installation + +start up seabee: `systemctl start seabee` + +check the logs to see if seabee is working: `journalctl -u seabee --since "5 minutes ago"` + +We should not see any errors. +There should be a line reading `INFO Sucessfully loaded eBPF LSM` + +Now you can turn off SeaBee" `systemctl stop seabee` and proceed to the tutorial. + +If you encounter errors, try building from source or open an [issue on github](https://github.com/NationalSecurityAgency/seabee/issues). ## SeaBee Tutorial diff --git a/docs/docs/requirements.md b/docs/docs/requirements.md index 35f23b0e..52370040 100644 --- a/docs/docs/requirements.md +++ b/docs/docs/requirements.md 
@@ -6,13 +6,13 @@ SeaBee needs root or 'sudo' or run. We specifically run tests to ensure support on the following distributions: -* Fedora 41, 42 +* Fedora 41, 42, 43 * RHEL/Rocky 9 * Ubuntu 22.04, 24.04 However, in theory, SeaBee should work on any Linux kernel 5.14+ since we do not rely on any features added after 5.14. -## Fedora 41, 42 +## Fedora 41, 42, 43 Should work out of the box From 6df5431ab453265f15fe347d42c8a1d8eb01fb86 Mon Sep 17 00:00:00 2001 From: Alan Wandke Date: Fri, 31 Oct 2025 14:15:52 +0000 Subject: [PATCH 6/9] fix: correctly audit kernel module loading Signed-off-by: Alan Wandke --- .vscode/settings.json | 13 +++++++++++++ bpf/src/seabee/seabee.bpf.c | 23 +++++++++++++---------- seabee/src/enforce.rs | 2 +- 3 files changed, 27 insertions(+), 11 deletions(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index 96a38107..23cfdf65 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -31,8 +31,10 @@ "argjson", "batcat", "bindgen", + "binprm", "BPFFS", "bpftool", + "bprm", "distro", "Dockerfiles", "Doxygen", @@ -40,17 +42,23 @@ "EOPNOTSUPP", "FIPS", "fontawesome", + "iattr", + "IDMAP", "journalctl", "karmor", + "kexec", "keylist", "kmod", "kubearmor", "libbpf", "libtest", + "lockdown", "mkdocs", "nationalsecurityagency", + "newsk", "NLMSG", "nlmsghdr", + "pathbuf", "Pkey", "prctl", "printk", @@ -69,8 +77,13 @@ "syscall", "syscalls", "tempdir", + "tracee", + "traceme", + "Unlabel", "uprobe", + "userns", "userspace", + "vfsmount", "vmlinux", "walkdir" ], diff --git a/bpf/src/seabee/seabee.bpf.c b/bpf/src/seabee/seabee.bpf.c index c72ef76e..4d641f33 100644 --- a/bpf/src/seabee/seabee.bpf.c +++ b/bpf/src/seabee/seabee.bpf.c 
@@ -484,9 +484,10 @@ int BPF_PROG(seabee_kernel_module_request, char *kmod_name) log_kernel_module_request(LOG_LEVEL_WARN, LOG_REASON_DENY, (const unsigned char *)kmod_name); return DENY; + } else if (kmod_modification == (u32)SECURITY_BLOCK) { + log_kernel_module_request(LOG_LEVEL_INFO, LOG_REASON_AUDIT, + (const unsigned char *)kmod_name); } - log_kernel_module_request(LOG_LEVEL_INFO, LOG_REASON_ALLOW, - (const unsigned char *)kmod_name); return ALLOW; } @@ -495,7 +496,7 @@ int BPF_PROG(seabee_kernel_module_request, char *kmod_name) * * lsm/kernel_read_file is invoked when the kernel is about to directly read * from a file or the file system specified by userspace for some purpose - * including but not limited to kernel modules laoded via finit_module() + * including but not limited to kernel modules loaded via finit_module() * * enum kernel_load_data_id is the same as __kernel_read_file_id defined in * https://elixir.bootlin.com/linux/latest/source/include/linux/kernel_read_file.h#L9 @@ -514,13 +515,14 @@ SEC("lsm/kernel_read_file") int BPF_PROG(seabee_kernel_read_file, struct file *file, enum kernel_read_file_id id, bool contents) { - if (id == READING_MODULE) { + if (id == READING_MODULE && kmod_modification == (u32)SECURITY_BLOCK) { log_kernel_read_file(LOG_LEVEL_WARN, LOG_REASON_DENY, id, file->f_path.dentry->d_name.name); return DENY; + } else if (kmod_modification == (u32)SECURITY_AUDIT) { + log_kernel_read_file(LOG_LEVEL_INFO, LOG_REASON_AUDIT, id, + file->f_path.dentry->d_name.name); } - log_kernel_read_file(LOG_LEVEL_INFO, LOG_REASON_ALLOW, id, - file->f_path.dentry->d_name.name); return ALLOW; } 
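Review bot: In `seabee_kernel_read_file` the new audit branch, `else if (kmod_modification == (u32)SECURITY_AUDIT)`, does not repeat the `id == READING_MODULE` test, so in audit mode every kernel file read that reaches this hook is logged with LOG_REASON_AUDIT, not only module loads. Block mode denies only `READING_MODULE`, so the audit log no longer shows what block mode would deny and real module-load events can get buried; `} else if (id == READING_MODULE && kmod_modification == (u32)SECURITY_AUDIT) {` keeps the two modes aligned. The same applies to the `LOADING_MODULE` check in the `seabee_kernel_load_data` hunk further down. If logging every id in audit mode is intended, a comment on the branch saying so would help.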
@@ -547,11 +549,12 @@ SEC("lsm/kernel_load_data") int BPF_PROG(seabee_kernel_load_data, enum kernel_load_data_id id, bool contents) { - if (id == LOADING_MODULE) { + if (id == LOADING_MODULE && kmod_modification == (u32)SECURITY_BLOCK) { log_kernel_load_data(LOG_LEVEL_WARN, LOG_REASON_DENY, id); return DENY; + } else if (kmod_modification == (u32)SECURITY_AUDIT) { + log_kernel_load_data(LOG_LEVEL_INFO, LOG_REASON_AUDIT, id); } - log_kernel_load_data(LOG_LEVEL_INFO, LOG_REASON_ALLOW, id); return ALLOW; } @@ -821,9 +824,9 @@ int BPF_PROG(seabee_start_pin, int cmd, union bpf_attr *attr, unsigned int size, } /** - * @brief Label an inode associted with a bpf pin + * @brief Label an inode associated with a bpf pin * - * This hook is called when a dentry becomes associted with an inode. + * This hook is called when a dentry becomes associated with an inode. */ SEC("lsm/d_instantiate") int BPF_PROG(seabee_label_pin, struct dentry *dentry, struct inode *inode) diff --git a/seabee/src/enforce.rs b/seabee/src/enforce.rs index 55a58512..baba2cab 100644 --- a/seabee/src/enforce.rs +++ b/seabee/src/enforce.rs @@ -78,7 +78,7 @@ pub fn load_ebpf( )?; kernel_api::label_files_for_policy(&sb.policy.base_policy, &sb.maps)?; - info!("Sucessfully loaded eBPF LSM"); + info!("Successfully loaded eBPF LSM"); Ok(sb) } From 127030b13282557f0a3a49d71727e7ce16728c76 Mon Sep 17 00:00:00 2001 From: Alan Wandke Date: Fri, 31 Oct 2025 15:16:45 +0000 Subject: [PATCH 7/9] fix: set service file kill signal to sigint Signed-off-by: Alan Wandke --- install/install.sh | 17 ++++++++--------- install/journald.service | 1 + install/stdout.service | 1 + seabee/src/lib.rs | 2 +- tests/src/policy/mod.rs | 1 - 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/install/install.sh b/install/install.sh index a68a374c..927afffa 100755 --- a/install/install.sh +++ b/install/install.sh 
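Review bot: The corrected log string `Successfully loaded eBPF LSM` in `load_ebpf` no longer matches the installation check in docs/docs/getting_started.md, which still tells users to look for `INFO Sucessfully loaded eBPF LSM` in the journal. Anyone searching for the documented line after this change will conclude the LSM did not load, so the docs line should be updated in the same commit. `load_ebpf` starts outside the hunk.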
@@ -8,20 +8,19 @@ TAG="v1.2.0" #TODO: update when the new version is released # Check if exactly one argument is provided if [ "$#" -ne 1 ]; then - echo "Usage: $0 {ubuntu-24|fedora-43|rocky-9}" - exit 1 + echo "Usage: $0 {ubuntu-24|fedora-43|rocky-9}" + exit 1 fi # Allowed values ARG="$1" case "$ARG" in - ubuntu-24|fedora-43|rocky-9) - ;; - *) - echo "Invalid argument: $ARG" - echo "Allowed values: ubuntu-24, fedora-43, rocky-9" - exit 1 - ;; +ubuntu-24 | fedora-43 | rocky-9) ;; +*) + echo "Invalid argument: $ARG" + echo "Allowed values: ubuntu-24, fedora-43, rocky-9" + exit 1 + ;; esac # Get SeaBee file diff --git a/install/journald.service b/install/journald.service index aea69cfe..4b368423 100644 --- a/install/journald.service +++ b/install/journald.service @@ -7,6 +7,7 @@ After=sysinit.target Type=exec ExecStart=/usr/sbin/seabee StandardOutput=null +KillSignal=SIGINT [Install] WantedBy=basic.target diff --git a/install/stdout.service b/install/stdout.service index 715fb8e3..1e1a8567 100644 --- a/install/stdout.service +++ b/install/stdout.service @@ -6,6 +6,7 @@ After=sysinit.target [Service] Type=exec ExecStart=/usr/sbin/seabee +KillSignal=SIGINT [Install] WantedBy=basic.target diff --git a/seabee/src/lib.rs b/seabee/src/lib.rs index 04733892..f971bb99 100644 --- a/seabee/src/lib.rs +++ b/seabee/src/lib.rs @@ -119,5 +119,5 @@ fn print_debug_info(config: &Config) { } info!("See daemon output with `journalctl -u seabee -f`"); info!("If cannot remove seabee another way, you will have to 'sudo reboot'"); - debug!("{:#?}", config); + info!("{:#?}", config); } diff --git a/tests/src/policy/mod.rs b/tests/src/policy/mod.rs index 0addb06b..ead38292 100644 --- a/tests/src/policy/mod.rs +++ b/tests/src/policy/mod.rs @@ -79,7 +79,6 @@ fn stop_daemon() -> Result<()> { SHUTDOWN_REQUEST_SIG, ]) .stdout(Stdio::null()) - .stderr(Stdio::null()) .status()?; if !status.success() { return Err(anyhow!("Failed to shutdown SeaBee.\nstatus: {}", status)); 
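Review bot: `KillSignal=SIGINT` in journald.service and stdout.service makes `systemctl stop seabee` depend on SeaBee accepting SIGINT, which the getting-started docs describe as something enabled through the config (`sigint: true`) rather than the default. With the default config the stop request is presumably refused and systemd falls through to its stop timeout. A comment in the `[Service]` section would spare operators the guesswork, e.g. `# stop sends SIGINT; only honoured when the SeaBee config allows sigint`. Confirm the default-config behaviour before settling the wording.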
From 8c57c96cc64fcfb0003e87e68d77987ca6697414 Mon Sep 17 00:00:00 2001 From: Alan Wandke Date: Mon, 3 Nov 2025 19:39:01 +0000 Subject: [PATCH 8/9] docs: add uninstall instructions Signed-off-by: Alan Wandke --- docs/docs/getting_started.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/docs/getting_started.md b/docs/docs/getting_started.md index 8cc2d762..c03a28bd 100644 --- a/docs/docs/getting_started.md +++ b/docs/docs/getting_started.md @@ -156,6 +156,12 @@ Now you can turn off SeaBee" `systemctl stop seabee` and proceed to the tutorial If you encounter errors, try building from source or open an [issue on github](https://github.com/NationalSecurityAgency/seabee/issues). +### Uninstall + +```bash +wget -qO- https://raw.githubusercontent.com/nationalsecurityagency/seabee/main/install/uninstall.sh | sudo bash +``` + ## SeaBee Tutorial Great! You're all ready to go. From eb42240ef22d96cd49ab7f6e68a996e41fb78909 Mon Sep 17 00:00:00 2001 From: Alan Wandke Date: Mon, 3 Nov 2025 19:45:03 +0000 Subject: [PATCH 9/9] fix: audit kernel_module_request hook Signed-off-by: Alan Wandke --- bpf/src/seabee/seabee.bpf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bpf/src/seabee/seabee.bpf.c b/bpf/src/seabee/seabee.bpf.c index 4d641f33..176dea3f 100644 --- a/bpf/src/seabee/seabee.bpf.c +++ b/bpf/src/seabee/seabee.bpf.c @@ -484,7 +484,7 @@ int BPF_PROG(seabee_kernel_module_request, char *kmod_name) log_kernel_module_request(LOG_LEVEL_WARN, LOG_REASON_DENY, (const unsigned char *)kmod_name); return DENY; - } else if (kmod_modification == (u32)SECURITY_BLOCK) { + } else if (kmod_modification == (u32)SECURITY_AUDIT) { log_kernel_module_request(LOG_LEVEL_INFO, LOG_REASON_AUDIT, (const unsigned char *)kmod_name); }