Create release

.vscode/settings.json

@@ -31,26 +31,34 @@
         "argjson",
         "batcat",
         "bindgen",
+        "binprm",
         "BPFFS",
         "bpftool",
+        "bprm",
         "distro",
         "Dockerfiles",
         "Doxygen",
         "ebpf",
         "EOPNOTSUPP",
         "FIPS",
         "fontawesome",
+        "iattr",
+        "IDMAP",
         "journalctl",
         "karmor",
+        "kexec",
         "keylist",
         "kmod",
         "kubearmor",
         "libbpf",
         "libtest",
+        "lockdown",
         "mkdocs",
         "nationalsecurityagency",
+        "newsk",
         "NLMSG",
         "nlmsghdr",
+        "pathbuf",
         "Pkey",
         "prctl",
         "printk",
@@ -69,8 +77,13 @@
         "syscall",
         "syscalls",
         "tempdir",
+        "tracee",
+        "traceme",
+        "Unlabel",
         "uprobe",
+        "userns",
         "userspace",
+        "vfsmount",
         "vmlinux",
         "walkdir"
     ],

Cargo.toml

@@ -24,4 +24,7 @@ edition = "2021"
 license = "Apache-2.0"
 readme = "README.md"
 rust-version = "1.79"
-version = "1.1.0"
+version = "1.2.0"
+repository = "https://github.com/NationalSecurityAgency/seabee"
+homepage = "https://code.nsa.gov/seabee/"
+description = "Hardens eBPF tools against privileged attackers via policy-based access controls"

README.md

@@ -13,7 +13,7 @@ or subvert security controls implemented in eBPF.
 
 For an overview, see our [presentation about SeaBee](https://www.youtube.com/watch?v=4bWpTKK7Mlw) from the 2025 Linux Security Summit NA
 
-To try out SeaBee, see [Getting Started with SeaBee](./docs/docs/getting_started.md). Then try our [tutorial](./docs/docs/tutorial.md).
+To try out SeaBee, see [Getting Started with SeaBee](https://code.nsa.gov/seabee/getting_started/). Then try our [tutorial](https://code.nsa.gov/seabee/tutorial/).
 
 Don't hesitate to create an issue or a PR. See [CONTRIBUTING.md](./CONTRIBUTING.md)
 
@@ -28,9 +28,9 @@ The different elements of SeaBee are highlighted in blue.
 The other elements show how users interact with SeaBee and
 how other processes interact with SeaBee.
 
-- `seabeectl` is a command line interface for SeaBee. See [`seabeectl` docs](./docs/docs/seabeectl.md)
-- The SeaBee userspace manages loading eBPF, tracking [policy](./docs/docs/policy.md) updates,
-and [logging](./docs/docs/logging.md).
+- `seabeectl` is a command line interface for SeaBee. See [`seabeectl` docs](https://code.nsa.gov/seabee/seabeectl/)
+- The SeaBee userspace manages loading eBPF, tracking [policy](https://code.nsa.gov/seabee/policy/) updates,
+and [logging](https://code.nsa.gov/seabee/logging/).
 - eBPF maps are used to store SeaBee policy in the kernel
 - eBPF LSM programs are used to enforce SeaBee policies on processes
 when they take a particular action that SeaBee cares about.
@@ -44,14 +44,12 @@ Examples include accessing eBPF maps or files associated with a SeaBee policy.
 
 ## Documentation
 
-Documentation is found under `docs/docs/`
+Documentation is found under `docs/docs/` and is hosted at [code.nsa.gov/seabee](https://code.nsa.gov/seabee).
 
-- To build the documentation:
-  - Reload the shell `source ~/.bashrc`
-  - `make docs` and then `make -C docs build`
-- To view the documentation in a browser: `make -C docs serve-build`
+To build and view the documentation locally in a browser:
 
-TODO: move docs to github pages
+- `make update`
+- `make -C docs serve-build`
 
 ## Disclaimer of Endorsement
 

bpf/Cargo.toml

@@ -5,6 +5,9 @@ license.workspace = true
 readme.workspace = true
 rust-version.workspace = true
 version.workspace = true
+description.workspace = true
+repository.workspace = true
+homepage.workspace = true
 
 [dependencies]
 anyhow.workspace = true

bpf/src/seabee/seabee.bpf.c

@@ -484,9 +484,10 @@ int BPF_PROG(seabee_kernel_module_request, char *kmod_name)
 		log_kernel_module_request(LOG_LEVEL_WARN, LOG_REASON_DENY,
 		                          (const unsigned char *)kmod_name);
 		return DENY;
+	} else if (kmod_modification == (u32)SECURITY_AUDIT) {
+		log_kernel_module_request(LOG_LEVEL_INFO, LOG_REASON_AUDIT,
+		                          (const unsigned char *)kmod_name);
 	}
-	log_kernel_module_request(LOG_LEVEL_INFO, LOG_REASON_ALLOW,
-	                          (const unsigned char *)kmod_name);
 	return ALLOW;
 }
 
@@ -495,7 +496,7 @@ int BPF_PROG(seabee_kernel_module_request, char *kmod_name)
  *
  * lsm/kernel_read_file is invoked when the kernel is about to directly read
  * from a file or the file system specified by userspace for some purpose
- * including but not limited to kernel modules laoded via finit_module()
+ * including but not limited to kernel modules loaded via finit_module()
  *
  * enum kernel_load_data_id is the same as __kernel_read_file_id defined in
  * https://elixir.bootlin.com/linux/latest/source/include/linux/kernel_read_file.h#L9
@@ -514,13 +515,14 @@ SEC("lsm/kernel_read_file")
 int BPF_PROG(seabee_kernel_read_file, struct file *file,
              enum kernel_read_file_id id, bool contents)
 {
-	if (id == READING_MODULE) {
+	if (id == READING_MODULE && kmod_modification == (u32)SECURITY_BLOCK) {
 		log_kernel_read_file(LOG_LEVEL_WARN, LOG_REASON_DENY, id,
 		                     file->f_path.dentry->d_name.name);
 		return DENY;
+	} else if (kmod_modification == (u32)SECURITY_AUDIT) {
+		log_kernel_read_file(LOG_LEVEL_INFO, LOG_REASON_AUDIT, id,
+		                     file->f_path.dentry->d_name.name);
 	}
-	log_kernel_read_file(LOG_LEVEL_INFO, LOG_REASON_ALLOW, id,
-	                     file->f_path.dentry->d_name.name);
 	return ALLOW;
 }
 
@@ -547,11 +549,12 @@ SEC("lsm/kernel_load_data")
 int BPF_PROG(seabee_kernel_load_data, enum kernel_load_data_id id,
              bool contents)
 {
-	if (id == LOADING_MODULE) {
+	if (id == LOADING_MODULE && kmod_modification == (u32)SECURITY_BLOCK) {
 		log_kernel_load_data(LOG_LEVEL_WARN, LOG_REASON_DENY, id);
 		return DENY;
+	} else if (kmod_modification == (u32)SECURITY_AUDIT) {
+		log_kernel_load_data(LOG_LEVEL_INFO, LOG_REASON_AUDIT, id);
 	}
-	log_kernel_load_data(LOG_LEVEL_INFO, LOG_REASON_ALLOW, id);
 	return ALLOW;
 }
 
@@ -821,9 +824,9 @@ int BPF_PROG(seabee_start_pin, int cmd, union bpf_attr *attr, unsigned int size,
 }
 
 /**
- * @brief Label an inode associted with a bpf pin
+ * @brief Label an inode associated with a bpf pin
  *
- * This hook is called when a dentry becomes associted with an inode.
+ * This hook is called when a dentry becomes associated with an inode.
  */
 SEC("lsm/d_instantiate")
 int BPF_PROG(seabee_label_pin, struct dentry *dentry, struct inode *inode)