Status: Open
Labels: enhancement, priority:medium, security
Summary
Implement configurable policy engine for fine-grained access control.
Priority: Medium - Security hardening
Depends on: #8 (Design: Program Types) - must decide on types first
Milestone: v0.3.0 - Production-Ready
Background
Currently, polkit auth grants full access to all eBPF operations. A policy engine would allow:
- Restricting program types
- Limiting attach points
- Path-based restrictions
- Per-user policies
Deliverables
Policy File Format
# ~/.config/ebpf-assist/policy.toml
[defaults]
# What to do when no rule matches
action = "allow" # or "deny"
[program_types]
# Which program types are allowed
allow = ["kprobe", "kretprobe", "uprobe", "uretprobe", "tracepoint", "perf_event"]
warn = ["xdp", "tc", "socket_filter"]
deny = ["lsm", "struct_ops", "cgroup_*"]
[paths]
# Where programs can be loaded from
allow = ["~/.local/share/ebpf-assist/**", "/usr/share/ebpf/**"]
deny = ["/tmp/**"] # Dangerous to load from /tmp
[attach_points]
# What can be attached to
allow = ["*"] # All by default
deny = ["security_*"] # No LSM hooks
CLI Commands
ebpf-assist policy show # Show current policy
ebpf-assist policy check <file> # Check if program would be allowed
ebpf-assist policy edit # Open policy in editor
Implementation
- Policy file parser (TOML)
- Policy evaluation engine
- Integration with load/attach handlers
- Clear error messages on policy violations
- MCP tool: ebpf_policy_check
Blocked By
- [Design] Default Allowed Program Types #8 must be resolved first to know what program types to allow/deny by default
Success Criteria
- Policy violations return clear, actionable errors
- Users can customize restrictions per their security requirements
- AI gets helpful feedback when policy blocks an operation
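An added example, not ebpf-assist code: an evaluator for the policy proposed above, assuming deny > warn > allow precedence, fnmatch-style globs, and lexical path normalization before matching so that `..` segments cannot slip a file past the `/tmp/**` deny rule. `POLICY`, `decide` and `check` are hypothetical names, and the dict is a constructed copy of the proposed policy.toml.

```python
import os
from fnmatch import fnmatchcase

# Constructed in-memory copy of the policy.toml proposed in this issue.
POLICY = {
    "defaults": {"action": "allow"},
    "program_types": {
        "allow": ["kprobe", "kretprobe", "uprobe", "uretprobe", "tracepoint", "perf_event"],
        "warn": ["xdp", "tc", "socket_filter"],
        "deny": ["lsm", "struct_ops", "cgroup_*"],
    },
    "paths": {
        "allow": ["~/.local/share/ebpf-assist/**", "/usr/share/ebpf/**"],
        "deny": ["/tmp/**"],
    },
    "attach_points": {"allow": ["*"], "deny": ["security_*"]},
}
RANK = {"allow": 0, "warn": 1, "deny": 2}  # higher rank is stricter

def _norm(path):
    # Lexical only: expands "~" and collapses "..". A real loader should also resolve symlinks.
    return os.path.normpath(os.path.expanduser(path))

def decide(section, value, policy=POLICY):
    """Return (action, matched_pattern). Assumed precedence: deny > warn > allow > default."""
    rules = policy.get(section, {})
    is_path = section == "paths"
    if is_path:
        value = _norm(value)
    for action in ("deny", "warn", "allow"):
        for pattern in rules.get(action, []):
            pat = _norm(pattern) if is_path else pattern
            if fnmatchcase(value, pat):
                return action, pattern
    return policy["defaults"]["action"], None  # no rule matched

def check(prog_type, path, attach_point, policy=POLICY):
    """Evaluate all three sections; the strictest verdict wins."""
    inputs = {"program_types": prog_type, "paths": path, "attach_points": attach_point}
    results = {s: decide(s, v, policy) for s, v in inputs.items()}
    verdict = max((a for a, _ in results.values()), key=RANK.get)
    # Name the section and rule behind every non-allow result so the error is actionable.
    reasons = [f"{s}: {a} ({p or 'default'})"
               for s, (a, p) in results.items() if a != "allow"]
    return verdict, reasons
```

The returned reasons name the section and the matching rule, which is the kind of actionable message the success criteria ask for.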