Tags: linux, linux-kernel, firewall, ebpf, intrusion-detection

Is it possible to use eBPF to block a malicious process in kernel space?


One way to block a malicious process is to trace its behavior in a kernel-space eBPF program and then simply kill it from a user-space program, but there is latency before the user-space program receives the data from kernel space. I wonder if there is a way to kill a malicious process directly in the kernel-space eBPF program, as that would be more efficient.


Solution

  • The BPF helper function bpf_send_signal() can be used to send a signal to the process of the monitored task, see its documentation:

           long bpf_send_signal(u32 sig)
                  Description
                         Send signal sig to the process of the current task.
                         The signal may be delivered to any of this
                         process's threads.
                  Return
                         0 on success or successfully queued.
                         -EBUSY if work queue under nmi is full.
                         -EINVAL if sig is invalid.
                         -EPERM if no permission to send the sig.
                         -EAGAIN if bpf program can try again.
    

    The signal to pass can be SIGKILL, for example.

    Some projects use it already: Tetragon, a tool based on eBPF for “security observability and runtime enforcement”, can call it to terminate processes.

    This helper is available starting with Linux 5.3.
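The following is an added example of the approach described in this answer, written for this page and not taken from the answer or from Tetragon. It is a libbpf-style BPF program (compiled with clang -target bpf, needs bpf/bpf_helpers.h and Linux 5.3 or newer) that kills a process at its next syscall entry if its PID has been flagged in a map; the map names, the counter layout and the choice of the raw_syscalls/sys_enter tracepoint are this example's own assumptions.

```c
// Added example: kill flagged processes from kernel space with bpf_send_signal().
// Assumes clang -target bpf, libbpf headers, and Linux >= 5.3.
#include <linux/bpf.h>
#include <linux/types.h>
#include <bpf/bpf_helpers.h>

#define SIGKILL 9  /* Linux value of SIGKILL; avoids pulling signal.h into BPF code */

/* Hypothetical map: PIDs (tgid) flagged as malicious by user space or by
 * another BPF program. User space inserts entries with bpf_map_update_elem(). */
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 1024);
    __type(key, __u32);   /* tgid */
    __type(value, __u8);  /* presence is what matters, value unused */
} flagged_pids SEC(".maps");

/* Hypothetical counters so user space can audit enforcement:
 * index 0 = signals queued/sent, index 1 = helper returned an error. */
struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __uint(max_entries, 2);
    __type(key, __u32);
    __type(value, __u64);
} kill_stats SEC(".maps");

/* raw_syscalls/sys_enter runs in the context of the task making the syscall,
 * which is what bpf_send_signal() needs: it signals the *current* process. */
SEC("tracepoint/raw_syscalls/sys_enter")
int kill_flagged_on_syscall(void *ctx)
{
    __u32 tgid = bpf_get_current_pid_tgid() >> 32;

    if (!bpf_map_lookup_elem(&flagged_pids, &tgid))
        return 0;  /* not flagged: observe only, never signal */

    long ret = bpf_send_signal(SIGKILL);   /* 0 on success, negative errno on failure */

    __u32 idx = (ret == 0) ? 0 : 1;
    __u64 *cnt = bpf_map_lookup_elem(&kill_stats, &idx);
    if (cnt)
        __sync_fetch_and_add(cnt, 1);

    if (ret == 0)
        bpf_map_delete_elem(&flagged_pids, &tgid);  /* one successful kill is enough */
    return 0;
}

char LICENSE[] SEC("license") = "GPL";
```

The syscall that triggers the kill still executes; SIGKILL takes effect when the task next returns to user space or blocks interruptibly, so this removes the user-space round trip but does not veto that one syscall. Vetoing an operation outright needs a BPF LSM hook that returns an error (Linux 5.7 and newer).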