"I will no longer ask."
This BPF program uses the LSM `task_alloc` hook to check whether a particular executable is being invoked with a particular argument, and denies that access.
Tested on el9.6/9.7, which fortunately have the feature we need (BPF LSM hooks) backported.
Requirements:
- CMake
- A kernel that supports BPF LSM hooks (el9+, or at least 9.6+ seems good)
- clang
- libbpf and libbpf-devel
- bpftool
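A preflight check for the kernel and tool requirements listed above, as an added example that is not part of this project: it verifies that the kernel was built with `CONFIG_BPF_LSM=y` and that `bpf` is in the active LSM list, both of which BPF LSM programs need for their hooks to run. The paths `/sys/kernel/security/lsm` and `/boot/config-<release>` and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight for the requirements listed above (not project code).

# True if "bpf" is an exact entry in a comma-separated LSM list.
lsm_list_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# True if the kernel config file $1 contains the line CONFIG_BPF_LSM=y.
config_has_bpf_lsm() {
    grep -qx 'CONFIG_BPF_LSM=y' "$1" 2>/dev/null
}

# Args: active LSM list, kernel config path. Prints ok | not-enabled | not-built.
bpf_lsm_verdict() {
    if ! config_has_bpf_lsm "$2"; then
        echo "not-built"      # kernel compiled without BPF LSM support
    elif ! lsm_list_has_bpf "$1"; then
        echo "not-enabled"    # compiled in, but "bpf" is not an active LSM
    else
        echo "ok"
    fi
}

# Live check. Assumes securityfs is mounted and the kernel config is
# installed at /boot/config-<release>, as on EL systems.
preflight() {
    active=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    verdict=$(bpf_lsm_verdict "$active" "/boot/config-$(uname -r)")
    echo "BPF LSM: $verdict (active LSMs: ${active:-unknown})"
    missing=0
    for tool in cmake clang bpftool; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool"; missing=1; }
    done
    [ "$verdict" = "ok" ] && [ "$missing" -eq 0 ]
}

# Run the live check only when invoked with the argument "run".
if [ "${1:-}" = "run" ]; then preflight; fi
```

If the verdict is `not-enabled`, `bpf` has to be added to the `lsm=` kernel boot parameter before the program's hook will take effect.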
To build and install:
- Clone the source
- Run `mkdir build && cd build`
- Run `cmake .. -DCMAKE_C_COMPILER=clang -DCMAKE_INSTALL_PREFIX=<where you want this installed>`
- Run `make install`
Alternatively, to make an rpm:
- Clone the source
- Run `mkdir build && cd build`
- Run `cmake .. -DCMAKE_C_COMPILER=clang -DCMAKE_INSTALL_PREFIX=/usr`
- Run `make package`
- Install the resulting rpm file
There's a systemd unit, `vscode-killer.service`, that gets generated and, if you install, placed in the correct location under whatever prefix you supply. It'll also be in the `build/systemd` directory if you don't install. The unit file assumes that `vscode-killer` will be located at `$CMAKE_INSTALL_PREFIX/bin/vscode-killer`, so you may have to change that if you are relocating it from the install prefix. This is the preferred way to run, as it will also clean up the pinned program when it is stopped and log to the system journal.
If you don't want to use systemd you can just run vscode-killer directly or use whatever init system you prefer.