helpers: add example for bpf_ima_[inode/file]_hash

AliGhaffarian · dylandreimerink · commit f526dddbdcf0 · 2026-02-13T14:49:39.000+01:00
diff --git a/docs/linux/helper-function/bpf_ima_file_hash.md b/docs/linux/helper-function/bpf_ima_file_hash.md
@@ -38,6 +38,57 @@ This helper call can be used in the following program types:
 <!-- [/HELPER_FUNC_PROG_REF] -->
 
 ### Example
+The following program prints hash of files just before they are being executed.
+Kernel command line is `ima_policy=tcb ima_hash=sha256`.
 
-!!! example "Docs could be improved"
-    This part of the docs is incomplete, contributions are very welcome
+```c
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+static void print_sha256(__u8 *buf) {
+    bpf_printk("IMA Hash Part 1: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+               buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6], buf[7], buf[8], buf[9], buf[10], buf[11]);
+    bpf_printk("IMA Hash Part 2: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+               buf[12], buf[13], buf[14], buf[15], buf[16], buf[17], buf[18], buf[19], buf[20], buf[21], buf[22], buf[23]);
+    bpf_printk("IMA Hash Part 3: %02x%02x%02x%02x%02x%02x%02x%02x",
+               buf[24], buf[25], buf[26], buf[27], buf[28], buf[29], buf[30], buf[31]);
+}
+
+SEC("lsm.s/bprm_creds_for_exec")
+int BPF_PROG(test_func, struct linux_binprm *b)
+{
+    // We are expecting SHA-256
+    __u8 buf[32 / sizeof(__u8)] = {0};
+    enum hash_algo algo = 0;
+
+    algo = bpf_ima_file_hash(b->file, buf, sizeof(buf));
+
+    if(algo < 0)
+        return 0;
+    /*just to showcase enum hash_algo*/
+    if(algo != HASH_ALGO_SHA256){
+        bpf_printk("algo mismatch");
+        return 0;
+    }
+
+    bpf_printk("%s", b->filename);
+    print_sha256(buf);
+
+    return 0;
+}
+
+char __license[] SEC("license") = "GPL";
+```
+
+Output should be something like this:
+```
+<...>-18169   [004] ...11  8969.860732: bpf_trace_printk: /usr/bin/cat
+<...>-18169   [004] ...11  8969.860738: bpf_trace_printk: IMA Hash Part 1: 8a5c20c3400a4058a487cd80
+<...>-18169   [004] ...11  8969.860739: bpf_trace_printk: IMA Hash Part 2: 6111cc5138ef4d0fbc6714ff
+<...>-18169   [004] ...11  8969.860739: bpf_trace_printk: IMA Hash Part 3: 67c9432e38c2705a
+<...>-18171   [011] ...11  8969.861704: bpf_trace_printk: /usr/bin/glow
+<...>-18171   [011] ...11  8969.861708: bpf_trace_printk: IMA Hash Part 1: aed777d7f19376fefe2d0f3d
+<...>-18171   [011] ...11  8969.861709: bpf_trace_printk: IMA Hash Part 2: cd52d2f981d08c579b598b6d
+<...>-18171   [011] ...11  8969.861709: bpf_trace_printk: IMA Hash Part 3: 9cb6af4c3234e5ff
+```
diff --git a/docs/linux/helper-function/bpf_ima_inode_hash.md b/docs/linux/helper-function/bpf_ima_inode_hash.md
@@ -38,6 +38,53 @@ This helper call can be used in the following program types:
 <!-- [/HELPER_FUNC_PROG_REF] -->
 
 ### Example
+The following program prints hash of files just before they are being executed.
+Kernel command line is `ima_policy=tcb ima_hash=sha256`.
 
-!!! example "Docs could be improved"
-    This part of the docs is incomplete, contributions are very welcome
+```c
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+static void print_sha256(__u8 *buf) {
+    bpf_printk("IMA Hash Part 1: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+               buf[0], buf[1], buf[2], buf[3], buf[4], buf[5], buf[6], buf[7], buf[8], buf[9], buf[10], buf[11]);
+    bpf_printk("IMA Hash Part 2: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+               buf[12], buf[13], buf[14], buf[15], buf[16], buf[17], buf[18], buf[19], buf[20], buf[21], buf[22], buf[23]);
+    bpf_printk("IMA Hash Part 3: %02x%02x%02x%02x%02x%02x%02x%02x",
+               buf[24], buf[25], buf[26], buf[27], buf[28], buf[29], buf[30], buf[31]);
+}
+SEC("lsm.s/bprm_creds_for_exec")
+int BPF_PROG(test_func, struct linux_binprm *b)
+{
+    // We are expecting SHA-256
+    __u8 buf[32 / sizeof(__u8)] = {0};
+    enum hash_algo algo = 0;
+
+    algo = bpf_ima_inode_hash(b->file->f_inode, buf, sizeof(buf));
+    if (algo < 0)
+        return 0;
+    /*just to showcase enum hash_algo*/
+    if(algo != HASH_ALGO_SHA256){
+        bpf_printk("algo mismatch");
+        return 0;
+    }
+    bpf_printk("%s", b->filename);
+    print_sha256(buf);
+    return 0;
+}
+
+char __license[] SEC("license") = "GPL";
+```
+
+Output should be something like this:
+```
+<...>-20230   [008] ...11  9707.708954: bpf_trace_printk: /usr/bin/figlet
+<...>-20230   [008] ...11  9707.708957: bpf_trace_printk: IMA Hash Part 1: 1748eeb53c9479fb923fb772
+<...>-20230   [008] ...11  9707.708957: bpf_trace_printk: IMA Hash Part 2: c21bd9c9f5c27aa4e81c66cd
+<...>-20230   [008] ...11  9707.708957: bpf_trace_printk: IMA Hash Part 3: 59886d7b339e70d0
+<...>-20231   [000] ...11  9707.709873: bpf_trace_printk: /usr/bin/python3
+<...>-20231   [000] ...11  9707.709876: bpf_trace_printk: IMA Hash Part 1: e59d0124ff06c248546876e0
+<...>-20231   [000] ...11  9707.709876: bpf_trace_printk: IMA Hash Part 2: 1fcfb1ea3cda63534949f94a
+<...>-20231   [000] ...11  9707.709877: bpf_trace_printk: IMA Hash Part 3: 9372bfcfe3bfc3f5
+```
