Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
bpf: lsm: Initialize the BPF LSM hooks

* The hooks are initialized using the definitions in
include/linux/lsm_hook_defs.h.
* The LSM can be enabled / disabled with CONFIG_BPF_LSM.

Signed-off-by: KP Singh <kpsingh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Brendan Jackman <jackmanb@google.com>
Reviewed-by: Florent Revest <revest@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Link: https://lore.kernel.org/bpf/20200329004356.27286-6-kpsingh@chromium.org

authored by

KP Singh and committed by
Daniel Borkmann
520b7aa0 9e4e01df

+38 -5
+5 -5
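--- a/security/Kconfig
+++ b/security/Kconfig
@@ -277,11 +277,11 @@
 
 config LSM
 string "Ordered list of enabled LSMs"
-default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
-default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
-default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
-default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
-default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
+default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
+default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
+default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
+default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
+default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
 help
 A comma-separated list of LSMs, in initialization order.
 Any LSMs left off this list will be ignored. This can be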
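Review bot: Appending `bpf` to all five `default` strings enables the new LSM by default in every build that selects CONFIG_BPF_LSM, and its position at the end matters because the help text says the list is in initialization order. The help text continues outside the hunk, so it is not visible whether it explains this; a sentence there such as `"bpf" is listed last so attached programs are consulted after the other enabled LSMs.` would make the intent explicit. These are also only defaults: a configuration that already carries an explicit CONFIG_LSM value, or a system booted with `lsm=`, presumably will not pick up `bpf` and needs it added by hand, which is worth stating in the commit message.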
+2
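--- a/security/Makefile
+++ b/security/Makefile
@@ -12,6 +12,7 @@
 subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
 subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
 subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown
+subdir-$(CONFIG_BPF_LSM) += bpf
 
 # always enable default capabilities
 obj-y += commoncap.o
@@ -30,6 +31,7 @@
 obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
 obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
 obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
+obj-$(CONFIG_BPF_LSM) += bpf/
 
 # Object integrity file lists
 subdir-$(CONFIG_INTEGRITY) += integrity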
+5
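--- a/security/bpf/Makefile
+++ b/security/bpf/Makefile
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2020 Google LLC.
+
+obj-$(CONFIG_BPF_LSM) := hooks.o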
+26
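--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+* Copyright (C) 2020 Google LLC.
+*/
+#include <linux/lsm_hooks.h>
+#include <linux/bpf_lsm.h>
+
+static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
+#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
+LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
+#include <linux/lsm_hook_defs.h>
+#undef LSM_HOOK
+};
+
+static int __init bpf_lsm_init(void)
+{
+security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf");
+pr_info("LSM support for eBPF active\n");
+return 0;
+}
+
+DEFINE_LSM(bpf) = {
+.name = "bpf",
+.init = bpf_lsm_init,
+};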
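Review bot: The `LSM_HOOK` expansion in `bpf_lsm_hooks[]` ignores its `DEFAULT` argument and registers a `bpf_lsm_##NAME` callback for every entry in `lsm_hook_defs.h`, so once "bpf" is in the active list no hook is left unimplemented. The stubs are defined outside this file, so it is not visible here whether each one returns its hook's default value. If one does not, callers that treat a particular return value as "no LSM handles this" could change behaviour even with no program attached. A comment above the array would record the contract, for example `/* One entry per hook in lsm_hook_defs.h; each bpf_lsm_<hook> stub must return that hook's DEFAULT when no program is attached. */`. The `pr_info` text could also say that hooks are registered rather than "active", since this line appears in the boot log before any policy is loaded.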