
Merge tag 'lsm-pr-20250926' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

Pull lsm updates from Paul Moore:

- Move the management of the LSM BPF security blobs into the framework

In order to enable multiple LSMs we need to allocate and free the
various security blobs in the LSM framework and not the individual
LSMs as they would end up stepping all over each other.

- Leverage the lsm_blob_alloc() helper in lsm_bdev_alloc()

Make better use of our existing helper functions to reduce some code
duplication.

- Update the Rust cred code to use 'sync::aref'

Part of a larger effort to move the Rust code over to the 'sync'
module.

- Make CONFIG_LSM dependent on CONFIG_SECURITY

As the CONFIG_LSM Kconfig setting is an ordered list of the LSMs to
enable a boot, it obviously doesn't make much sense to enable this
when CONFIG_SECURITY is disabled.

- Update the LSM and CREDENTIALS sections in MAINTAINERS with Rusty
bits

Add the Rust helper files to the associated LSM and CREDENTIALS
entries int the MAINTAINERS file. We're trying to improve the
communication between the two groups and making sure we're all aware
of what is going on via cross-posting to the relevant lists is a good
way to start.

* tag 'lsm-pr-20250926' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
lsm: CONFIG_LSM can depend on CONFIG_SECURITY
MAINTAINERS: add the associated Rust helper to the CREDENTIALS section
MAINTAINERS: add the associated Rust helper to the LSM section
rust,cred: update AlwaysRefCounted import to sync::aref
security: use umax() to improve code
lsm,selinux: Add LSM blob support for BPF objects
lsm: use lsm_blob_alloc() in lsm_bdev_alloc()

+124 -68
+2
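--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -6478,6 +6478,7 @@
 T:	git https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
 F:	include/linux/cred.h
 F:	kernel/cred.c
+F:	rust/kernel/cred.rs
 F:	Documentation/security/credentials.rst
 
 INTEL CRPS COMMON REDUNDANT PSU DRIVER
@@ -22824,6 +22825,7 @@
 F:	include/uapi/linux/lsm.h
 F:	security/
 F:	tools/testing/selftests/lsm/
+F:	rust/kernel/security.rs
 X:	security/selinux/
 K:	\bsecurity_[a-z_0-9]\+\b
 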
+3
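--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -116,6 +116,9 @@
 	int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
 	int lbs_tun_dev;
 	int lbs_bdev;
+	int lbs_bpf_map;
+	int lbs_bpf_prog;
+	int lbs_bpf_token;
 };
 
 /*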
+1 -5
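--- a/rust/kernel/cred.rs
+++ b/rust/kernel/cred.rs
@@ -8,11 +8,7 @@
 //!
 //! Reference: <https://www.kernel.org/doc/html/latest/security/credentials.html>
 
-use crate::{
-    bindings,
-    task::Kuid,
-    types::{AlwaysRefCounted, Opaque},
-};
+use crate::{bindings, sync::aref::AlwaysRefCounted, task::Kuid, types::Opaque};
 
 /// Wraps the kernel's `struct cred`.
 ///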
+1
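--- a/security/Kconfig
+++ b/security/Kconfig
@@ -269,6 +269,7 @@
 
 config LSM
 	string "Ordered list of enabled LSMs"
+	depends on SECURITY
 	default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
 	default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
 	default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO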
+2 -4
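--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -3,6 +3,7 @@
 #include <linux/mm.h>
 #include <linux/security.h>
 #include <linux/sysctl.h>
+#include <linux/minmax.h>
 
 /* amount of vm to protect from userspace access by both DAC and the LSM*/
 unsigned long mmap_min_addr;
@@ -16,10 +17,7 @@
 static void update_mmap_min_addr(void)
 {
 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
-	if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
-		mmap_min_addr = dac_mmap_min_addr;
-	else
-		mmap_min_addr = CONFIG_LSM_MMAP_MIN_ADDR;
+	mmap_min_addr = umax(dac_mmap_min_addr, CONFIG_LSM_MMAP_MIN_ADDR);
 #else
 	mmap_min_addr = dac_mmap_min_addr;
 #endif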
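Review bot: The new `#include <linux/minmax.h>` in the first hunk is appended after `<linux/sysctl.h>`, which breaks the alphabetical order the neighbouring includes (`mm.h`, `security.h`, `sysctl.h`) follow; placing it between `<linux/mm.h>` and `<linux/security.h>` keeps the list sorted. In the second hunk umax() rather than max() is the appropriate helper, since CONFIG_LSM_MMAP_MIN_ADDR is a plain integer constant while dac_mmap_min_addr is presumably declared `unsigned long` like the visible mmap_min_addr. The closing brace of update_mmap_min_addr() lies outside the hunk.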
+85 -13
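--- a/security/security.c
+++ b/security/security.c
@@ -283,6 +283,9 @@
 	lsm_set_blob_size(&needed->lbs_xattr_count,
 			  &blob_sizes.lbs_xattr_count);
 	lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev);
+	lsm_set_blob_size(&needed->lbs_bpf_map, &blob_sizes.lbs_bpf_map);
+	lsm_set_blob_size(&needed->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog);
+	lsm_set_blob_size(&needed->lbs_bpf_token, &blob_sizes.lbs_bpf_token);
 }
 
 /* Prepare LSM for initialization. */
@@ -480,6 +483,9 @@
 	init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev);
 	init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count);
 	init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev);
+	init_debug("bpf map blob size = %d\n", blob_sizes.lbs_bpf_map);
+	init_debug("bpf prog blob size = %d\n", blob_sizes.lbs_bpf_prog);
+	init_debug("bpf token blob size = %d\n", blob_sizes.lbs_bpf_token);
 
 	/*
 	 * Create any kmem_caches needed for blobs
@@ -823,17 +829,50 @@
  */
 static int lsm_bdev_alloc(struct block_device *bdev)
 {
-	if (blob_sizes.lbs_bdev == 0) {
-		bdev->bd_security = NULL;
-		return 0;
-	}
-
-	bdev->bd_security = kzalloc(blob_sizes.lbs_bdev, GFP_KERNEL);
-	if (!bdev->bd_security)
-		return -ENOMEM;
-
-	return 0;
+	return lsm_blob_alloc(&bdev->bd_security, blob_sizes.lbs_bdev,
+			      GFP_KERNEL);
 }
+
+#ifdef CONFIG_BPF_SYSCALL
+/**
+ * lsm_bpf_map_alloc - allocate a composite bpf_map blob
+ * @map: the bpf_map that needs a blob
+ *
+ * Allocate the bpf_map blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+static int lsm_bpf_map_alloc(struct bpf_map *map)
+{
+	return lsm_blob_alloc(&map->security, blob_sizes.lbs_bpf_map, GFP_KERNEL);
+}
+
+/**
+ * lsm_bpf_prog_alloc - allocate a composite bpf_prog blob
+ * @prog: the bpf_prog that needs a blob
+ *
+ * Allocate the bpf_prog blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+static int lsm_bpf_prog_alloc(struct bpf_prog *prog)
+{
+	return lsm_blob_alloc(&prog->aux->security, blob_sizes.lbs_bpf_prog, GFP_KERNEL);
+}
+
+/**
+ * lsm_bpf_token_alloc - allocate a composite bpf_token blob
+ * @token: the bpf_token that needs a blob
+ *
+ * Allocate the bpf_token blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+static int lsm_bpf_token_alloc(struct bpf_token *token)
+{
+	return lsm_blob_alloc(&token->security, blob_sizes.lbs_bpf_token, GFP_KERNEL);
+}
+#endif /* CONFIG_BPF_SYSCALL */
 
 /**
  * lsm_early_task - during initialization allocate a composite task blob
@@ -5728,7 +5767,16 @@
 int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
 			    struct bpf_token *token, bool kernel)
 {
-	return call_int_hook(bpf_map_create, map, attr, token, kernel);
+	int rc;
+
+	rc = lsm_bpf_map_alloc(map);
+	if (unlikely(rc))
+		return rc;
+
+	rc = call_int_hook(bpf_map_create, map, attr, token, kernel);
+	if (unlikely(rc))
+		security_bpf_map_free(map);
+	return rc;
 }
 
 /**
@@ -5747,7 +5795,16 @@
 int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
 			   struct bpf_token *token, bool kernel)
 {
-	return call_int_hook(bpf_prog_load, prog, attr, token, kernel);
+	int rc;
+
+	rc = lsm_bpf_prog_alloc(prog);
+	if (unlikely(rc))
+		return rc;
+
+	rc = call_int_hook(bpf_prog_load, prog, attr, token, kernel);
+	if (unlikely(rc))
+		security_bpf_prog_free(prog);
+	return rc;
 }
 
 /**
@@ -5764,7 +5821,16 @@
 int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
 			      const struct path *path)
 {
-	return call_int_hook(bpf_token_create, token, attr, path);
+	int rc;
+
+	rc = lsm_bpf_token_alloc(token);
+	if (unlikely(rc))
+		return rc;
+
+	rc = call_int_hook(bpf_token_create, token, attr, path);
+	if (unlikely(rc))
+		security_bpf_token_free(token);
+	return rc;
 }
 
 /**
@@ -5808,6 +5874,8 @@
 void security_bpf_map_free(struct bpf_map *map)
 {
 	call_void_hook(bpf_map_free, map);
+	kfree(map->security);
+	map->security = NULL;
 }
 
 /**
@@ -5819,6 +5887,8 @@
 void security_bpf_prog_free(struct bpf_prog *prog)
 {
 	call_void_hook(bpf_prog_free, prog);
+	kfree(prog->aux->security);
+	prog->aux->security = NULL;
 }
 
 /**
@@ -5830,6 +5900,8 @@
 void security_bpf_token_free(struct bpf_token *token)
 {
 	call_void_hook(bpf_token_free, token);
+	kfree(token->security);
+	token->security = NULL;
 }
 #endif /* CONFIG_BPF_SYSCALL */
 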
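Review bot: In the security_bpf_map_create() hunk the framework now calls security_bpf_map_free() itself when the bpf_map_create hook fails, and security_bpf_prog_load() and security_bpf_token_create() do the same; if the callers in kernel/bpf (not part of this merge) still invoke the matching security_bpf_*_free() on their own error path, every LSM's bpf_*_free hook would run a second time for the same object, this time with the blob pointer already NULL. The kfree()-then-NULL sequence added to the free functions makes the repeated kfree() harmless, so the thing to confirm against the callers is only whether LSMs may observe two free hook calls per failed create. As a point of style, the three new lsm_bpf_*_alloc() helpers put the whole lsm_blob_alloc() call on one line and run past 80 columns, whereas lsm_bdev_alloc() directly above now wraps before GFP_KERNEL; e.g. `return lsm_blob_alloc(&prog->aux->security, blob_sizes.lbs_bpf_prog,` / `GFP_KERNEL);` would match it. Their kernel-doc also uses a free-form `Returns 0, or -ENOMEM ...` line rather than a `Return:` section, which kernel-doc tooling recognises.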
+10 -46
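--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7066,14 +7066,14 @@
 
 	if (file->f_op == &bpf_map_fops) {
 		map = file->private_data;
-		bpfsec = map->security;
+		bpfsec = selinux_bpf_map_security(map);
 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
 				   bpf_map_fmode_to_av(file->f_mode), NULL);
 		if (ret)
 			return ret;
 	} else if (file->f_op == &bpf_prog_fops) {
 		prog = file->private_data;
-		bpfsec = prog->aux->security;
+		bpfsec = selinux_bpf_prog_security(prog);
 		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
 				   BPF__PROG_RUN, NULL);
 		if (ret)
@@ -7087,7 +7087,7 @@
 	u32 sid = current_sid();
 	struct bpf_security_struct *bpfsec;
 
-	bpfsec = map->security;
+	bpfsec = selinux_bpf_map_security(map);
 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
 			    bpf_map_fmode_to_av(fmode), NULL);
 }
@@ -7097,7 +7097,7 @@
 	u32 sid = current_sid();
 	struct bpf_security_struct *bpfsec;
 
-	bpfsec = prog->aux->security;
+	bpfsec = selinux_bpf_prog_security(prog);
 	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
 			    BPF__PROG_RUN, NULL);
 }
@@ -7107,22 +7107,10 @@
 {
 	struct bpf_security_struct *bpfsec;
 
-	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
-	if (!bpfsec)
-		return -ENOMEM;
-
+	bpfsec = selinux_bpf_map_security(map);
 	bpfsec->sid = current_sid();
-	map->security = bpfsec;
 
 	return 0;
-}
-
-static void selinux_bpf_map_free(struct bpf_map *map)
-{
-	struct bpf_security_struct *bpfsec = map->security;
-
-	map->security = NULL;
-	kfree(bpfsec);
 }
 
 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
@@ -7130,22 +7118,10 @@
 {
 	struct bpf_security_struct *bpfsec;
 
-	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
-	if (!bpfsec)
-		return -ENOMEM;
-
+	bpfsec = selinux_bpf_prog_security(prog);
 	bpfsec->sid = current_sid();
-	prog->aux->security = bpfsec;
 
 	return 0;
-}
-
-static void selinux_bpf_prog_free(struct bpf_prog *prog)
-{
-	struct bpf_security_struct *bpfsec = prog->aux->security;
-
-	prog->aux->security = NULL;
-	kfree(bpfsec);
 }
 
 static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
@@ -7153,22 +7129,10 @@
 {
 	struct bpf_security_struct *bpfsec;
 
-	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
-	if (!bpfsec)
-		return -ENOMEM;
-
+	bpfsec = selinux_bpf_token_security(token);
 	bpfsec->sid = current_sid();
-	token->security = bpfsec;
 
 	return 0;
-}
-
-static void selinux_bpf_token_free(struct bpf_token *token)
-{
-	struct bpf_security_struct *bpfsec = token->security;
-
-	token->security = NULL;
-	kfree(bpfsec);
 }
 #endif
 
@@ -7187,6 +7151,9 @@
 	.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
 	.lbs_tun_dev = sizeof(struct tun_security_struct),
 	.lbs_ib = sizeof(struct ib_security_struct),
+	.lbs_bpf_map = sizeof(struct bpf_security_struct),
+	.lbs_bpf_prog = sizeof(struct bpf_security_struct),
+	.lbs_bpf_token = sizeof(struct bpf_security_struct),
 };
 
 #ifdef CONFIG_PERF_EVENTS
@@ -7540,9 +7507,6 @@
 	LSM_HOOK_INIT(bpf, selinux_bpf),
 	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
 	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
-	LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
-	LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
-	LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
 #endif
 
 #ifdef CONFIG_PERF_EVENTS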
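Review bot: In the selinux_bpf_map_create() hunk `bpfsec` is still declared on its own line and assigned two lines later, a leftover of the removed kzalloc() path; now that the accessor cannot fail it reads better initialised at declaration, `struct bpf_security_struct *bpfsec = selinux_bpf_map_security(map);`, dropping the blank line and the separate assignment. The same applies to the selinux_bpf_prog_load() and selinux_bpf_token_create() hunks. The three functions now return 0 unconditionally; a one-line comment there noting that the blob itself is allocated by the LSM framework before the hook runs would help the next reader, since the allocation no longer happens in this file. The signature of each of these functions starts outside its hunk.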
+20
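--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -26,6 +26,7 @@
 #include <linux/lsm_hooks.h>
 #include <linux/msg.h>
 #include <net/net_namespace.h>
+#include <linux/bpf.h>
 #include "flask.h"
 #include "avc.h"
 
@@ -245,4 +246,23 @@
 	return perf_event + selinux_blob_sizes.lbs_perf_event;
 }
 
+#ifdef CONFIG_BPF_SYSCALL
+static inline struct bpf_security_struct *
+selinux_bpf_map_security(struct bpf_map *map)
+{
+	return map->security + selinux_blob_sizes.lbs_bpf_map;
+}
+
+static inline struct bpf_security_struct *
+selinux_bpf_prog_security(struct bpf_prog *prog)
+{
+	return prog->aux->security + selinux_blob_sizes.lbs_bpf_prog;
+}
+
+static inline struct bpf_security_struct *
+selinux_bpf_token_security(struct bpf_token *token)
+{
+	return token->security + selinux_blob_sizes.lbs_bpf_token;
+}
+#endif /* CONFIG_BPF_SYSCALL */
 #endif /* _SELINUX_OBJSEC_H_ */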
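Review bot: The new `#include <linux/bpf.h>` in the first hunk is placed after `<net/net_namespace.h>`, between the system headers and the local `"flask.h"`/`"avc.h"` includes, rather than with the other `<linux/...>` headers that precede it; moving it up ahead of `<linux/lsm_hooks.h>` keeps the groups intact. The three accessors in the second hunk add a blob offset to what is apparently a `void *` security pointer, as the existing accessor directly above them does, so they are only meaningful once the LSM framework has allocated the blob; a short comment on the `#ifdef CONFIG_BPF_SYSCALL` group, e.g. `/* blobs are allocated by the LSM framework before the create/load hooks run */`, would record that precondition for callers. The accessors are complete within the hunk.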