
bpf: Introduce BPF_PROG_TYPE_LSM

Introduce types and configs for bpf programs that can be attached to
LSM hooks. The programs can be enabled by the config option
CONFIG_BPF_LSM.

Signed-off-by: KP Singh <kpsingh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Brendan Jackman <jackmanb@google.com>
Reviewed-by: Florent Revest <revest@google.com>
Reviewed-by: Thomas Garnier <thgarnie@google.com>
Acked-by: Yonghong Song <yhs@fb.com>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Link: https://lore.kernel.org/bpf/20200329004356.27286-2-kpsingh@chromium.org

authored by

KP Singh and committed by
Daniel Borkmann
fc611f47 e5fb60ee

+49 -6
+1
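--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3147,6 +3147,7 @@
 R:	Song Liu <songliubraving@fb.com>
 R:	Yonghong Song <yhs@fb.com>
 R:	Andrii Nakryiko <andriin@fb.com>
+R:	KP Singh <kpsingh@chromium.org>
 L:	netdev@vger.kernel.org
 L:	bpf@vger.kernel.org
 T:	git git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git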
+3
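--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1515,6 +1515,9 @@
 extern const struct bpf_func_proto bpf_jiffies64_proto;
 extern const struct bpf_func_proto bpf_get_ns_current_pid_tgid_proto;
 
+const struct bpf_func_proto *bpf_tracing_func_proto(
+	enum bpf_func_id func_id, const struct bpf_prog *prog);
+
 /* Shared helpers among cBPF and eBPF. */
 void bpf_user_rnd_init_once(void);
 u64 bpf_user_rnd_u32(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5);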
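Review bot: The newly exported prototype of bpf_tracing_func_proto carries no comment, although dropping `static` in kernel/trace/bpf_trace.c turns a file-local helper table into a kernel-wide contract that kernel/bpf/bpf_lsm.c now builds on. A one-line comment above the declaration, e.g. `/* Helper set of the tracing program types; also used by BPF_PROG_TYPE_LSM (kernel/bpf/bpf_lsm.c). */`, would tell a reader why the symbol is defined in the tracing code yet visible here. The same documentation gap applies to the definition hunk in kernel/trace/bpf_trace.c, where a kernel-doc block on the function would be the natural place to state which program types share this set.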
+4
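--- a/include/linux/bpf_types.h
+++ b/include/linux/bpf_types.h
@@ -70,6 +70,10 @@
 	      void *, void *)
 BPF_PROG_TYPE(BPF_PROG_TYPE_EXT, bpf_extension,
 	      void *, void *)
+#ifdef CONFIG_BPF_LSM
+BPF_PROG_TYPE(BPF_PROG_TYPE_LSM, lsm,
+	      void *, void *)
+#endif /* CONFIG_BPF_LSM */
 #endif
 
 BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops)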
+2
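--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -181,6 +181,7 @@
 	BPF_PROG_TYPE_TRACING,
 	BPF_PROG_TYPE_STRUCT_OPS,
 	BPF_PROG_TYPE_EXT,
+	BPF_PROG_TYPE_LSM,
 };
 
 enum bpf_attach_type {
@@ -211,6 +212,7 @@
 	BPF_TRACE_FENTRY,
 	BPF_TRACE_FEXIT,
 	BPF_MODIFY_RETURN,
+	BPF_LSM_MAC,
 	__MAX_BPF_ATTACH_TYPE
 };
 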
+12
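--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1616,6 +1616,18 @@
 # end of the "standard kernel features (expert users)" menu
 
 # syscall, maps, verifier
+
+config BPF_LSM
+	bool "LSM Instrumentation with BPF"
+	depends on BPF_SYSCALL
+	depends on SECURITY
+	depends on BPF_JIT
+	help
+	  Enables instrumentation of the security hooks with eBPF programs for
+	  implementing dynamic MAC and Audit Policies.
+
+	  If you are unsure how to answer this question, answer N.
+
 config BPF_SYSCALL
 	bool "Enable bpf() system call"
 	select BPF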
+1
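--- a/kernel/bpf/Makefile
+++ b/kernel/bpf/Makefile
@@ -29,4 +29,5 @@
 endif
 ifeq ($(CONFIG_BPF_JIT),y)
 obj-$(CONFIG_BPF_SYSCALL) += bpf_struct_ops.o
+obj-${CONFIG_BPF_LSM} += bpf_lsm.o
 endif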
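Review bot: The added line spells the variable as `${CONFIG_BPF_LSM}` while the line directly above uses `$(CONFIG_BPF_SYSCALL)`; both forms are valid in make, but mixing them on adjacent lines reads like a typo and trips simple greps for `$(CONFIG_`. `obj-$(CONFIG_BPF_LSM) += bpf_lsm.o` keeps the file consistent. Placing the object inside the `ifeq ($(CONFIG_BPF_JIT),y)` block is consistent with the `depends on BPF_JIT` line added in init/Kconfig.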
+17
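--- /dev/null
+++ b/kernel/bpf/bpf_lsm.c
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (C) 2020 Google LLC.
+ */
+
+#include <linux/filter.h>
+#include <linux/bpf.h>
+#include <linux/btf.h>
+
+const struct bpf_prog_ops lsm_prog_ops = {
+};
+
+const struct bpf_verifier_ops lsm_verifier_ops = {
+	.get_func_proto = bpf_tracing_func_proto,
+	.is_valid_access = btf_ctx_access,
+};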
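Review bot: lsm_verifier_ops wires `.get_func_proto = bpf_tracing_func_proto` without a comment, so nothing in this file records that LSM programs receive exactly the tracing helper set and that any helper later added to that function becomes callable from security hooks as well. A short comment above the struct, e.g. `/* LSM programs share the tracing helper set; additions to bpf_tracing_func_proto are reachable from security hooks too. */`, would make that coupling visible to whoever next extends the tracing helpers. `lsm_prog_ops` appears intentionally empty; a one-line comment noting that no program-type specific ops are provided yet would stop readers from taking it for an omission.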
+6 -6
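--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -779,8 +779,8 @@
 	.arg1_type	= ARG_ANYTHING,
 };
 
-static const struct bpf_func_proto *
-tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
+const struct bpf_func_proto *
+bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
 	switch (func_id) {
 	case BPF_FUNC_map_lookup_elem:
@@ -865,7 +865,7 @@
 		return &bpf_override_return_proto;
 #endif
 	default:
-		return tracing_func_proto(func_id, prog);
+		return bpf_tracing_func_proto(func_id, prog);
 	}
 }
 
@@ -975,7 +975,7 @@
 	case BPF_FUNC_get_stack:
 		return &bpf_get_stack_proto_tp;
 	default:
-		return tracing_func_proto(func_id, prog);
+		return bpf_tracing_func_proto(func_id, prog);
 	}
 }
 
@@ -1082,7 +1082,7 @@
 	case BPF_FUNC_read_branch_records:
 		return &bpf_read_branch_records_proto;
 	default:
-		return tracing_func_proto(func_id, prog);
+		return bpf_tracing_func_proto(func_id, prog);
 	}
 }
 
@@ -1210,7 +1210,7 @@
 	case BPF_FUNC_get_stack:
 		return &bpf_get_stack_proto_raw_tp;
 	default:
-		return tracing_func_proto(func_id, prog);
+		return bpf_tracing_func_proto(func_id, prog);
 	}
 }
 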
+2
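--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -181,6 +181,7 @@
 	BPF_PROG_TYPE_TRACING,
 	BPF_PROG_TYPE_STRUCT_OPS,
 	BPF_PROG_TYPE_EXT,
+	BPF_PROG_TYPE_LSM,
 };
 
 enum bpf_attach_type {
@@ -211,6 +212,7 @@
 	BPF_TRACE_FENTRY,
 	BPF_TRACE_FEXIT,
 	BPF_MODIFY_RETURN,
+	BPF_LSM_MAC,
 	__MAX_BPF_ATTACH_TYPE
 };
 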
+1
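--- a/tools/lib/bpf/libbpf_probes.c
+++ b/tools/lib/bpf/libbpf_probes.c
@@ -108,6 +108,7 @@
 	case BPF_PROG_TYPE_TRACING:
 	case BPF_PROG_TYPE_STRUCT_OPS:
 	case BPF_PROG_TYPE_EXT:
+	case BPF_PROG_TYPE_LSM:
 	default:
 		break;
 	}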