From: Kees Cook <keescook@chromium.org>
To: KP Singh <kpsingh@chromium.org>
Cc: linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org,
Brendan Jackman <jackmanb@google.com>,
Florent Revest <revest@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
James Morris <jmorris@namei.org>, Paul Turner <pjt@google.com>,
Jann Horn <jannh@google.com>,
Florent Revest <revest@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks
Date: Mon, 23 Mar 2020 12:44:38 -0700 [thread overview]
Message-ID: <202003231237.F654B379@keescook> (raw)
In-Reply-To: <20200323164415.12943-6-kpsingh@chromium.org>
On Mon, Mar 23, 2020 at 05:44:13PM +0100, KP Singh wrote:
> From: KP Singh <kpsingh@google.com>
>
> The bpf_lsm_ nops are initialized into the LSM framework like any other
> LSM. Some LSM hooks do not have 0 as their default return value. The
> __weak symbol for these hooks is overridden by a corresponding
> definition in security/bpf/hooks.c
>
> The LSM can be enabled / disabled with CONFIG_LSM.
>
> Signed-off-by: KP Singh <kpsingh@google.com>
Nice! This is super clean on the LSM side of things. :)
One note below...
> Reviewed-by: Brendan Jackman <jackmanb@google.com>
> Reviewed-by: Florent Revest <revest@google.com>
> ---
> security/Kconfig | 10 ++++----
> security/Makefile | 2 ++
> security/bpf/Makefile | 5 ++++
> security/bpf/hooks.c | 55 +++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 67 insertions(+), 5 deletions(-)
> create mode 100644 security/bpf/Makefile
> create mode 100644 security/bpf/hooks.c
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 2a1a2d396228..cd3cc7da3a55 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -277,11 +277,11 @@ endchoice
>
> config LSM
> string "Ordered list of enabled LSMs"
> - default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
> - default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
> - default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
> - default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
> - default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
> + default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
> + default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
> + default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
> + default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
> + default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
> help
> A comma-separated list of LSMs, in initialization order.
> Any LSMs left off this list will be ignored. This can be
> diff --git a/security/Makefile b/security/Makefile
> index 746438499029..22e73a3482bd 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -12,6 +12,7 @@ subdir-$(CONFIG_SECURITY_YAMA) += yama
> subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
> subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
> subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown
> +subdir-$(CONFIG_BPF_LSM) += bpf
>
> # always enable default capabilities
> obj-y += commoncap.o
> @@ -30,6 +31,7 @@ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
> obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
> obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
> +obj-$(CONFIG_BPF_LSM) += bpf/
>
> # Object integrity file lists
> subdir-$(CONFIG_INTEGRITY) += integrity
> diff --git a/security/bpf/Makefile b/security/bpf/Makefile
> new file mode 100644
> index 000000000000..c7a89a962084
> --- /dev/null
> +++ b/security/bpf/Makefile
> @@ -0,0 +1,5 @@
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# Copyright (C) 2020 Google LLC.
> +
> +obj-$(CONFIG_BPF_LSM) := hooks.o
> diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
> new file mode 100644
> index 000000000000..68e5824868f9
> --- /dev/null
> +++ b/security/bpf/hooks.c
> @@ -0,0 +1,55 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +/*
> + * Copyright (C) 2020 Google LLC.
> + */
> +#include <linux/lsm_hooks.h>
> +#include <linux/bpf_lsm.h>
> +
> +/* Some LSM hooks do not have 0 as their default return values. Override the
> + * __weak definitons generated by default for these hooks
If you wanted to avoid this, couldn't you make the default return value
part of lsm_hooks.h?
e.g.:
LSM_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct inode *inode,
const char *name, void **buffer, bool alloc)
...
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
LSM_HOOK_##RET(NAME, DEFAULT, __VA_ARGS__)
...
#define LSM_HOOK_int(NAME, DEFAULT, ...) \
noinline int bpf_lsm_##NAME(__VA_ARGS__) \
{ \
return (DEFAULT); \
}
Then all the __weak stuff is gone, and the following 4 functions don't
need to be written out, and the information is available to the macros
if anyone else might ever want it.
-Kees
> + */
> +noinline int bpf_lsm_inode_getsecurity(struct inode *inode, const char *name,
> + void **buffer, bool alloc)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +noinline int bpf_lsm_inode_setsecurity(struct inode *inode, const char *name,
> + const void *value, size_t size,
> + int flags)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +noinline int bpf_lsm_task_prctl(int option, unsigned long arg2,
> + unsigned long arg3, unsigned long arg4,
> + unsigned long arg5)
> +{
> + return -ENOSYS;
> +}
> +
> +noinline int bpf_lsm_xfrm_state_pol_flow_match(struct xfrm_state *x,
> + struct xfrm_policy *xp,
> + const struct flowi *fl)
> +{
> + return 1;
> +}
> +
> +static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
> + #define LSM_HOOK(RET, NAME, ...) LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
> + #include <linux/lsm_hook_names.h>
> + #undef LSM_HOOK
> +};
> +
> +static int __init bpf_lsm_init(void)
> +{
> + security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf");
> + pr_info("LSM support for eBPF active\n");
> + return 0;
> +}
> +
> +DEFINE_LSM(bpf) = {
> + .name = "bpf",
> + .init = bpf_lsm_init,
> +};
> --
> 2.20.1
>
--
Kees Cook
next prev parent reply other threads:[~2020-03-23 19:44 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-23 16:44 [PATCH bpf-next v5 0/8] MAC and Audit policy using eBPF (KRSI) KP Singh
2020-03-23 16:44 ` [PATCH bpf-next v5 1/7] bpf: Introduce BPF_PROG_TYPE_LSM KP Singh
2020-03-23 19:02 ` Yonghong Song
2020-03-23 16:44 ` [PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks KP Singh
2020-03-23 19:33 ` Kees Cook
2020-03-23 19:56 ` Andrii Nakryiko
2020-03-24 16:06 ` KP Singh
2020-03-23 16:44 ` [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs KP Singh
2020-03-23 19:04 ` Yonghong Song
2020-03-23 19:33 ` Kees Cook
2020-03-23 19:59 ` Andrii Nakryiko
2020-03-24 10:39 ` KP Singh
2020-03-24 16:12 ` KP Singh
2020-03-24 21:26 ` Andrii Nakryiko
2020-03-24 22:39 ` KP Singh
2020-03-23 16:44 ` [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution KP Singh
2020-03-23 19:16 ` Yonghong Song
2020-03-23 19:44 ` KP Singh
2020-03-23 20:18 ` Andrii Nakryiko
2020-03-24 19:00 ` KP Singh
2020-03-24 14:35 ` Stephen Smalley
2020-03-24 14:50 ` KP Singh
2020-03-24 14:58 ` Stephen Smalley
2020-03-24 16:25 ` Casey Schaufler
2020-03-24 17:49 ` Stephen Smalley
2020-03-24 18:01 ` Kees Cook
2020-03-24 18:06 ` KP Singh
2020-03-24 18:21 ` Stephen Smalley
2020-03-24 18:27 ` KP Singh
2020-03-24 18:31 ` KP Singh
2020-03-24 18:34 ` Kees Cook
2020-03-24 18:33 ` Kees Cook
2020-03-23 16:44 ` [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks KP Singh
2020-03-23 19:44 ` Kees Cook [this message]
2020-03-23 19:47 ` KP Singh
2020-03-23 20:21 ` Andrii Nakryiko
2020-03-23 20:47 ` Casey Schaufler
2020-03-23 21:44 ` Kees Cook
2020-03-23 21:58 ` Casey Schaufler
2020-03-23 22:12 ` Kees Cook
2020-03-23 23:39 ` Casey Schaufler
2020-03-24 1:53 ` KP Singh
2020-03-25 14:35 ` KP Singh
2020-03-24 1:13 ` Casey Schaufler
2020-03-24 1:52 ` KP Singh
2020-03-24 14:37 ` Stephen Smalley
2020-03-24 14:42 ` KP Singh
2020-03-24 14:51 ` Stephen Smalley
2020-03-24 14:51 ` KP Singh
2020-03-24 17:57 ` Kees Cook
2020-03-23 16:44 ` [PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM KP Singh
2020-03-23 19:21 ` Yonghong Song
2020-03-23 20:25 ` Andrii Nakryiko
2020-03-24 1:57 ` KP Singh
2020-03-23 16:44 ` [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests " KP Singh
2020-03-23 20:04 ` Yonghong Song
2020-03-24 20:04 ` KP Singh
2020-03-24 23:54 ` Andrii Nakryiko
2020-03-25 0:36 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202003231237.F654B379@keescook \
--to=keescook@chromium.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=jackmanb@chromium.org \
--cc=jackmanb@google.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pjt@google.com \
--cc=revest@chromium.org \
--cc=revest@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.