From: KP Singh <kpsingh@kernel.org>
To: linux-security-module@vger.kernel.org, bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, memxor@gmail.com,
James.Bottomley@HansenPartnership.com, paul@paul-moore.com,
KP Singh <kpsingh@kernel.org>
Subject: [PATCH bpf-next 12/13] ipe: gate post-integrity BPF program loads
Date: Fri, 22 May 2026 04:32:32 +0200
Message-ID: <20260522023234.3778588-13-kpsingh@kernel.org>
In-Reply-To: <20260522023234.3778588-1-kpsingh@kernel.org>
Register on security_bpf_prog_load_post_integrity and expose a new
IPE op BPF_PROG_LOAD_POST_INTEGRITY. Kept distinct from
BPF_PROG_LOAD so policies need not reason about the same rule
firing at two timings with different verdict states.
Signed-off-by: KP Singh <kpsingh@kernel.org>
---
security/ipe/audit.c | 2 ++
security/ipe/hooks.c | 6 ++++++
security/ipe/hooks.h | 2 ++
security/ipe/ipe.c | 1 +
security/ipe/policy.h | 1 +
security/ipe/policy_parser.c | 1 +
6 files changed, 13 insertions(+)
diff --git a/security/ipe/audit.c b/security/ipe/audit.c
index fec98c396d49..bcb3e6c0a310 100644
--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@@ -42,6 +42,7 @@ static const char *const audit_op_names[__IPE_OP_MAX + 1] = {
"POLICY",
"X509_CERT",
"BPF_PROG_LOAD",
+ "BPF_PROG_LOAD_POST_INTEGRITY",
"UNKNOWN",
};
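Review bot: the new "BPF_PROG_LOAD_POST_INTEGRITY" string is correct only because it sits in exactly the same position as IPE_OP_BPF_PROG_LOAD_POST_INTEGRITY in enum ipe_op_type (policy.h), and the array is sized __IPE_OP_MAX + 1 with "UNKNOWN" as the sentinel at index __IPE_OP_MAX; nothing enforces that coupling at build time. Consider using a designated initializer here, e.g. `[IPE_OP_BPF_PROG_LOAD_POST_INTEGRITY] = "BPF_PROG_LOAD_POST_INTEGRITY",`, so a later reordering of the enum cannot silently mislabel audit records.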
@@ -53,6 +54,7 @@ static const char *const audit_hook_names[__IPE_HOOK_MAX] = {
"KERNEL_READ",
"KERNEL_LOAD",
"BPF_PROG_LOAD",
+ "BPF_PROG_LOAD_POST_INTEGRITY",
};
static const char *const audit_prop_names[__IPE_PROP_MAX] = {
diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
index bdc1b634bb08..3f6e260a8787 100644
--- a/security/ipe/hooks.c
+++ b/security/ipe/hooks.c
@@ -335,6 +335,12 @@ int ipe_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
return ipe_evaluate_event(&ctx);
}
+/**
+ * ipe_bpf_prog_load_post_integrity() - IPE hook for post-integrity verdict.
+ * @prog: The loader BPF program.
+ *
+ * Return: %0 on success, %-EACCES if denied by policy.
+ */
int ipe_bpf_prog_load_post_integrity(struct bpf_prog *prog)
{
struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
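Review bot: this hunk adds only the kernel-doc block (all six insertions are comment lines, matching the diffstat), which means the definition of ipe_bpf_prog_load_post_integrity() already exists before this patch while its prototype (hooks.h) and LSM registration (ipe.c) only arrive here; in between, the function is an unused non-static symbol without a prototype, which trips -Wmissing-prototypes and leaves the series harder to bisect. Either move the definition into this patch alongside its declaration, or add the prototype in the patch that introduces the body. The comment should also state which policy op the hook evaluates (BPF_PROG_LOAD_POST_INTEGRITY) and that it runs from the metadata kfunc path rather than at BPF_PROG_LOAD syscall entry, since that timing difference is the whole reason the op is kept separate.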
diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
index abdedd436aa8..bd24067705ea 100644
--- a/security/ipe/hooks.h
+++ b/security/ipe/hooks.h
@@ -20,6 +20,7 @@ enum ipe_hook_type {
IPE_HOOK_KERNEL_READ,
IPE_HOOK_KERNEL_LOAD,
IPE_HOOK_BPF_PROG_LOAD,
+ IPE_HOOK_BPF_PROG_LOAD_POST_INTEGRITY,
__IPE_HOOK_MAX
};
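Review bot: appending IPE_HOOK_BPF_PROG_LOAD_POST_INTEGRITY immediately before __IPE_HOOK_MAX keeps existing indices stable, but audit_hook_names[] in audit.c is sized __IPE_HOOK_MAX and indexed positionally, so any future entry inserted above this line without a matching string would leave a NULL slot in the audit name table. A one-line comment on the enum noting that audit.c must be updated in lockstep (or designated initializers in that table) would make the dependency explicit.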
@@ -57,6 +58,7 @@ int ipe_inode_setintegrity(const struct inode *inode, enum lsm_integrity_type ty
#ifdef CONFIG_IPE_PROP_BPF_SIGNATURE
int ipe_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
struct bpf_token *token, bool kernel);
+int ipe_bpf_prog_load_post_integrity(struct bpf_prog *prog);
#endif /* CONFIG_IPE_PROP_BPF_SIGNATURE */
#endif /* _IPE_HOOKS_H */
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 17ace9236253..d5e6f339639a 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -62,6 +62,7 @@ static struct security_hook_list ipe_hooks[] __ro_after_init = {
#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
#ifdef CONFIG_IPE_PROP_BPF_SIGNATURE
LSM_HOOK_INIT(bpf_prog_load, ipe_bpf_prog_load),
+ LSM_HOOK_INIT(bpf_prog_load_post_integrity, ipe_bpf_prog_load_post_integrity),
#endif /* CONFIG_IPE_PROP_BPF_SIGNATURE */
};
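Review bot: both bpf_prog_load and bpf_prog_load_post_integrity are registered only under CONFIG_IPE_PROP_BPF_SIGNATURE, yet the policy parser accepts op=BPF_PROG_LOAD_POST_INTEGRITY unconditionally. On a kernel with that option disabled, a rule such as `op=BPF_PROG_LOAD_POST_INTEGRITY action=DENY` parses cleanly but never fires, which is a silent fail-open from the policy author's point of view. This mirrors the existing BPF_PROG_LOAD behaviour, but the Kconfig help text or the IPE policy documentation should spell out that both BPF ops depend on this option.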
diff --git a/security/ipe/policy.h b/security/ipe/policy.h
index eb066750a48b..84b3e69e618d 100644
--- a/security/ipe/policy.h
+++ b/security/ipe/policy.h
@@ -18,6 +18,7 @@ enum ipe_op_type {
IPE_OP_POLICY,
IPE_OP_X509,
IPE_OP_BPF_PROG_LOAD,
+ IPE_OP_BPF_PROG_LOAD_POST_INTEGRITY,
__IPE_OP_MAX,
};
diff --git a/security/ipe/policy_parser.c b/security/ipe/policy_parser.c
index c1e374d2ec34..350cc93a1af1 100644
--- a/security/ipe/policy_parser.c
+++ b/security/ipe/policy_parser.c
@@ -238,6 +238,7 @@ static const match_table_t operation_tokens = {
{IPE_OP_POLICY, "op=POLICY"},
{IPE_OP_X509, "op=X509_CERT"},
{IPE_OP_BPF_PROG_LOAD, "op=BPF_PROG_LOAD"},
+ {IPE_OP_BPF_PROG_LOAD_POST_INTEGRITY, "op=BPF_PROG_LOAD_POST_INTEGRITY"},
{IPE_OP_INVALID, NULL}
};
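Review bot: a new user-visible policy operation is added here, but the diffstat lists no change under Documentation/ (the six touched files are all in security/ipe/), so the admin-guide list of supported `op=` values will be stale after this series. Please add BPF_PROG_LOAD_POST_INTEGRITY to the IPE policy documentation, including the note from the commit message that it is evaluated at a different point than BPF_PROG_LOAD and is deliberately not folded into that op. Token matching itself is unaffected by the shared prefix with "op=BPF_PROG_LOAD", since match_token() requires a full-string match for literal patterns.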
--
2.53.0
2026-05-22 2:32 [PATCH bpf-next 00/13] Signed BPF + IPE Policies KP Singh
2026-05-22 2:32 ` [PATCH bpf-next 01/13] bpf: expose signature verdict to LSMs via bpf_prog_aux KP Singh
2026-05-22 2:32 ` [PATCH bpf-next 02/13] bpf: include prog BTF in the signed loader signature scope KP Singh
2026-05-22 2:32 ` [PATCH bpf-next 03/13] bpf, libbpf: load prog BTF in the skel_internal loader KP Singh
2026-05-22 2:32 ` [PATCH bpf-next 04/13] bpf: add bpf_loader_verify_metadata kfunc KP Singh
2026-05-22 2:32 ` [PATCH bpf-next 05/13] bpf: compute prog->digest at BPF_PROG_LOAD entry KP Singh
2026-05-23 16:49 ` Alexei Starovoitov
2026-05-22 2:32 ` [PATCH bpf-next 06/13] bpf: resolve loader-style kfunc CALLs against prog BTF KP Singh
2026-05-23 17:01 ` Alexei Starovoitov
2026-05-22 2:32 ` [PATCH bpf-next 07/13] libbpf: generate prog BTF for loader programs KP Singh
2026-05-22 2:32 ` [PATCH bpf-next 08/13] bpftool gen: embed loader prog BTF in the lskel header KP Singh
2026-05-22 2:32 ` [PATCH bpf-next 09/13] lsm: add bpf_prog_load_post_integrity hook KP Singh
2026-05-24 0:55 ` Paul Moore
2026-05-22 2:32 ` [PATCH bpf-next 10/13] bpf: invoke security_bpf_prog_load_post_integrity from the metadata kfunc KP Singh
2026-05-22 2:32 ` [PATCH bpf-next 11/13] ipe: add BPF program signature properties KP Singh
2026-05-22 2:32 ` KP Singh [this message]
2026-05-22 2:32 ` [PATCH bpf-next 13/13] selftests/bpf: add IPE BPF policy integration tests KP Singh
2026-05-22 18:56 ` [PATCH bpf-next 00/13] Signed BPF + IPE Policies Paul Moore
2026-05-22 20:46 ` KP Singh
2026-05-23 4:07 ` Paul Moore
2026-05-23 8:40 ` Alexei Starovoitov
2026-05-23 12:40 ` Paul Moore
2026-05-23 12:44 ` Paul Moore
2026-05-23 15:43 ` Blaise Boscaccy
2026-05-23 14:34 ` Alexei Starovoitov
2026-05-23 16:34 ` Blaise Boscaccy
2026-05-26 16:23 ` KP Singh