From: Roberto Sassu <roberto.sassu@huawei.com>
To: "zohar@linux.ibm.com" <zohar@linux.ibm.com>,
"shuah@kernel.org" <shuah@kernel.org>,
"ast@kernel.org" <ast@kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"andrii@kernel.org" <andrii@kernel.org>,
"kpsingh@kernel.org" <kpsingh@kernel.org>,
"revest@chromium.org" <revest@chromium.org>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH v2 0/6] bpf-lsm: Extend interoperability with IMA
Date: Fri, 18 Feb 2022 15:01:57 +0000
Message-ID: <4513acbef98840199ff62124601cf455@huawei.com>
In-Reply-To: <20220215124042.186506-1-roberto.sassu@huawei.com>
> From: Roberto Sassu
> Sent: Tuesday, February 15, 2022 1:41 PM
> Extend the interoperability with IMA, to give wider flexibility for the
> implementation of integrity-focused LSMs based on eBPF.
>
> Patch 1 fixes some style issues.
>
> Patches 2-4 give the ability to eBPF-based LSMs to take advantage of the
> measurement capability of IMA without needing to set up a policy in IMA
> (those LSMs might implement the policy capability themselves).
>
> Patches 5-6 allow eBPF-based LSMs to evaluate files read by the kernel.

Hi everyone,

I published the new DIGLIM eBPF, which takes advantage of
the new features introduced with this patch set:

https://github.com/robertosassu/diglim-ebpf

The eBPF program is in ebpf/diglim_kern.c.

If you could have a look and give me some comments
or suggestions, it would be very much appreciated!

Thanks

Roberto

HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Zhong Ronghua
> Changelog
>
> v1:
> - Modify ima_file_hash() only and allow the usage of the function with the
>   modified behavior by eBPF-based LSMs through the new function
>   bpf_ima_file_hash() (suggested by Mimi)
> - Make bpf_lsm_kernel_read_file() sleepable so that bpf_ima_inode_hash()
>   and bpf_ima_file_hash() can be called inside the implementation of
>   eBPF-based LSMs for this hook
>
> Roberto Sassu (6):
>   ima: Fix documentation-related warnings in ima_main.c
>   ima: Always return a file measurement in ima_file_hash()
>   bpf-lsm: Introduce new helper bpf_ima_file_hash()
>   selftests/bpf: Add test for bpf_ima_file_hash()
>   bpf-lsm: Make bpf_lsm_kernel_read_file() as sleepable
>   selftests/bpf: Add test for bpf_lsm_kernel_read_file()
>
> include/uapi/linux/bpf.h | 11 +++++
> kernel/bpf/bpf_lsm.c | 21 +++++++++
> security/integrity/ima/ima_main.c | 47 ++++++++++++-------
> tools/include/uapi/linux/bpf.h | 11 +++++
> tools/testing/selftests/bpf/ima_setup.sh | 2 +
> .../selftests/bpf/prog_tests/test_ima.c | 30 ++++++++++--
> tools/testing/selftests/bpf/progs/ima.c | 34 ++++++++++++--
> 7 files changed, 132 insertions(+), 24 deletions(-)
>
> --
> 2.32.0