From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: Song Liu <song@kernel.org>
Cc: "Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Stephen Smalley" <stephen.smalley.work@gmail.com>,
	"Ondrej Mosnacek" <omosnace@redhat.com>,
	"Casey Schaufler" <casey@schaufler-ca.com>,
	"John Johansen" <john.johansen@canonical.com>,
	"Christian Göttsche" <cgzones@googlemail.com>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, selinux@vger.kernel.org,
	bpf@vger.kernel.org
Subject: Re: [PATCH] lsm,selinux: Add LSM blob support for BPF objects
Date: Fri, 18 Jul 2025 08:32:20 -0700
Message-ID: <878qkl4irf.fsf@microsoft.com>
In-Reply-To: <CAPhsuW6K95bnGvRVOKj-qBJT7DX8JsaO6WZMNauMi1GEqVT1FA@mail.gmail.com>

Song Liu <song@kernel.org> writes:

> On Tue, Jul 15, 2025 at 3:27 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
> [...]
>> +/**
>> + * lsm_bpf_map_alloc - allocate a composite bpf_map blob
>> + * @map: the bpf_map that needs a blob
>> + *
>> + * Allocate the bpf_map blob for all the modules
>> + *
>> + * Returns 0, or -ENOMEM if memory can't be allocated.
>> + */
>> +static int lsm_bpf_map_alloc(struct bpf_map *map)
>> +{
>> +       if (blob_sizes.lbs_bpf_map == 0) {
>> +               map->security = NULL;
>> +               return 0;
>> +       }
>> +
>> +       map->security = kzalloc(blob_sizes.lbs_bpf_map, GFP_KERNEL);
>> +       if (!map->security)
>> +               return -ENOMEM;
>> +
>> +       return 0;
>> +}
>> +
>> +/**
>> + * lsm_bpf_prog_alloc - allocate a composite bpf_prog blob
>> + * @prog: the bpf_prog that needs a blob
>> + *
>> + * Allocate the bpf_prog blob for all the modules
>> + *
>> + * Returns 0, or -ENOMEM if memory can't be allocated.
>> + */
>> +static int lsm_bpf_prog_alloc(struct bpf_prog *prog)
>> +{
>> +       if (blob_sizes.lbs_bpf_prog == 0) {
>> +               prog->aux->security = NULL;
>> +               return 0;
>> +       }
>> +
>> +       prog->aux->security = kzalloc(blob_sizes.lbs_bpf_prog, GFP_KERNEL);
>> +       if (!prog->aux->security)
>> +               return -ENOMEM;
>> +
>> +       return 0;
>> +}
>> +
>> +/**
>> + * lsm_bpf_token_alloc - allocate a composite bpf_token blob
>> + * @token: the bpf_token that needs a blob
>> + *
>> + * Allocate the bpf_token blob for all the modules
>> + *
>> + * Returns 0, or -ENOMEM if memory can't be allocated.
>> + */
>> +static int lsm_bpf_token_alloc(struct bpf_token *token)
>> +{
>> +       if (blob_sizes.lbs_bpf_token == 0) {
>> +               token->security = NULL;
>> +               return 0;
>> +       }
>> +
>> +       token->security = kzalloc(blob_sizes.lbs_bpf_token, GFP_KERNEL);
>> +       if (!token->security)
>> +               return -ENOMEM;
>> +
>> +       return 0;
>> +}
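
Review bot: lsm_bpf_map_alloc(), lsm_bpf_prog_alloc() and lsm_bpf_token_alloc() are the same body three times, differing only in the destination pointer and the blob_sizes field, so any later change to the zero-size or -ENOMEM path has to be made in three places. Suggest routing all three through one helper that takes the destination pointer and the size, leaving each wrapper as a single call, e.g. "return lsm_blob_alloc(&map->security, blob_sizes.lbs_bpf_map, GFP_KERNEL);". A smaller style point: the kernel-doc comments should use the "Return:" section form rather than a free-text "Returns 0, or -ENOMEM ..." sentence.
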
>
> We need the above 3 functions inside #ifdef CONFIG_BPF_SYSCALL.
>
> Also, can we use lsm_blob_alloc() in these functions?
>
> Thanks,
> Song

Sure, I'll get that fixed in V2. Thanks

-blaise

>
> [...]
