Linux Kernel Selftest development
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: "Blaise Boscaccy" <bboscaccy@linux.microsoft.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"David Howells" <dhowells@redhat.com>,
	"Herbert Xu" <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Masahiro Yamada" <masahiroy@kernel.org>,
	"Nathan Chancellor" <nathan@kernel.org>,
	"Nicolas Schier" <nicolas@fjasle.eu>,
	"Shuah Khan" <shuah@kernel.org>,
	"Mickaël Salaün" <mic@digikod.net>,
	"Günther Noack" <gnoack@google.com>,
	"Nick Desaulniers" <nick.desaulniers+lkml@gmail.com>,
	"Bill Wendling" <morbo@google.com>,
	"Justin Stitt" <justinstitt@google.com>,
	"Jarkko Sakkinen" <jarkko@kernel.org>,
	"Jan Stancek" <jstancek@redhat.com>,
	"Neal Gompa" <neal@gompa.dev>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kbuild@vger.kernel.org, linux-kselftest@vger.kernel.org,
	bpf@vger.kernel.org, llvm@lists.linux.dev, nkapron@google.com,
	teknoraver@meta.com, roberto.sassu@huawei.com,
	xiyou.wangcong@gmail.com
Subject: Re: [PATCH v2 security-next 1/4] security: Hornet LSM
Date: Sat, 19 Apr 2025 14:43:05 -0400	[thread overview]
Message-ID: <64859c5c8fd969186c1997a340ed6307e2c70f06.camel@HansenPartnership.com> (raw)
In-Reply-To: <20250404215527.1563146-2-bboscaccy@linux.microsoft.com>

On Fri, 2025-04-04 at 14:54 -0700, Blaise Boscaccy wrote:
[...]
> diff --git a/include/linux/kernel_read_file.h
> b/include/linux/kernel_read_file.h
> index 90451e2e12bd..7ed9337be542 100644
> --- a/include/linux/kernel_read_file.h
> +++ b/include/linux/kernel_read_file.h
> @@ -14,6 +14,7 @@
>  	id(KEXEC_INITRAMFS, kexec-initramfs)	\
>  	id(POLICY, security-policy)		\
>  	id(X509_CERTIFICATE, x509-certificate)	\
> +	id(EBPF, ebpf)				\
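Review bot: adding `id(EBPF, ebpf)` to this shared id() list bumps READING_MAX_ID and LOADING_MAX_ID to 8, and in-tree consumers guard on those values (SELinux's BUILD_BUG_ON_MSG in security/selinux/hooks.c), so this patch needs to carry the matching SELinux change (new case labels in hooks.c plus the permission in classmap.h) rather than leaving any CONFIG_SECURITY_SELINUX=y build broken; the follow-up below shows exactly that failure. The commit message should also name the new SELinux permission so policy maintainers know to add it.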

This causes a BUILD_BUG_ON for me in security/selinux/hooks.c with
CONFIG_SECURITY_SELINUX=y because READING_MAX_ID and LOADING_MAX_ID
become 8.

Below is what I had to do to get the compile to work.

Regards,

James

---

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e7a7dcab81db..9a7ed0b4b08d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4133,7 +4133,7 @@ static int selinux_kernel_read_file(struct file *file,
 {
 	int rc = 0;
 
-	BUILD_BUG_ON_MSG(READING_MAX_ID > 7,
+	BUILD_BUG_ON_MSG(READING_MAX_ID > 8,
 			 "New kernel_read_file_id introduced; update SELinux!");
 
 	switch (id) {
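Review bot: the guard `BUILD_BUG_ON_MSG(READING_MAX_ID > 8,` exists to force a review of the switch below whenever a kernel_read_file_id is added, so bumping 7 to 8 is only correct because the READING_EBPF case is added in the same patch; please keep the two changes together and say so in the commit message, otherwise a later id addition will again break SELinux builds silently until someone hits the assert.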
@@ -4158,6 +4158,10 @@ static int selinux_kernel_read_file(struct file *file,
 		rc = selinux_kernel_load_from_file(file,
 						SYSTEM__X509_CERTIFICATE_LOAD);
 		break;
+	case READING_EBPF:
+		rc = selinux_kernel_load_from_file(file,
+						SYSTEM__EBPF_LOAD);
+		break;
 	default:
 		break;
 	}
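Review bot: `SYSTEM__EBPF_LOAD` is a generated identifier (the av_permissions header is produced from the "system" class list in classmap.h), so this case compiles only together with the classmap.h hunk of this patch; that is fine in one commit, but the hunk should not be split out. Routing READING_EBPF through `selinux_kernel_load_from_file(file, SYSTEM__EBPF_LOAD)` matches how the x509 id is handled, so file-backed eBPF loads get the same per-file permission check as the other ids.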
@@ -4169,7 +4173,7 @@ static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
 {
 	int rc = 0;
 
-	BUILD_BUG_ON_MSG(LOADING_MAX_ID > 7,
+	BUILD_BUG_ON_MSG(LOADING_MAX_ID > 8,
 			 "New kernel_load_data_id introduced; update SELinux!");
 
 	switch (id) {
@@ -4195,6 +4199,10 @@ static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
 		rc = selinux_kernel_load_from_file(NULL,
 						SYSTEM__X509_CERTIFICATE_LOAD);
 		break;
+	case LOADING_EBPF:
+		rc = selinux_kernel_load_from_file(NULL,
+						   SYSTEM__EBPF_LOAD);
+		break;
 	default:
 		break;
 	}
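Review bot: style: the continuation line `SYSTEM__EBPF_LOAD);` in this hunk is indented with extra spaces and no longer lines up with the surrounding `SYSTEM__X509_CERTIFICATE_LOAD);` case or with the READING_EBPF case in the earlier hunk; align it the same way so the two new cases are consistent.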
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 04a9b480885e..671db23451df 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -65,7 +65,7 @@ const struct security_class_mapping secclass_map[] = {
 	  { "ipc_info", "syslog_read", "syslog_mod", "syslog_console",
 	    "module_request", "module_load", "firmware_load",
 	    "kexec_image_load", "kexec_initramfs_load", "policy_load",
-	    "x509_certificate_load", NULL } },
+	    "x509_certificate_load", "ebpf_load", NULL } },
 	{ "capability", { COMMON_CAP_PERMS, NULL } },
 	{ "filesystem",
 	  { "mount", "remount", "unmount", "getattr", "relabelfrom",
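Review bot: appending "ebpf_load" at the end of the "system" permission list is the right placement, since the order of strings in secclass_map defines the generated permission bits and inserting mid-list would renumber existing permissions. Note for the commit message: policies that do not yet define `ebpf_load` on the `system` class will handle the new permission according to their unknown-permission setting, so the SELinux userspace and reference policy need a matching update for eBPF loads to be allowed or audited as intended.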

