From: chenbofeng.kernel@gmail.com (Chenbo Feng)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 3/3] selinux: bpf: Implement the selinux checks for eBPF object
Date: Thu, 31 Aug 2017 13:56:35 -0700	[thread overview]
Message-ID: <20170831205635.80256-4-chenbofeng.kernel@gmail.com> (raw)
In-Reply-To: <20170831205635.80256-1-chenbofeng.kernel@gmail.com>

From: Chenbo Feng <fengc@google.com>

Introduce 5 new selinux checks for eBPF object related operations. The
checks are based on the ownership information of eBPF maps and on the
capability to create eBPF objects.

Signed-off-by: Chenbo Feng <fengc@google.com>
---
 security/selinux/hooks.c            | 54 +++++++++++++++++++++++++++++++++++++
 security/selinux/include/classmap.h |  2 ++
 security/selinux/include/objsec.h   |  4 +++
 3 files changed, 60 insertions(+)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 33fd061305c4..39ad7d9f335d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -85,6 +85,7 @@
 #include <linux/export.h>
 #include <linux/msg.h>
 #include <linux/shm.h>
+#include <linux/bpf.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -6245,6 +6246,52 @@ static void selinux_ib_free_security(void *ib_sec)
 }
 #endif
 
+#ifdef CONFIG_BPF_SYSCALL
+static int selinux_bpf_map_create(void)
+{
+	u32 sid = current_sid();
+
+	return avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, NULL);
+}
+
+static int selinux_bpf_map_modify(struct bpf_map *map)
+{
+	struct bpf_security_struct *bpfsec = map->security;
+
+	return avc_has_perm(current_sid(), bpfsec->sid, SECCLASS_BPF,
+			    BPF__MAP_MODIFY, NULL);
+}
+
+static int selinux_bpf_map_read(struct bpf_map *map)
+{
+	struct bpf_security_struct *bpfsec = map->security;
+
+	return avc_has_perm(current_sid(), bpfsec->sid, SECCLASS_BPF,
+			    BPF__MAP_READ, NULL);
+}
+
+static int selinux_bpf_prog_load(void)
+{
+	u32 sid = current_sid();
+
+	return avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, NULL);
+}
+
+static int selinux_bpf_post_create(struct bpf_map *map)
+{
+	struct bpf_security_struct *bpfsec;
+
+	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
+	if (!bpfsec)
+		return -ENOMEM;
+
+	bpfsec->sid = current_sid();
+	map->security = bpfsec;
+
+	return 0;
+}
+#endif
+
 static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
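Review bot: selinux_bpf_post_create allocates the bpf_security_struct stored in map->security, but nothing in this patch frees it — neither this hunk nor the hook-table hunk below registers a release hook — so unless a map-free hook is provided elsewhere in the series the blob leaks every time a map is torn down. If the framework side of the series offers such a hook, a matching `static void selinux_bpf_map_free(struct bpf_map *map) { kfree(map->security); map->security = NULL; }` belongs here and in the table next to the other five entries. selinux_bpf_map_modify and selinux_bpf_map_read dereference map->security unconditionally, which is only safe if map creation is aborted whenever bpf_post_create fails; that is outside this hunk and should be confirmed. A one-line comment above selinux_bpf_map_create, `/* map_create and prog_load are checked against the caller's own SID (subject == target) */`, would make the self-permission shape of those two checks explicit for readers of the policy.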
@@ -6465,6 +6512,13 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
 	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
 #endif
+#ifdef CONFIG_BPF_SYSCALL
+	LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
+	LSM_HOOK_INIT(bpf_map_modify, selinux_bpf_map_modify),
+	LSM_HOOK_INIT(bpf_map_read, selinux_bpf_map_read),
+	LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
+	LSM_HOOK_INIT(bpf_post_create, selinux_bpf_post_create),
+#endif
 };
 
 static __init int selinux_init(void)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index b9fe3434b036..83c880fb17b4 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -235,6 +235,8 @@ struct security_class_mapping secclass_map[] = {
 	  { "access", NULL } },
 	{ "infiniband_endport",
 	  { "manage_subnet", NULL } },
+	{ "bpf",
+	  {"map_create", "map_modify", "map_read", "prog_load" } },
 	{ NULL }
   };
 
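Review bot: The new "bpf" entry in secclass_map omits the trailing NULL that the neighbouring entries (`{ "access", NULL }`, `{ "manage_subnet", NULL }`) carry, and writes `{"map_create"` without the space the file otherwise puts after the opening brace. If the perms array is a fixed-size member zero-filled by the static initializer the missing NULL is harmless, but every other entry spells the terminator out, so `{ "map_create", "map_modify", "map_read", "prog_load", NULL } },` keeps the table's convention. Only four permissions are listed although the description speaks of five checks; if bpf_post_create is being counted as the fifth, the description should say it is a labelling hook rather than an access check.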
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 6ebc61e370ff..ba564f662b0d 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -150,6 +150,10 @@ struct pkey_security_struct {
 	u32	sid;	/* SID of pkey */
 };
 
+struct bpf_security_struct {
+	u32 sid;	/*SID of bpf obj creater*/
+};
+
 extern unsigned int selinux_checkreqprot;
 
 #endif /* _SELINUX_OBJSEC_H_ */
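Review bot: The comment on the new sid field, `/*SID of bpf obj creater*/`, has a typo and does not follow the spacing of the pkey_security_struct comment just above it; `u32	sid;	/* SID of bpf object creator */` matches the file. Since this SID is the only state the map hooks consult, it is worth stating that it is recorded at creation time and serves as the target SID of the map_modify and map_read checks.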
-- 
2.14.1.581.gf28d330327-goog

