[PATCH v4 bpf-next 0/2] security: Propagate caller information in bpf hooks

[PATCH v4 bpf-next 0/2] security: Propagate caller information in bpf hooks

[Blaise Boscaccy]

Hello,

While trying to implement an eBPF gatekeeper program, we ran into an
issue whereas the LSM hooks are missing some relevant data.

Certain subcommands passed to the bpf() syscall can be invoked from
either the kernel or userspace. Additionally, some fields in the
bpf_attr struct contain pointers, and depending on where the
subcommand was invoked, they could point to either user or kernel
memory. One example of this is the bpf_prog_load subcommand and its
fd_array. This data is made available and used by the verifier but not
made available to the LSM subsystem. This patchset simply exposes that
information to applicable LSM hooks.

Change list:
- v3 -> v4
  - split out selftest changes into a separate patch
- v2 -> v3
  - reorder params so that the new boolean flag is the last param
  - fixup function signatures in bpf selftests
- v1 -> v2
  - Pass a boolean flag in lieu of bpfptr_t

Revisions:
- v3
  https://lore.kernel.org/bpf/20250303222416.3909228-1-bboscaccy@linux.microsoft.com/
- v2
  https://lore.kernel.org/bpf/20250228165322.3121535-1-bboscaccy@linux.microsoft.com/
- v1
  https://lore.kernel.org/bpf/20250226003055.1654837-1-bboscaccy@linux.microsoft.com/


Blaise Boscaccy (2):
  security: Propagate caller information in bpf hooks
  selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

 include/linux/lsm_hook_defs.h                     |  6 +++---
 include/linux/security.h                          | 12 ++++++------
 kernel/bpf/syscall.c                              | 10 +++++-----
 security/security.c                               | 15 +++++++++------
 security/selinux/hooks.c                          |  6 +++---
 tools/testing/selftests/bpf/progs/rcu_read_lock.c |  3 ++-
 .../selftests/bpf/progs/test_cgroup1_hierarchy.c  |  4 ++--
 .../selftests/bpf/progs/test_kfunc_dynptr_param.c |  6 +++---
 .../testing/selftests/bpf/progs/test_lookup_key.c |  2 +-
 .../selftests/bpf/progs/test_ptr_untrusted.c      |  2 +-
 .../selftests/bpf/progs/test_task_under_cgroup.c  |  2 +-
 .../selftests/bpf/progs/test_verify_pkcs7_sig.c   |  2 +-
 12 files changed, 37 insertions(+), 33 deletions(-)

-- 
2.48.1

[PATCH v4 bpf-next 1/2] security: Propagate caller information in bpf hooks

[Blaise Boscaccy]

Certain bpf syscall subcommands are available for usage from both
userspace and the kernel. LSM modules or eBPF gatekeeper programs may
need to take a different course of action depending on whether or not
a BPF syscall originated from the kernel or userspace.

Additionally, some of the bpf_attr struct fields contain pointers to
arbitrary memory. Currently the functionality to determine whether or
not a pointer refers to kernel memory or userspace memory is exposed
to the bpf verifier, but that information is missing from various LSM
hooks.

Here we augment the LSM hooks to provide this data, by simply passing
a boolean flag indicating whether or not the call originated in the
kernel, in any hook that contains a bpf_attr struct that corresponds
to a subcommand that may be called from the kernel.

Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
Acked-by: Song Liu <song@kernel.org>
---
 include/linux/lsm_hook_defs.h |  6 +++---
 include/linux/security.h      | 12 ++++++------
 kernel/bpf/syscall.c          | 10 +++++-----
 security/security.c           | 15 +++++++++------
 security/selinux/hooks.c      |  6 +++---
 5 files changed, 26 insertions(+), 23 deletions(-)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index e2f1ce37c41ef..c5f045019456f 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -426,14 +426,14 @@ LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule)
 #endif /* CONFIG_AUDIT */
 
 #ifdef CONFIG_BPF_SYSCALL
-LSM_HOOK(int, 0, bpf, int cmd, union bpf_attr *attr, unsigned int size)
+LSM_HOOK(int, 0, bpf, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 LSM_HOOK(int, 0, bpf_map, struct bpf_map *map, fmode_t fmode)
 LSM_HOOK(int, 0, bpf_prog, struct bpf_prog *prog)
 LSM_HOOK(int, 0, bpf_map_create, struct bpf_map *map, union bpf_attr *attr,
-	 struct bpf_token *token)
+	 struct bpf_token *token, bool is_kernel)
 LSM_HOOK(void, LSM_RET_VOID, bpf_map_free, struct bpf_map *map)
 LSM_HOOK(int, 0, bpf_prog_load, struct bpf_prog *prog, union bpf_attr *attr,
-	 struct bpf_token *token)
+	 struct bpf_token *token, bool is_kernel)
 LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free, struct bpf_prog *prog)
 LSM_HOOK(int, 0, bpf_token_create, struct bpf_token *token, union bpf_attr *attr,
 	 const struct path *path)
diff --git a/include/linux/security.h b/include/linux/security.h
index 980b6c207cade..7e3e58030777c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2249,14 +2249,14 @@ struct bpf_map;
 struct bpf_prog;
 struct bpf_token;
 #ifdef CONFIG_SECURITY
-extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
+extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel);
 extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
 extern int security_bpf_prog(struct bpf_prog *prog);
 extern int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
-				   struct bpf_token *token);
+				   struct bpf_token *token, bool is_kernel);
 extern void security_bpf_map_free(struct bpf_map *map);
 extern int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
-				  struct bpf_token *token);
+				  struct bpf_token *token, bool is_kernel);
 extern void security_bpf_prog_free(struct bpf_prog *prog);
 extern int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
 				     const struct path *path);
@@ -2265,7 +2265,7 @@ extern int security_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cm
 extern int security_bpf_token_capable(const struct bpf_token *token, int cap);
 #else
 static inline int security_bpf(int cmd, union bpf_attr *attr,
-					     unsigned int size)
+			       unsigned int size, bool is_kernel)
 {
 	return 0;
 }
@@ -2281,7 +2281,7 @@ static inline int security_bpf_prog(struct bpf_prog *prog)
 }
 
 static inline int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
-					  struct bpf_token *token)
+					  struct bpf_token *token, bool is_kernel)
 {
 	return 0;
 }
@@ -2290,7 +2290,7 @@ static inline void security_bpf_map_free(struct bpf_map *map)
 { }
 
 static inline int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
-					 struct bpf_token *token)
+					 struct bpf_token *token, bool is_kernel)
 {
 	return 0;
 }
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 694a675769a60..fc51737b9e3dc 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1306,7 +1306,7 @@ static bool bpf_net_capable(void)
 
 #define BPF_MAP_CREATE_LAST_FIELD map_token_fd
 /* called via syscall */
-static int map_create(union bpf_attr *attr)
+static int map_create(union bpf_attr *attr, bool is_kernel)
 {
 	const struct bpf_map_ops *ops;
 	struct bpf_token *token = NULL;
@@ -1498,7 +1498,7 @@ static int map_create(union bpf_attr *attr)
 			attr->btf_vmlinux_value_type_id;
 	}
 
-	err = security_bpf_map_create(map, attr, token);
+	err = security_bpf_map_create(map, attr, token, is_kernel);
 	if (err)
 		goto free_map_sec;
 
@@ -2947,7 +2947,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
 	if (err < 0)
 		goto free_prog;
 
-	err = security_bpf_prog_load(prog, attr, token);
+	err = security_bpf_prog_load(prog, attr, token, uattr.is_kernel);
 	if (err)
 		goto free_prog_sec;
 
@@ -5776,13 +5776,13 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size)
 	if (copy_from_bpfptr(&attr, uattr, size) != 0)
 		return -EFAULT;
 
-	err = security_bpf(cmd, &attr, size);
+	err = security_bpf(cmd, &attr, size, uattr.is_kernel);
 	if (err < 0)
 		return err;
 
 	switch (cmd) {
 	case BPF_MAP_CREATE:
-		err = map_create(&attr);
+		err = map_create(&attr, uattr.is_kernel);
 		break;
 	case BPF_MAP_LOOKUP_ELEM:
 		err = map_lookup_elem(&attr);
diff --git a/security/security.c b/security/security.c
index 143561ebc3e89..38c977091a7fd 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5627,6 +5627,7 @@ int security_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op,
  * @cmd: command
  * @attr: bpf attribute
  * @size: size
+ * @is_kernel: whether or not call originated from kernel
  *
  * Do a initial check for all bpf syscalls after the attribute is copied into
  * the kernel. The actual security module can implement their own rules to
@@ -5634,9 +5635,9 @@ int security_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op,
  *
  * Return: Returns 0 if permission is granted.
  */
-int security_bpf(int cmd, union bpf_attr *attr, unsigned int size)
+int security_bpf(int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
-	return call_int_hook(bpf, cmd, attr, size);
+	return call_int_hook(bpf, cmd, attr, size, is_kernel);
 }
 
 /**
@@ -5673,6 +5674,7 @@ int security_bpf_prog(struct bpf_prog *prog)
  * @map: BPF map object
  * @attr: BPF syscall attributes used to create BPF map
  * @token: BPF token used to grant user access
+ * @is_kernel: whether or not call originated from kernel
  *
  * Do a check when the kernel creates a new BPF map. This is also the
  * point where LSM blob is allocated for LSMs that need them.
@@ -5680,9 +5682,9 @@ int security_bpf_prog(struct bpf_prog *prog)
  * Return: Returns 0 on success, error on failure.
  */
 int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
-			    struct bpf_token *token)
+			    struct bpf_token *token, bool is_kernel)
 {
-	return call_int_hook(bpf_map_create, map, attr, token);
+	return call_int_hook(bpf_map_create, map, attr, token, is_kernel);
 }
 
 /**
@@ -5690,6 +5692,7 @@ int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
  * @prog: BPF program object
  * @attr: BPF syscall attributes used to create BPF program
  * @token: BPF token used to grant user access to BPF subsystem
+ * @is_kernel: whether or not call originated from kernel
  *
  * Perform an access control check when the kernel loads a BPF program and
  * allocates associated BPF program object. This hook is also responsible for
@@ -5698,9 +5701,9 @@ int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
  * Return: Returns 0 on success, error on failure.
  */
 int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
-			   struct bpf_token *token)
+			   struct bpf_token *token, bool is_kernel)
 {
-	return call_int_hook(bpf_prog_load, prog, attr, token);
+	return call_int_hook(bpf_prog_load, prog, attr, token, is_kernel);
 }
 
 /**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7b867dfec88ba..5a5ce26c51900 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6866,7 +6866,7 @@ static int selinux_ib_alloc_security(void *ib_sec)
 
 #ifdef CONFIG_BPF_SYSCALL
 static int selinux_bpf(int cmd, union bpf_attr *attr,
-				     unsigned int size)
+		       unsigned int size, bool is_kernel)
 {
 	u32 sid = current_sid();
 	int ret;
@@ -6953,7 +6953,7 @@ static int selinux_bpf_prog(struct bpf_prog *prog)
 }
 
 static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
-				  struct bpf_token *token)
+				  struct bpf_token *token, bool is_kernel)
 {
 	struct bpf_security_struct *bpfsec;
 
@@ -6976,7 +6976,7 @@ static void selinux_bpf_map_free(struct bpf_map *map)
 }
 
 static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
-				 struct bpf_token *token)
+				 struct bpf_token *token, bool is_kernel)
 {
 	struct bpf_security_struct *bpfsec;
 
-- 
2.48.1

[PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Blaise Boscaccy]

The security_bpf LSM hook now contains a boolean parameter specifying
whether an invocation of the bpf syscall originated from within the
kernel. Here, we update the function signature of relevant test
programs to include that new parameter.

Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
---
 tools/testing/selftests/bpf/progs/rcu_read_lock.c           | 3 ++-
 tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c  | 4 ++--
 tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 6 +++---
 tools/testing/selftests/bpf/progs/test_lookup_key.c         | 2 +-
 tools/testing/selftests/bpf/progs/test_ptr_untrusted.c      | 2 +-
 tools/testing/selftests/bpf/progs/test_task_under_cgroup.c  | 2 +-
 tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c   | 2 +-
 7 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/rcu_read_lock.c b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
index ab3a532b7dd6d..f85d0e282f2ae 100644
--- a/tools/testing/selftests/bpf/progs/rcu_read_lock.c
+++ b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
@@ -242,7 +242,8 @@ int inproper_sleepable_helper(void *ctx)
 }
 
 SEC("?lsm.s/bpf")
-int BPF_PROG(inproper_sleepable_kfunc, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(inproper_sleepable_kfunc, int cmd, union bpf_attr *attr, unsigned int size,
+	     bool is_kernel)
 {
 	struct bpf_key *bkey;
 
diff --git a/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c b/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
index 44628865fe1d4..0e741262138f2 100644
--- a/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
+++ b/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
@@ -51,13 +51,13 @@ static int bpf_link_create_verify(int cmd)
 }
 
 SEC("lsm/bpf")
-int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
 	return bpf_link_create_verify(cmd);
 }
 
 SEC("lsm.s/bpf")
-int BPF_PROG(lsm_s_run, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(lsm_s_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
 	return bpf_link_create_verify(cmd);
 }
diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
index cd4d752bd089c..ce36a55ba5b8b 100644
--- a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
+++ b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
@@ -36,7 +36,7 @@ char _license[] SEC("license") = "GPL";
 
 SEC("?lsm.s/bpf")
 __failure __msg("cannot pass in dynptr at an offset=-8")
-int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
 	unsigned long val;
 
@@ -46,7 +46,7 @@ int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
 
 SEC("?lsm.s/bpf")
 __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr")
-int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
 	unsigned long val = 0;
 
@@ -55,7 +55,7 @@ int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
 }
 
 SEC("lsm.s/bpf")
-int BPF_PROG(dynptr_data_null, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(dynptr_data_null, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
 	struct bpf_key *trusted_keyring;
 	struct bpf_dynptr ptr;
diff --git a/tools/testing/selftests/bpf/progs/test_lookup_key.c b/tools/testing/selftests/bpf/progs/test_lookup_key.c
index c73776990ae30..c46077e01a4ca 100644
--- a/tools/testing/selftests/bpf/progs/test_lookup_key.c
+++ b/tools/testing/selftests/bpf/progs/test_lookup_key.c
@@ -23,7 +23,7 @@ extern struct bpf_key *bpf_lookup_system_key(__u64 id) __ksym;
 extern void bpf_key_put(struct bpf_key *key) __ksym;
 
 SEC("lsm.s/bpf")
-int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
 	struct bpf_key *bkey;
 	__u32 pid;
diff --git a/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c b/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
index 2fdc44e766248..21fce1108a21d 100644
--- a/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
+++ b/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
@@ -7,7 +7,7 @@
 char tp_name[128];
 
 SEC("lsm.s/bpf")
-int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
 	switch (cmd) {
 	case BPF_RAW_TRACEPOINT_OPEN:
diff --git a/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c b/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
index 7e750309ce274..18ad24a851c6c 100644
--- a/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
+++ b/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
@@ -49,7 +49,7 @@ int BPF_PROG(tp_btf_run, struct task_struct *task, u64 clone_flags)
 }
 
 SEC("lsm.s/bpf")
-int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
 	struct cgroup *cgrp = NULL;
 	struct task_struct *task;
diff --git a/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c b/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
index 12034a73ee2d2..135665f011c7e 100644
--- a/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
+++ b/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
@@ -37,7 +37,7 @@ struct {
 char _license[] SEC("license") = "GPL";
 
 SEC("lsm.s/bpf")
-int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size)
+int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
 {
 	struct bpf_dynptr data_ptr, sig_ptr;
 	struct data *data_val;
-- 
2.48.1

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Song Liu]

On Tue, Mar 4, 2025 at 12:31 PM Blaise Boscaccy
<bboscaccy@linux.microsoft.com> wrote:
>
> The security_bpf LSM hook now contains a boolean parameter specifying
> whether an invocation of the bpf syscall originated from within the
> kernel. Here, we update the function signature of relevant test
> programs to include that new parameter.
>
> Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
^^^ The email address is broken.

> ---
>  tools/testing/selftests/bpf/progs/rcu_read_lock.c           | 3 ++-
>  tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c  | 4 ++--
>  tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 6 +++---
>  tools/testing/selftests/bpf/progs/test_lookup_key.c         | 2 +-
>  tools/testing/selftests/bpf/progs/test_ptr_untrusted.c      | 2 +-
>  tools/testing/selftests/bpf/progs/test_task_under_cgroup.c  | 2 +-
>  tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c   | 2 +-
>  7 files changed, 11 insertions(+), 10 deletions(-)

It appears you missed a few of these?

tools/testing/selftests/bpf/progs/rcu_read_lock.c:SEC("?lsm.s/bpf")
tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c:SEC("lsm/bpf")
tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("?lsm.s/bpf")
tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("?lsm.s/bpf")
tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c:SEC("lsm/bpf_map")
tools/testing/selftests/bpf/progs/test_lookup_key.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/test_ptr_untrusted.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/test_task_under_cgroup.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/token_lsm.c:SEC("lsm/bpf_token_capable")
tools/testing/selftests/bpf/progs/token_lsm.c:SEC("lsm/bpf_token_cmd")
tools/testing/selftests/bpf/progs/verifier_global_subprogs.c:SEC("?lsm/bpf")
tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")

>
> diff --git a/tools/testing/selftests/bpf/progs/rcu_read_lock.c b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
> index ab3a532b7dd6d..f85d0e282f2ae 100644
> --- a/tools/testing/selftests/bpf/progs/rcu_read_lock.c
> +++ b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
> @@ -242,7 +242,8 @@ int inproper_sleepable_helper(void *ctx)
>  }
>
>  SEC("?lsm.s/bpf")
> -int BPF_PROG(inproper_sleepable_kfunc, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(inproper_sleepable_kfunc, int cmd, union bpf_attr *attr, unsigned int size,
> +            bool is_kernel)
>  {
>         struct bpf_key *bkey;
>
> diff --git a/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c b/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
> index 44628865fe1d4..0e741262138f2 100644
> --- a/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
> +++ b/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
> @@ -51,13 +51,13 @@ static int bpf_link_create_verify(int cmd)
>  }
>
>  SEC("lsm/bpf")
> -int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>  {
>         return bpf_link_create_verify(cmd);
>  }
>
>  SEC("lsm.s/bpf")
> -int BPF_PROG(lsm_s_run, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(lsm_s_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>  {
>         return bpf_link_create_verify(cmd);
>  }
> diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
> index cd4d752bd089c..ce36a55ba5b8b 100644
> --- a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
> +++ b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
> @@ -36,7 +36,7 @@ char _license[] SEC("license") = "GPL";
>
>  SEC("?lsm.s/bpf")
>  __failure __msg("cannot pass in dynptr at an offset=-8")
> -int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>  {
>         unsigned long val;
>
> @@ -46,7 +46,7 @@ int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
>
>  SEC("?lsm.s/bpf")
>  __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr")
> -int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>  {
>         unsigned long val = 0;
>
> @@ -55,7 +55,7 @@ int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
>  }
>
>  SEC("lsm.s/bpf")
> -int BPF_PROG(dynptr_data_null, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(dynptr_data_null, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>  {
>         struct bpf_key *trusted_keyring;
>         struct bpf_dynptr ptr;
> diff --git a/tools/testing/selftests/bpf/progs/test_lookup_key.c b/tools/testing/selftests/bpf/progs/test_lookup_key.c
> index c73776990ae30..c46077e01a4ca 100644
> --- a/tools/testing/selftests/bpf/progs/test_lookup_key.c
> +++ b/tools/testing/selftests/bpf/progs/test_lookup_key.c
> @@ -23,7 +23,7 @@ extern struct bpf_key *bpf_lookup_system_key(__u64 id) __ksym;
>  extern void bpf_key_put(struct bpf_key *key) __ksym;
>
>  SEC("lsm.s/bpf")
> -int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>  {
>         struct bpf_key *bkey;
>         __u32 pid;
> diff --git a/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c b/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
> index 2fdc44e766248..21fce1108a21d 100644
> --- a/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
> +++ b/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
> @@ -7,7 +7,7 @@
>  char tp_name[128];
>
>  SEC("lsm.s/bpf")
> -int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>  {
>         switch (cmd) {
>         case BPF_RAW_TRACEPOINT_OPEN:
> diff --git a/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c b/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
> index 7e750309ce274..18ad24a851c6c 100644
> --- a/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
> +++ b/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
> @@ -49,7 +49,7 @@ int BPF_PROG(tp_btf_run, struct task_struct *task, u64 clone_flags)
>  }
>
>  SEC("lsm.s/bpf")
> -int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>  {
>         struct cgroup *cgrp = NULL;
>         struct task_struct *task;
> diff --git a/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c b/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
> index 12034a73ee2d2..135665f011c7e 100644
> --- a/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
> +++ b/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
> @@ -37,7 +37,7 @@ struct {
>  char _license[] SEC("license") = "GPL";
>
>  SEC("lsm.s/bpf")
> -int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size)
> +int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>  {
>         struct bpf_dynptr data_ptr, sig_ptr;
>         struct data *data_val;
> --
> 2.48.1
>

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Blaise Boscaccy]

Song Liu <song@kernel.org> writes:

> On Tue, Mar 4, 2025 at 12:31 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
>>
>> The security_bpf LSM hook now contains a boolean parameter specifying
>> whether an invocation of the bpf syscall originated from within the
>> kernel. Here, we update the function signature of relevant test
>> programs to include that new parameter.
>>
>> Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
> ^^^ The email address is broken.
>

Whoops, appologies, will get that fixed. 

>> ---
>>  tools/testing/selftests/bpf/progs/rcu_read_lock.c           | 3 ++-
>>  tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c  | 4 ++--
>>  tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 6 +++---
>>  tools/testing/selftests/bpf/progs/test_lookup_key.c         | 2 +-
>>  tools/testing/selftests/bpf/progs/test_ptr_untrusted.c      | 2 +-
>>  tools/testing/selftests/bpf/progs/test_task_under_cgroup.c  | 2 +-
>>  tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c   | 2 +-
>>  7 files changed, 11 insertions(+), 10 deletions(-)
>
> It appears you missed a few of these?
>

Some of these don't require any changes. I ran into this as well while doing a
search. 

These are all accounted for in the patch. 
> tools/testing/selftests/bpf/progs/rcu_read_lock.c:SEC("?lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c:SEC("lsm/bpf")
> tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("?lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("?lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("lsm.s/bpf")

security_bpf_map wasn't altered, it can't be called from the kernel. No
changes needed.
> tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c:SEC("lsm/bpf_map")

These are also all accounted for in the patch. 
> tools/testing/selftests/bpf/progs/test_lookup_key.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_ptr_untrusted.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_task_under_cgroup.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c:SEC("lsm.s/bpf")

bpf_token_cmd and bpf_token_capabable aren't callable from the kernel,
no changes to that hook either currently.

> tools/testing/selftests/bpf/progs/token_lsm.c:SEC("lsm/bpf_token_capable")
> tools/testing/selftests/bpf/progs/token_lsm.c:SEC("lsm/bpf_token_cmd")


This program doesn't take any parameters currently.
> tools/testing/selftests/bpf/progs/verifier_global_subprogs.c:SEC("?lsm/bpf")

These are all naked calls that don't take any explicit parameters.
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
>

-blaise

>>
>> diff --git a/tools/testing/selftests/bpf/progs/rcu_read_lock.c b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
>> index ab3a532b7dd6d..f85d0e282f2ae 100644
>> --- a/tools/testing/selftests/bpf/progs/rcu_read_lock.c
>> +++ b/tools/testing/selftests/bpf/progs/rcu_read_lock.c
>> @@ -242,7 +242,8 @@ int inproper_sleepable_helper(void *ctx)
>>  }
>>
>>  SEC("?lsm.s/bpf")
>> -int BPF_PROG(inproper_sleepable_kfunc, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(inproper_sleepable_kfunc, int cmd, union bpf_attr *attr, unsigned int size,
>> +            bool is_kernel)
>>  {
>>         struct bpf_key *bkey;
>>
>> diff --git a/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c b/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
>> index 44628865fe1d4..0e741262138f2 100644
>> --- a/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
>> +++ b/tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c
>> @@ -51,13 +51,13 @@ static int bpf_link_create_verify(int cmd)
>>  }
>>
>>  SEC("lsm/bpf")
>> -int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>>  {
>>         return bpf_link_create_verify(cmd);
>>  }
>>
>>  SEC("lsm.s/bpf")
>> -int BPF_PROG(lsm_s_run, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(lsm_s_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>>  {
>>         return bpf_link_create_verify(cmd);
>>  }
>> diff --git a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
>> index cd4d752bd089c..ce36a55ba5b8b 100644
>> --- a/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
>> +++ b/tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c
>> @@ -36,7 +36,7 @@ char _license[] SEC("license") = "GPL";
>>
>>  SEC("?lsm.s/bpf")
>>  __failure __msg("cannot pass in dynptr at an offset=-8")
>> -int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>>  {
>>         unsigned long val;
>>
>> @@ -46,7 +46,7 @@ int BPF_PROG(not_valid_dynptr, int cmd, union bpf_attr *attr, unsigned int size)
>>
>>  SEC("?lsm.s/bpf")
>>  __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr")
>> -int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>>  {
>>         unsigned long val = 0;
>>
>> @@ -55,7 +55,7 @@ int BPF_PROG(not_ptr_to_stack, int cmd, union bpf_attr *attr, unsigned int size)
>>  }
>>
>>  SEC("lsm.s/bpf")
>> -int BPF_PROG(dynptr_data_null, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(dynptr_data_null, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>>  {
>>         struct bpf_key *trusted_keyring;
>>         struct bpf_dynptr ptr;
>> diff --git a/tools/testing/selftests/bpf/progs/test_lookup_key.c b/tools/testing/selftests/bpf/progs/test_lookup_key.c
>> index c73776990ae30..c46077e01a4ca 100644
>> --- a/tools/testing/selftests/bpf/progs/test_lookup_key.c
>> +++ b/tools/testing/selftests/bpf/progs/test_lookup_key.c
>> @@ -23,7 +23,7 @@ extern struct bpf_key *bpf_lookup_system_key(__u64 id) __ksym;
>>  extern void bpf_key_put(struct bpf_key *key) __ksym;
>>
>>  SEC("lsm.s/bpf")
>> -int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>>  {
>>         struct bpf_key *bkey;
>>         __u32 pid;
>> diff --git a/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c b/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
>> index 2fdc44e766248..21fce1108a21d 100644
>> --- a/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
>> +++ b/tools/testing/selftests/bpf/progs/test_ptr_untrusted.c
>> @@ -7,7 +7,7 @@
>>  char tp_name[128];
>>
>>  SEC("lsm.s/bpf")
>> -int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>>  {
>>         switch (cmd) {
>>         case BPF_RAW_TRACEPOINT_OPEN:
>> diff --git a/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c b/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
>> index 7e750309ce274..18ad24a851c6c 100644
>> --- a/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
>> +++ b/tools/testing/selftests/bpf/progs/test_task_under_cgroup.c
>> @@ -49,7 +49,7 @@ int BPF_PROG(tp_btf_run, struct task_struct *task, u64 clone_flags)
>>  }
>>
>>  SEC("lsm.s/bpf")
>> -int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(lsm_run, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>>  {
>>         struct cgroup *cgrp = NULL;
>>         struct task_struct *task;
>> diff --git a/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c b/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
>> index 12034a73ee2d2..135665f011c7e 100644
>> --- a/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
>> +++ b/tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c
>> @@ -37,7 +37,7 @@ struct {
>>  char _license[] SEC("license") = "GPL";
>>
>>  SEC("lsm.s/bpf")
>> -int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size)
>> +int BPF_PROG(bpf, int cmd, union bpf_attr *attr, unsigned int size, bool is_kernel)
>>  {
>>         struct bpf_dynptr data_ptr, sig_ptr;
>>         struct data *data_val;
>> --
>> 2.48.1
>>

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Paul Moore]

On Tue, Mar 4, 2025 at 3:31 PM Blaise Boscaccy
<bboscaccy@linux.microsoft.com> wrote:
>
> The security_bpf LSM hook now contains a boolean parameter specifying
> whether an invocation of the bpf syscall originated from within the
> kernel. Here, we update the function signature of relevant test
> programs to include that new parameter.
>
> Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
> ---
>  tools/testing/selftests/bpf/progs/rcu_read_lock.c           | 3 ++-
>  tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c  | 4 ++--
>  tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 6 +++---
>  tools/testing/selftests/bpf/progs/test_lookup_key.c         | 2 +-
>  tools/testing/selftests/bpf/progs/test_ptr_untrusted.c      | 2 +-
>  tools/testing/selftests/bpf/progs/test_task_under_cgroup.c  | 2 +-
>  tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c   | 2 +-
>  7 files changed, 11 insertions(+), 10 deletions(-)

I see that Song requested that the changes in this patch be split out
back in the v3 revision, will that cause git bisect issues if patch
1/2 is applied but patch 2/2 is not, or is there some BPF magic that
ensures that the selftests will still run properly?

-- 
paul-moore.com

Re: [PATCH v4 bpf-next 1/2] security: Propagate caller information in bpf hooks

[Paul Moore]

On Tue, Mar 4, 2025 at 3:31 PM Blaise Boscaccy
<bboscaccy@linux.microsoft.com> wrote:
>
> Certain bpf syscall subcommands are available for usage from both
> userspace and the kernel. LSM modules or eBPF gatekeeper programs may
> need to take a different course of action depending on whether or not
> a BPF syscall originated from the kernel or userspace.
>
> Additionally, some of the bpf_attr struct fields contain pointers to
> arbitrary memory. Currently the functionality to determine whether or
> not a pointer refers to kernel memory or userspace memory is exposed
> to the bpf verifier, but that information is missing from various LSM
> hooks.
>
> Here we augment the LSM hooks to provide this data, by simply passing
> a boolean flag indicating whether or not the call originated in the
> kernel, in any hook that contains a bpf_attr struct that corresponds
> to a subcommand that may be called from the kernel.
>
> Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
> Acked-by: Song Liu <song@kernel.org>
> ---
>  include/linux/lsm_hook_defs.h |  6 +++---
>  include/linux/security.h      | 12 ++++++------
>  kernel/bpf/syscall.c          | 10 +++++-----
>  security/security.c           | 15 +++++++++------
>  security/selinux/hooks.c      |  6 +++---
>  5 files changed, 26 insertions(+), 23 deletions(-)

...

> diff --git a/security/security.c b/security/security.c
> index 143561ebc3e89..38c977091a7fd 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -5627,6 +5627,7 @@ int security_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op,
>   * @cmd: command
>   * @attr: bpf attribute
>   * @size: size
> + * @is_kernel: whether or not call originated from kernel

This is really nitpicky so please only make this change if you are
respinning the patchset for another reason (it looks like you may need
to do so for other reasons, so I mentioning it), but please change
"is_kernel" to just "kernel" in all the LSM hooks you're updating so
it is more consistent with the other LSM hook boolean parameter flags.

Regardless of the above, this looks good to me.  My ACK is below in
case the BPF folks want to merge this, but I'm also happy to take this
via the LSM tree once the selftest changes are resolved and ACK'd.

Acked-by: Paul Moore <paul@paul-moore.com>

-- 
paul-moore.com

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Blaise Boscaccy]

Paul Moore <paul@paul-moore.com> writes:

> On Tue, Mar 4, 2025 at 3:31 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
>>
>> The security_bpf LSM hook now contains a boolean parameter specifying
>> whether an invocation of the bpf syscall originated from within the
>> kernel. Here, we update the function signature of relevant test
>> programs to include that new parameter.
>>
>> Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
>> ---
>>  tools/testing/selftests/bpf/progs/rcu_read_lock.c           | 3 ++-
>>  tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c  | 4 ++--
>>  tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 6 +++---
>>  tools/testing/selftests/bpf/progs/test_lookup_key.c         | 2 +-
>>  tools/testing/selftests/bpf/progs/test_ptr_untrusted.c      | 2 +-
>>  tools/testing/selftests/bpf/progs/test_task_under_cgroup.c  | 2 +-
>>  tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c   | 2 +-
>>  7 files changed, 11 insertions(+), 10 deletions(-)
>
> I see that Song requested that the changes in this patch be split out
> back in the v3 revision, will that cause git bisect issues if patch
> 1/2 is applied but patch 2/2 is not, or is there some BPF magic that
> ensures that the selftests will still run properly?
>

So there isn't any type checking in the bpf program's function
arguments against the LSM hook definitions, so it shouldn't cause any
build issues. To the best of my knowledge, the new is_kernel boolean
flag will end up living in r3. None of the current tests reference
that parameter, so if we bisected and ended up on the previous commit,
the bpf test programs would in a worst-case scenario simply clobber that
register, which shouldn't effect any test outcomes unless a test program
was somehow dependent on an uninitialized value in a scratch register. 

-blaise

> -- 
> paul-moore.com

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Paul Moore]

On Tue, Mar 4, 2025 at 8:26 PM Blaise Boscaccy
<bboscaccy@linux.microsoft.com> wrote:
> Paul Moore <paul@paul-moore.com> writes:
> > On Tue, Mar 4, 2025 at 3:31 PM Blaise Boscaccy
> > <bboscaccy@linux.microsoft.com> wrote:
> >>
> >> The security_bpf LSM hook now contains a boolean parameter specifying
> >> whether an invocation of the bpf syscall originated from within the
> >> kernel. Here, we update the function signature of relevant test
> >> programs to include that new parameter.
> >>
> >> Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
> >> ---
> >>  tools/testing/selftests/bpf/progs/rcu_read_lock.c           | 3 ++-
> >>  tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c  | 4 ++--
> >>  tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 6 +++---
> >>  tools/testing/selftests/bpf/progs/test_lookup_key.c         | 2 +-
> >>  tools/testing/selftests/bpf/progs/test_ptr_untrusted.c      | 2 +-
> >>  tools/testing/selftests/bpf/progs/test_task_under_cgroup.c  | 2 +-
> >>  tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c   | 2 +-
> >>  7 files changed, 11 insertions(+), 10 deletions(-)
> >
> > I see that Song requested that the changes in this patch be split out
> > back in the v3 revision, will that cause git bisect issues if patch
> > 1/2 is applied but patch 2/2 is not, or is there some BPF magic that
> > ensures that the selftests will still run properly?
> >
>
> So there isn't any type checking in the bpf program's function
> arguments against the LSM hook definitions, so it shouldn't cause any
> build issues. To the best of my knowledge, the new is_kernel boolean
> flag will end up living in r3. None of the current tests reference
> that parameter, so if we bisected and ended up on the previous commit,
> the bpf test programs would in a worst-case scenario simply clobber that
> register, which shouldn't effect any test outcomes unless a test program
> was somehow dependent on an uninitialized value in a scratch register.

Esh.  With that in mind, I'd argue that the two patches really should
just be one patch as you did before.  The patches are both pretty
small and obviously related so it really shouldn't be an issue.

However, since we need this patchset in order to properly implement
BPF signature verification I'm not going to make a fuss if Song feels
strongly that the selftest changes should be split into their own
patch.

-- 
paul-moore.com

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Song Liu]

On Tue, Mar 4, 2025 at 4:36 PM Blaise Boscaccy
<bboscaccy@linux.microsoft.com> wrote:
>
> Song Liu <song@kernel.org> writes:
>
> > On Tue, Mar 4, 2025 at 12:31 PM Blaise Boscaccy
> > <bboscaccy@linux.microsoft.com> wrote:
> >>
> >> The security_bpf LSM hook now contains a boolean parameter specifying
> >> whether an invocation of the bpf syscall originated from within the
> >> kernel. Here, we update the function signature of relevant test
> >> programs to include that new parameter.
> >>
> >> Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
> > ^^^ The email address is broken.
> >
>
> Whoops, appologies, will get that fixed.
>
> >> ---
> >>  tools/testing/selftests/bpf/progs/rcu_read_lock.c           | 3 ++-
> >>  tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c  | 4 ++--
> >>  tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 6 +++---
> >>  tools/testing/selftests/bpf/progs/test_lookup_key.c         | 2 +-
> >>  tools/testing/selftests/bpf/progs/test_ptr_untrusted.c      | 2 +-
> >>  tools/testing/selftests/bpf/progs/test_task_under_cgroup.c  | 2 +-
> >>  tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c   | 2 +-
> >>  7 files changed, 11 insertions(+), 10 deletions(-)
> >
> > It appears you missed a few of these?
> >
>
> Some of these don't require any changes. I ran into this as well while doing a
> search.
>
> These are all accounted for in the patch.
> > tools/testing/selftests/bpf/progs/rcu_read_lock.c:SEC("?lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c:SEC("lsm/bpf")
> > tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("?lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("?lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c:SEC("lsm.s/bpf")
>
> security_bpf_map wasn't altered, it can't be called from the kernel. No
> changes needed.
> > tools/testing/selftests/bpf/progs/test_libbpf_get_fd_by_id_opts.c:SEC("lsm/bpf_map")
>
> These are also all accounted for in the patch.
> > tools/testing/selftests/bpf/progs/test_lookup_key.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/test_ptr_untrusted.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/test_task_under_cgroup.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c:SEC("lsm.s/bpf")
>
> bpf_token_cmd and bpf_token_capabable aren't callable from the kernel,
> no changes to that hook either currently.
>
> > tools/testing/selftests/bpf/progs/token_lsm.c:SEC("lsm/bpf_token_capable")
> > tools/testing/selftests/bpf/progs/token_lsm.c:SEC("lsm/bpf_token_cmd")
>
>
> This program doesn't take any parameters currently.
> > tools/testing/selftests/bpf/progs/verifier_global_subprogs.c:SEC("?lsm/bpf")
>
> These are all naked calls that don't take any explicit parameters.
> > tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")
> > tools/testing/selftests/bpf/progs/verifier_ref_tracking.c:SEC("lsm.s/bpf")

Thanks for the explanation. I think we can keep this part as-is.

Song

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Song Liu]

On Tue, Mar 4, 2025 at 6:14 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Tue, Mar 4, 2025 at 8:26 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
> > Paul Moore <paul@paul-moore.com> writes:
> > > On Tue, Mar 4, 2025 at 3:31 PM Blaise Boscaccy
> > > <bboscaccy@linux.microsoft.com> wrote:
> > >>
> > >> The security_bpf LSM hook now contains a boolean parameter specifying
> > >> whether an invocation of the bpf syscall originated from within the
> > >> kernel. Here, we update the function signature of relevant test
> > >> programs to include that new parameter.
> > >>
> > >> Signed-off-by: Blaise Boscaccy bboscaccy@linux.microsoft.com
> > >> ---
> > >>  tools/testing/selftests/bpf/progs/rcu_read_lock.c           | 3 ++-
> > >>  tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c  | 4 ++--
> > >>  tools/testing/selftests/bpf/progs/test_kfunc_dynptr_param.c | 6 +++---
> > >>  tools/testing/selftests/bpf/progs/test_lookup_key.c         | 2 +-
> > >>  tools/testing/selftests/bpf/progs/test_ptr_untrusted.c      | 2 +-
> > >>  tools/testing/selftests/bpf/progs/test_task_under_cgroup.c  | 2 +-
> > >>  tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c   | 2 +-
> > >>  7 files changed, 11 insertions(+), 10 deletions(-)
> > >
> > > I see that Song requested that the changes in this patch be split out
> > > back in the v3 revision, will that cause git bisect issues if patch
> > > 1/2 is applied but patch 2/2 is not, or is there some BPF magic that
> > > ensures that the selftests will still run properly?
> > >
> >
> > So there isn't any type checking in the bpf program's function
> > arguments against the LSM hook definitions, so it shouldn't cause any
> > build issues. To the best of my knowledge, the new is_kernel boolean
> > flag will end up living in r3. None of the current tests reference
> > that parameter, so if we bisected and ended up on the previous commit,
> > the bpf test programs would in a worst-case scenario simply clobber that
> > register, which shouldn't effect any test outcomes unless a test program
> > was somehow dependent on an uninitialized value in a scratch register.
>
> Esh.  With that in mind, I'd argue that the two patches really should
> just be one patch as you did before.  The patches are both pretty
> small and obviously related so it really shouldn't be an issue.
>
> However, since we need this patchset in order to properly implement
> BPF signature verification I'm not going to make a fuss if Song feels
> strongly that the selftest changes should be split into their own
> patch.

On second thought, I think it makes sense to merge the two patches.

Blasie, please update 1/2 based on Paul's comment, merge the two
patches, and resend. You can keep my Acked-by.

Do we need this in the LSM tree before the upcoming merge window?
If not, we would prefer to carry it in bpf-next.

Thanks,
Song

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Paul Moore]

On Tue, Mar 4, 2025 at 10:32 PM Song Liu <song@kernel.org> wrote:
> On Tue, Mar 4, 2025 at 6:14 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Tue, Mar 4, 2025 at 8:26 PM Blaise Boscaccy
> > <bboscaccy@linux.microsoft.com> wrote:
> > > Paul Moore <paul@paul-moore.com> writes:
> > > > On Tue, Mar 4, 2025 at 3:31 PM Blaise Boscaccy
> > > > <bboscaccy@linux.microsoft.com> wrote:

...

> Do we need this in the LSM tree before the upcoming merge window?
> If not, we would prefer to carry it in bpf-next.

As long as we can send this up to Linus during the upcoming merge
window I'll be happy; if you feel strongly and want to take it via the
BPF tree, that's fine by me.  I'm currently helping someone draft a
patchset to implement the LSM/SELinux access control LSM callbacks for
the BPF tokens and I'm also working on a fix for the LSM framework
initialization code, both efforts may land in a development tree
during the next dev cycle and may cause a merge conflict with Blaise's
changes.  Not that a merge conflict is a terrible thing that we can't
work around, but if we can avoid it I'd be much happier :)

Please do make the /is_kernel/kernel/ change I mentioned in patch 1/2,
and feel free to keep my ACK from this patchset revision.

Thanks everyone!

-- 
paul-moore.com

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Alexei Starovoitov]

On Wed, Mar 5, 2025 at 8:12 AM Paul Moore <paul@paul-moore.com> wrote:
>
> On Tue, Mar 4, 2025 at 10:32 PM Song Liu <song@kernel.org> wrote:
> > On Tue, Mar 4, 2025 at 6:14 PM Paul Moore <paul@paul-moore.com> wrote:
> > > On Tue, Mar 4, 2025 at 8:26 PM Blaise Boscaccy
> > > <bboscaccy@linux.microsoft.com> wrote:
> > > > Paul Moore <paul@paul-moore.com> writes:
> > > > > On Tue, Mar 4, 2025 at 3:31 PM Blaise Boscaccy
> > > > > <bboscaccy@linux.microsoft.com> wrote:
>
> ...
>
> > Do we need this in the LSM tree before the upcoming merge window?
> > If not, we would prefer to carry it in bpf-next.
>
> As long as we can send this up to Linus during the upcoming merge
> window I'll be happy; if you feel strongly and want to take it via the
> BPF tree, that's fine by me.  I'm currently helping someone draft a
> patchset to implement the LSM/SELinux access control LSM callbacks for
> the BPF tokens and I'm also working on a fix for the LSM framework
> initialization code, both efforts may land in a development tree
> during the next dev cycle and may cause a merge conflict with Blaise's
> changes.  Not that a merge conflict is a terrible thing that we can't
> work around, but if we can avoid it I'd be much happier :)
>
> Please do make the /is_kernel/kernel/ change I mentioned in patch 1/2,
> and feel free to keep my ACK from this patchset revision.

My preference is to go via bpf-next, since changes are bigger
on bpf side than on lsm side.

Re: selftest.

Why change them at all if 'bool kernel' attribute is unused ?
Addition of the attr should be backward compatible change,
so all tests should still pass as-is.

You probably should add a new test where 'kernel' arg is actually
used for something. That would be patch 2.

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Song Liu]

On Wed, Mar 5, 2025 at 9:08 AM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
[...]
> My preference is to go via bpf-next, since changes are bigger
> on bpf side than on lsm side.
>
> Re: selftest.
>
> Why change them at all if 'bool kernel' attribute is unused ?
> Addition of the attr should be backward compatible change,
> so all tests should still pass as-is.

I was thinking of keeping the argument list in the selftests up
to date, so that the users can use selftests as examples when
writing their BPF programs.

OTOH, with the "bool kernel" at the end of the argument list,
it is backward compatible.

> You probably should add a new test where 'kernel' arg is actually
> used for something. That would be patch 2.

+1. This is a great idea.

Thanks,
Song

Re: [PATCH v4 bpf-next 2/2] selftests/bpf: Add is_kernel parameter to LSM/bpf test programs

[Paul Moore]

On Wed, Mar 5, 2025 at 12:08 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
> On Wed, Mar 5, 2025 at 8:12 AM Paul Moore <paul@paul-moore.com> wrote:
> > On Tue, Mar 4, 2025 at 10:32 PM Song Liu <song@kernel.org> wrote:
> > > On Tue, Mar 4, 2025 at 6:14 PM Paul Moore <paul@paul-moore.com> wrote:
> > > > On Tue, Mar 4, 2025 at 8:26 PM Blaise Boscaccy
> > > > <bboscaccy@linux.microsoft.com> wrote:
> > > > > Paul Moore <paul@paul-moore.com> writes:
> > > > > > On Tue, Mar 4, 2025 at 3:31 PM Blaise Boscaccy
> > > > > > <bboscaccy@linux.microsoft.com> wrote:
> >
> > ...
> >
> > > Do we need this in the LSM tree before the upcoming merge window?
> > > If not, we would prefer to carry it in bpf-next.
> >
> > As long as we can send this up to Linus during the upcoming merge
> > window I'll be happy; if you feel strongly and want to take it via the
> > BPF tree, that's fine by me.  I'm currently helping someone draft a
> > patchset to implement the LSM/SELinux access control LSM callbacks for
> > the BPF tokens and I'm also working on a fix for the LSM framework
> > initialization code, both efforts may land in a development tree
> > during the next dev cycle and may cause a merge conflict with Blaise's
> > changes.  Not that a merge conflict is a terrible thing that we can't
> > work around, but if we can avoid it I'd be much happier :)
> >
> > Please do make the /is_kernel/kernel/ change I mentioned in patch 1/2,
> > and feel free to keep my ACK from this patchset revision.
>
> My preference is to go via bpf-next, since changes are bigger
> on bpf side than on lsm side.

Fine by me, the patch has my ACK already.

-- 
paul-moore.com