* [PATCH bpf-next] bpf: add small subset of SECURITY_PATH hooks to BPF sleepable_lsm_hooks list
@ 2023-12-08 15:32 Matt Bobrowski
2023-12-12 18:45 ` KP Singh
2023-12-14 1:00 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Matt Bobrowski @ 2023-12-08 15:32 UTC
To: kpsingh, ast, andrii
Cc: revest, jackmanb, yonghong.song, bpf, linux-security-module

security_path_* based LSM hooks appear to be generally missing from
the sleepable_lsm_hooks list. Initially add a small subset of them to
the preexisting sleepable_lsm_hooks list so that sleepable BPF helpers
like bpf_d_path() can be used from sleepable BPF LSM based programs.

The security_path_* hooks added in this patch are similar to the
security_inode_* counterparts that already exist in the
sleepable_lsm_hooks list, and are called in roughly similar points and
contexts. Presumably, making them OK to be also annotated as
sleepable.

Building a kernel with DEBUG_ATOMIC_SLEEP options enabled and running
reasonable workloads stimulating activity that would be intercepted by
such security hooks didn't show any splats.

Notably, I haven't added all the security_path_* LSM hooks that are
available as I don't need them at this point in time.

Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
---
kernel/bpf/bpf_lsm.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 7d2f96413a57..63b4dc495125 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -304,6 +304,18 @@ BTF_ID(func, bpf_lsm_kernel_module_request)
BTF_ID(func, bpf_lsm_kernel_read_file)
BTF_ID(func, bpf_lsm_kernfs_init_security)
+#ifdef CONFIG_SECURITY_PATH
+BTF_ID(func, bpf_lsm_path_unlink)
+BTF_ID(func, bpf_lsm_path_mkdir)
+BTF_ID(func, bpf_lsm_path_rmdir)
+BTF_ID(func, bpf_lsm_path_truncate)
+BTF_ID(func, bpf_lsm_path_symlink)
+BTF_ID(func, bpf_lsm_path_link)
+BTF_ID(func, bpf_lsm_path_rename)
+BTF_ID(func, bpf_lsm_path_chmod)
+BTF_ID(func, bpf_lsm_path_chown)
+#endif /* CONFIG_SECURITY_PATH */
+
#ifdef CONFIG_KEYS
BTF_ID(func, bpf_lsm_key_free)
#endif /* CONFIG_KEYS */
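
Review bot: The new CONFIG_SECURITY_PATH block carries no comment saying that the nine hooks are a deliberately partial set, so someone reading bpf_lsm.c later cannot tell whether the security_path_* hooks left out were judged unsafe to sleep in or were simply not needed; the commit message says the latter, and a one-line comment above `#ifdef CONFIG_SECURITY_PATH` would carry that into the source. The sleepability argument itself rests on analogy with the security_inode_* entries ("Presumably") and on a DEBUG_ATOMIC_SLEEP run, which only covers the call paths the test workload happened to exercise; stating in the commit message which call sites were checked for each added hook would make the claim reviewable, since a hook wrongly listed as sleepable lets a BPF LSM program sleep in atomic context. As a style point, the block is inserted between bpf_lsm_kernfs_init_security and the CONFIG_KEYS block, while the visible neighbouring entries run alphabetically (kernel_*, kernfs_*, key_*), so placing it after CONFIG_KEYS would keep that order.
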
--
2.43.0.472.g3155946c3a-goog
/M
* Re: [PATCH bpf-next] bpf: add small subset of SECURITY_PATH hooks to BPF sleepable_lsm_hooks list
From: KP Singh @ 2023-12-12 18:45 UTC
To: Matt Bobrowski
Cc: ast, andrii, revest, jackmanb, yonghong.song, bpf,
linux-security-module
On Fri, Dec 8, 2023 at 4:32 PM Matt Bobrowski <mattbobrowski@google.com> wrote:
>
> security_path_* based LSM hooks appear to be generally missing from
> the sleepable_lsm_hooks list. Initially add a small subset of them to
> the preexisting sleepable_lsm_hooks list so that sleepable BPF helpers
> like bpf_d_path() can be used from sleepable BPF LSM based programs.
>
> The security_path_* hooks added in this patch are similar to the
> security_inode_* counterparts that already exist in the
> sleepable_lsm_hooks list, and are called in roughly similar points and
> contexts. Presumably, making them OK to be also annotated as
> sleepable.
>
> Building a kernel with DEBUG_ATOMIC_SLEEP options enabled and running
> reasonable workloads stimulating activity that would be intercepted by
> such security hooks didn't show any splats.
>
> Notably, I haven't added all the security_path_* LSM hooks that are
> available as I don't need them at this point in time.
>
> Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
Acked-by: KP Singh <kpsingh@kernel.org>
* Re: [PATCH bpf-next] bpf: add small subset of SECURITY_PATH hooks to BPF sleepable_lsm_hooks list
From: patchwork-bot+netdevbpf @ 2023-12-14 1:00 UTC
To: Matt Bobrowski
Cc: kpsingh, ast, andrii, revest, jackmanb, yonghong.song, bpf,
linux-security-module
Hello:
This patch was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Fri, 8 Dec 2023 15:32:48 +0000 you wrote:
> security_path_* based LSM hooks appear to be generally missing from
> the sleepable_lsm_hooks list. Initially add a small subset of them to
> the preexisting sleepable_lsm_hooks list so that sleepable BPF helpers
> like bpf_d_path() can be used from sleepable BPF LSM based programs.
>
> The security_path_* hooks added in this patch are similar to the
> security_inode_* counterparts that already exist in the
> sleepable_lsm_hooks list, and are called in roughly similar points and
> contexts. Presumably, making them OK to be also annotated as
> sleepable.
>
> [...]
Here is the summary with links:
- [bpf-next] bpf: add small subset of SECURITY_PATH hooks to BPF sleepable_lsm_hooks list
https://git.kernel.org/bpf/bpf-next/c/b13cddf63356
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html