[PATCH bpf-next] bpf: add security_file_mprotect() to sleepable_lsm_hooks BTF set

[PATCH bpf-next] bpf: add security_file_mprotect() to sleepable_lsm_hooks BTF set

[Matt Bobrowski]

security_file_mprotect() is missing from the sleepable_lsm_hooks BTF
set. Add it so that operations performed by a BPF program which may
result in the thread being put to sleep are permitted.

Building a kernel with the DEBUG_ATOMIC_SLEEP confiuration option
enabled and running reasonable workloads stimulating a BPF program
attached to security_file_mprotect() which could end up performing an
operation that could sleep resulted in no splats.

Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
---
 kernel/bpf/bpf_lsm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 68240c3c6e7d..da52c955f3ca 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -277,10 +277,13 @@ BTF_ID(func, bpf_lsm_bprm_creds_from_file)
 BTF_ID(func, bpf_lsm_capget)
 BTF_ID(func, bpf_lsm_capset)
 BTF_ID(func, bpf_lsm_cred_prepare)
+
 BTF_ID(func, bpf_lsm_file_ioctl)
 BTF_ID(func, bpf_lsm_file_lock)
 BTF_ID(func, bpf_lsm_file_open)
 BTF_ID(func, bpf_lsm_file_receive)
+BTF_ID(func, bpf_lsm_mmap_file)
+BTF_ID(func, bpf_lsm_file_mprotect)
 
 BTF_ID(func, bpf_lsm_inode_create)
 BTF_ID(func, bpf_lsm_inode_free_security)
@@ -316,7 +319,6 @@ BTF_ID(func, bpf_lsm_path_chown)
 BTF_ID(func, bpf_lsm_key_free)
 #endif /* CONFIG_KEYS */
 
-BTF_ID(func, bpf_lsm_mmap_file)
 BTF_ID(func, bpf_lsm_netlink_send)
 BTF_ID(func, bpf_lsm_path_notify)
 BTF_ID(func, bpf_lsm_release_secctx)
-- 
2.43.0.429.g432eaa2c6b-goog

/M

Re: [PATCH bpf-next] bpf: add security_file_mprotect() to sleepable_lsm_hooks BTF set

[Matt Bobrowski]

On Thu, Feb 01, 2024 at 10:43:52AM +0000, Matt Bobrowski wrote:
> security_file_mprotect() is missing from the sleepable_lsm_hooks BTF
> set. Add it so that operations performed by a BPF program which may
> result in the thread being put to sleep are permitted.
> 
> Building a kernel with the DEBUG_ATOMIC_SLEEP confiuration option
> enabled and running reasonable workloads stimulating a BPF program
> attached to security_file_mprotect() which could end up performing an
> operation that could sleep resulted in no splats.

Actually, no, please disregard this patch. It was only a matter of
timing before something had popped up.

This was sent out far too prematurely and I failed to realize that
__bpf_prog_enter_sleepable() calls might_fault() and
security_file_mprotect() is being called from a context whereby a
mmap_lock is already being held. In essence, this also means that it's
not possible to run sleepable BPF programs in contexts where a
mmap_lock is already held as the page fault handler also attempts to
take the mmap_lock, and well all know what happens when you have the
same thread attempting to acquire the same lock whilst already holding
that lock.

> Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
> ---
>  kernel/bpf/bpf_lsm.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
> index 68240c3c6e7d..da52c955f3ca 100644
> --- a/kernel/bpf/bpf_lsm.c
> +++ b/kernel/bpf/bpf_lsm.c
> @@ -277,10 +277,13 @@ BTF_ID(func, bpf_lsm_bprm_creds_from_file)
>  BTF_ID(func, bpf_lsm_capget)
>  BTF_ID(func, bpf_lsm_capset)
>  BTF_ID(func, bpf_lsm_cred_prepare)
> +
>  BTF_ID(func, bpf_lsm_file_ioctl)
>  BTF_ID(func, bpf_lsm_file_lock)
>  BTF_ID(func, bpf_lsm_file_open)
>  BTF_ID(func, bpf_lsm_file_receive)
> +BTF_ID(func, bpf_lsm_mmap_file)
> +BTF_ID(func, bpf_lsm_file_mprotect)
>  
>  BTF_ID(func, bpf_lsm_inode_create)
>  BTF_ID(func, bpf_lsm_inode_free_security)
> @@ -316,7 +319,6 @@ BTF_ID(func, bpf_lsm_path_chown)
>  BTF_ID(func, bpf_lsm_key_free)
>  #endif /* CONFIG_KEYS */
>  
> -BTF_ID(func, bpf_lsm_mmap_file)
>  BTF_ID(func, bpf_lsm_netlink_send)
>  BTF_ID(func, bpf_lsm_path_notify)
>  BTF_ID(func, bpf_lsm_release_secctx)
> -- 
> 2.43.0.429.g432eaa2c6b-goog

/M