From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: KP Singh <kpsingh@chromium.org>
Cc: James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Florent Revest <revest@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH bpf-next 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode
Date: Mon, 23 Nov 2020 20:02:20 -0800 [thread overview]
Message-ID: <20201124040220.oyajc7wqn7gqgyib@ast-mbp> (raw)
In-Reply-To: <20201120131708.3237864-2-kpsingh@chromium.org>
On Fri, Nov 20, 2020 at 01:17:07PM +0000, KP Singh wrote:
> +
> +static bool bpf_ima_inode_hash_allowed(const struct bpf_prog *prog)
> +{
> + return bpf_lsm_is_sleepable_hook(prog->aux->attach_btf_id);
> +}
> +
> +BTF_ID_LIST_SINGLE(bpf_ima_inode_hash_btf_ids, struct, inode)
> +
> +const static struct bpf_func_proto bpf_ima_inode_hash_proto = {
> + .func = bpf_ima_inode_hash,
> + .gpl_only = false,
> + .ret_type = RET_INTEGER,
> + .arg1_type = ARG_PTR_TO_BTF_ID,
> + .arg1_btf_id = &bpf_ima_inode_hash_btf_ids[0],
> + .arg2_type = ARG_PTR_TO_UNINIT_MEM,
> + .arg3_type = ARG_CONST_SIZE_OR_ZERO,
> + .allowed = bpf_ima_inode_hash_allowed,
> +};
> +
> static const struct bpf_func_proto *
> bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> {
> @@ -97,6 +121,8 @@ bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> return &bpf_task_storage_delete_proto;
> case BPF_FUNC_bprm_opts_set:
> return &bpf_bprm_opts_set_proto;
> + case BPF_FUNC_ima_inode_hash:
> + return &bpf_ima_inode_hash_proto;
That's not enough for correctness.
Not only hook has to sleepable, but the program has to be sleepable too.
The patch 3 should be causing all sort of kernel warnings
for calling mutex from preempt disabled.
There it calls bpf_ima_inode_hash() from SEC("lsm/file_mprotect") program.
"lsm/" is non-sleepable. "lsm.s/" is.
please enable CONFIG_DEBUG_ATOMIC_SLEEP=y in your config.
next prev parent reply other threads:[~2020-11-24 4:02 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-20 13:17 [PATCH bpf-next 1/3] ima: Implement ima_inode_hash KP Singh
2020-11-20 13:17 ` [PATCH bpf-next 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode KP Singh
2020-11-20 17:47 ` Yonghong Song
2020-11-21 0:14 ` KP Singh
2020-11-24 4:02 ` Alexei Starovoitov [this message]
2020-11-24 11:04 ` KP Singh
2020-11-24 15:01 ` KP Singh
2020-11-20 13:17 ` [PATCH bpf-next 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash KP Singh
2020-11-20 18:11 ` Yonghong Song
2020-11-21 0:20 ` KP Singh
2020-11-20 17:32 ` [PATCH bpf-next 1/3] ima: Implement ima_inode_hash Yonghong Song
2020-11-21 0:08 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201124040220.oyajc7wqn7gqgyib@ast-mbp \
--to=alexei.starovoitov@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=revest@chromium.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).