From: KP Singh <kpsingh@chromium.org>
To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org
Cc: "Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"James Morris" <jmorris@namei.org>,
"Kees Cook" <keescook@chromium.org>,
"Thomas Garnier" <thgarnie@chromium.org>,
"Michael Halcrow" <mhalcrow@google.com>,
"Paul Turner" <pjt@google.com>,
"Brendan Gregg" <brendan.d.gregg@gmail.com>,
"Jann Horn" <jannh@google.com>,
"Matthew Garrett" <mjg59@google.com>,
"Christian Brauner" <christian@brauner.io>,
"Mickaël Salaün" <mic@digikod.net>,
"Florent Revest" <revest@chromium.org>,
"Brendan Jackman" <jackmanb@chromium.org>,
"Martin KaFai Lau" <kafai@fb.com>,
"Song Liu" <songliubraving@fb.com>, "Yonghong Song" <yhs@fb.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Mauro Carvalho Chehab" <mchehab+samsung@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Nicolas Ferre" <nicolas.ferre@microchip.com>,
"Stanislav Fomichev" <sdf@google.com>,
"Quentin Monnet" <quentin.monnet@netronome.com>,
"Andrey Ignatov" <rdna@fb.com>, "Joe Stringer" <joe@wand.net.nz>
Subject: [PATCH bpf-next v2 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM
Date: Wed, 15 Jan 2020 18:13:27 +0100 [thread overview]
Message-ID: <20200115171333.28811-5-kpsingh@chromium.org> (raw)
In-Reply-To: <20200115171333.28811-1-kpsingh@chromium.org>
From: KP Singh <kpsingh@google.com>
- The list of hooks registered by an LSM is currently immutable as they
are declared with __lsm_ro_after_init and they are attached to a
security_hook_heads struct.
- For the BPF LSM we need to de/register the hooks at runtime. Making
the existing security_hook_heads mutable broadens an
attack vector, so a separate security_hook_heads is added for only
those that ~must~ be mutable.
- These mutable hooks are run only after all the static hooks have
successfully executed.
This is based on the ideas discussed in:
https://lore.kernel.org/lkml/20180408065916.GA2832@ircssh-2.c.rugged-nimbus-611.internal
Signed-off-by: KP Singh <kpsingh@google.com>
---
MAINTAINERS | 1 +
include/linux/bpf_lsm.h | 71 +++++++++++++++++++++++++++++++++++++++++
security/bpf/Kconfig | 1 +
security/bpf/Makefile | 2 +-
security/bpf/hooks.c | 20 ++++++++++++
security/bpf/lsm.c | 9 +++++-
security/security.c | 24 +++++++-------
7 files changed, 115 insertions(+), 13 deletions(-)
create mode 100644 include/linux/bpf_lsm.h
create mode 100644 security/bpf/hooks.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 0941f478cfa5..02d7e05e9b75 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3209,6 +3209,7 @@ L: linux-security-module@vger.kernel.org
L: bpf@vger.kernel.org
S: Maintained
F: security/bpf/
+F: include/linux/bpf_lsm.h
BROADCOM B44 10/100 ETHERNET DRIVER
M: Michael Chan <michael.chan@broadcom.com>
diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
new file mode 100644
index 000000000000..9883cf25241c
--- /dev/null
+++ b/include/linux/bpf_lsm.h
@@ -0,0 +1,71 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright 2019 Google LLC.
+ */
+
+#ifndef _LINUX_BPF_LSM_H
+#define _LINUX_BPF_LSM_H
+
+#include <linux/bpf.h>
+#include <linux/lsm_hooks.h>
+
+#ifdef CONFIG_SECURITY_BPF
+
+/* Mutable hooks defined at runtime and executed after all the statically
+ * define LSM hooks.
+ */
+extern struct security_hook_heads bpf_lsm_hook_heads;
+
+int bpf_lsm_srcu_read_lock(void);
+void bpf_lsm_srcu_read_unlock(int idx);
+
+#define CALL_BPF_LSM_VOID_HOOKS(FUNC, ...) \
+ do { \
+ struct security_hook_list *P; \
+ int _idx; \
+ \
+ if (hlist_empty(&bpf_lsm_hook_heads.FUNC)) \
+ break; \
+ \
+ _idx = bpf_lsm_srcu_read_lock(); \
+ hlist_for_each_entry(P, &bpf_lsm_hook_heads.FUNC, list) \
+ P->hook.FUNC(__VA_ARGS__); \
+ bpf_lsm_srcu_read_unlock(_idx); \
+ } while (0)
+
+#define CALL_BPF_LSM_INT_HOOKS(RC, FUNC, ...) ({ \
+ do { \
+ struct security_hook_list *P; \
+ int _idx; \
+ \
+ if (hlist_empty(&bpf_lsm_hook_heads.FUNC)) \
+ break; \
+ \
+ _idx = bpf_lsm_srcu_read_lock(); \
+ \
+ hlist_for_each_entry(P, \
+ &bpf_lsm_hook_heads.FUNC, list) { \
+ RC = P->hook.FUNC(__VA_ARGS__); \
+ if (RC && IS_ENABLED(CONFIG_SECURITY_BPF_ENFORCE)) \
+ break; \
+ } \
+ bpf_lsm_srcu_read_unlock(_idx); \
+ } while (0); \
+ IS_ENABLED(CONFIG_SECURITY_BPF_ENFORCE) ? RC : 0; \
+})
+
+#else /* !CONFIG_SECURITY_BPF */
+
+#define CALL_BPF_LSM_INT_HOOKS(RC, FUNC, ...) (RC)
+#define CALL_BPF_LSM_VOID_HOOKS(...)
+
+static inline int bpf_lsm_srcu_read_lock(void)
+{
+ return 0;
+}
+static inline void bpf_lsm_srcu_read_unlock(int idx) {}
+
+#endif /* CONFIG_SECURITY_BPF */
+
+#endif /* _LINUX_BPF_LSM_H */
diff --git a/security/bpf/Kconfig b/security/bpf/Kconfig
index a5f6c67ae526..595e4ad597ae 100644
--- a/security/bpf/Kconfig
+++ b/security/bpf/Kconfig
@@ -6,6 +6,7 @@ config SECURITY_BPF
bool "BPF-based MAC and audit policy"
depends on SECURITY
depends on BPF_SYSCALL
+ depends on SRCU
help
This enables instrumentation of the security hooks with
eBPF programs.
diff --git a/security/bpf/Makefile b/security/bpf/Makefile
index c78a8a056e7e..c526927c337d 100644
--- a/security/bpf/Makefile
+++ b/security/bpf/Makefile
@@ -2,4 +2,4 @@
#
# Copyright 2019 Google LLC.
-obj-$(CONFIG_SECURITY_BPF) := lsm.o ops.o
+obj-$(CONFIG_SECURITY_BPF) := lsm.o ops.o hooks.o
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
new file mode 100644
index 000000000000..b123d9cb4cd4
--- /dev/null
+++ b/security/bpf/hooks.c
@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright 2019 Google LLC.
+ */
+
+#include <linux/bpf_lsm.h>
+#include <linux/srcu.h>
+
+DEFINE_STATIC_SRCU(security_hook_srcu);
+
+int bpf_lsm_srcu_read_lock(void)
+{
+ return srcu_read_lock(&security_hook_srcu);
+}
+
+void bpf_lsm_srcu_read_unlock(int idx)
+{
+ return srcu_read_unlock(&security_hook_srcu, idx);
+}
diff --git a/security/bpf/lsm.c b/security/bpf/lsm.c
index 5c5c14f990ce..d4ea6aa9ddb8 100644
--- a/security/bpf/lsm.c
+++ b/security/bpf/lsm.c
@@ -4,14 +4,21 @@
* Copyright 2019 Google LLC.
*/
+#include <linux/bpf_lsm.h>
#include <linux/lsm_hooks.h>
/* This is only for internal hooks, always statically shipped as part of the
- * BPF LSM. Statically defined hooks are appeneded to the security_hook_heads
+ * BPF LSM. Statically defined hooks are appended to the security_hook_heads
* which is common for LSMs and R/O after init.
*/
static struct security_hook_list lsm_hooks[] __lsm_ro_after_init = {};
+/* Security hooks registered dynamically by the BPF LSM and must be accessed
+ * by holding bpf_lsm_srcu_read_lock and bpf_lsm_srcu_read_unlock. The mutable
+ * hooks dynamically allocated by the BPF LSM are appeneded here.
+ */
+struct security_hook_heads bpf_lsm_hook_heads;
+
static int __init lsm_init(void)
{
security_add_hooks(lsm_hooks, ARRAY_SIZE(lsm_hooks), "bpf");
diff --git a/security/security.c b/security/security.c
index cd2d18d2d279..4a2eb4c089b2 100644
--- a/security/security.c
+++ b/security/security.c
@@ -27,6 +27,7 @@
#include <linux/backing-dev.h>
#include <linux/string.h>
#include <linux/msg.h>
+#include <linux/bpf_lsm.h>
#include <net/flow.h>
#define MAX_LSM_EVM_XATTR 2
@@ -652,20 +653,21 @@ static void __init lsm_early_task(struct task_struct *task)
\
hlist_for_each_entry(P, &security_hook_heads.FUNC, list) \
P->hook.FUNC(__VA_ARGS__); \
+ CALL_BPF_LSM_VOID_HOOKS(FUNC, __VA_ARGS__); \
} while (0)
-#define call_int_hook(FUNC, IRC, ...) ({ \
- int RC = IRC; \
- do { \
- struct security_hook_list *P; \
- \
+#define call_int_hook(FUNC, IRC, ...) ({ \
+ int RC = IRC; \
+ do { \
+ struct security_hook_list *P; \
hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
- RC = P->hook.FUNC(__VA_ARGS__); \
- if (RC != 0) \
- break; \
- } \
- } while (0); \
- RC; \
+ RC = P->hook.FUNC(__VA_ARGS__); \
+ if (RC != 0) \
+ break; \
+ } \
+ RC = CALL_BPF_LSM_INT_HOOKS(RC, FUNC, __VA_ARGS__); \
+ } while (0); \
+ RC; \
})
/* Security operations */
--
2.20.1
next prev parent reply other threads:[~2020-01-15 17:14 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-15 17:13 [PATCH bpf-next v2 00/10] MAC and Audit policy using eBPF (KRSI) KP Singh
2020-01-15 17:13 ` [PATCH bpf-next v2 01/10] bpf: btf: Make some of the API visible outside BTF KP Singh
2020-01-18 12:44 ` kbuild test robot
2020-01-18 12:44 ` kbuild test robot
2020-01-20 11:00 ` KP Singh
2020-01-20 11:00 ` KP Singh
2020-01-15 17:13 ` [PATCH bpf-next v2 02/10] bpf: lsm: Add a skeleton and config options KP Singh
2020-01-16 7:04 ` Casey Schaufler
2020-01-16 12:52 ` KP Singh
2020-01-15 17:13 ` [PATCH bpf-next v2 03/10] bpf: lsm: Introduce types for eBPF based LSM KP Singh
2020-01-15 17:13 ` KP Singh [this message]
2020-01-15 17:30 ` [PATCH bpf-next v2 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM Stephen Smalley
2020-01-16 9:48 ` KP Singh
2020-01-16 6:33 ` Casey Schaufler
2020-01-16 10:19 ` KP Singh
2020-01-15 17:13 ` [PATCH bpf-next v2 05/10] bpf: lsm: BTF API for LSM hooks KP Singh
2020-01-17 0:28 ` Andrii Nakryiko
2020-01-20 11:10 ` KP Singh
2020-01-15 17:13 ` [PATCH bpf-next v2 06/10] bpf: lsm: Implement attach, detach and execution KP Singh
2020-01-15 17:24 ` Greg Kroah-Hartman
2020-01-16 9:45 ` KP Singh
2020-01-15 17:13 ` [PATCH bpf-next v2 07/10] bpf: lsm: Make the allocated callback RO+X KP Singh
2020-01-15 17:13 ` [PATCH bpf-next v2 08/10] tools/libbpf: Add support for BPF_PROG_TYPE_LSM KP Singh
2020-01-15 21:19 ` Andrii Nakryiko
2020-01-15 21:37 ` Andrii Nakryiko
2020-01-16 12:49 ` KP Singh
2020-01-16 17:26 ` KP Singh
2020-01-16 19:10 ` Andrii Nakryiko
2020-01-17 22:16 ` KP Singh
2020-01-15 17:13 ` [PATCH bpf-next v2 09/10] bpf: lsm: Add selftests " KP Singh
2020-01-15 17:13 ` [PATCH bpf-next v2 10/10] bpf: lsm: Add Documentation KP Singh
2020-01-15 22:12 ` [PATCH bpf-next v2 00/10] MAC and Audit policy using eBPF (KRSI) Andrii Nakryiko
2020-01-20 11:12 ` KP Singh
2020-01-16 10:03 ` Brendan Jackman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200115171333.28811-5-kpsingh@chromium.org \
--to=kpsingh@chromium.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brendan.d.gregg@gmail.com \
--cc=christian@brauner.io \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=jackmanb@chromium.org \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=joe@wand.net.nz \
--cc=kafai@fb.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mchehab+samsung@kernel.org \
--cc=mhalcrow@google.com \
--cc=mic@digikod.net \
--cc=mjg59@google.com \
--cc=nicolas.ferre@microchip.com \
--cc=pjt@google.com \
--cc=quentin.monnet@netronome.com \
--cc=rdna@fb.com \
--cc=revest@chromium.org \
--cc=sdf@google.com \
--cc=serge@hallyn.com \
--cc=songliubraving@fb.com \
--cc=thgarnie@chromium.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.