From: KP Singh <kpsingh@chromium.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: KP Singh <kpsingh@chromium.org>,
	open list <linux-kernel@vger.kernel.org>,
	bpf <bpf@vger.kernel.org>,
	Linux Security Module list 
	<linux-security-module@vger.kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	James Morris <jmorris@namei.org>,
	Kees Cook <keescook@chromium.org>, Jann Horn <jannh@google.com>,
	"David S. Miller" <davem@davemloft.net>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH bpf-next v4 5/8] bpf: lsm: Implement attach, detach and execution
Date: Fri, 21 Feb 2020 13:02:40 +0100	[thread overview]
Message-ID: <CACYkzJ6E7FDE0xnnZPCmxgC+vEw1o4qcu9szV1DMeDeukbnFxQ@mail.gmail.com> (raw)
In-Reply-To: <20200221021755.3z7ifyyeh6seo3zs@ast-mbp>

On 20-Feb 18:17, Alexei Starovoitov wrote:
> On Thu, Feb 20, 2020 at 06:52:47PM +0100, KP Singh wrote:
> > +
> > +   /* This is the first program to be attached to the LSM hook, the hook
> > +    * needs to be enabled.
> > +    */
> > +   if (prog->type == BPF_PROG_TYPE_LSM && tr->progs_cnt[kind] == 1)
> > +           err = bpf_lsm_set_enabled(prog->aux->attach_func_name, true);
> >  out:
> >     mutex_unlock(&tr->mutex);
> >     return err;
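Review bot: the `tr->progs_cnt[kind] == 1` test in this hunk counts every program of the trampoline kind, not only LSM programs, and since LSM programs are attached as fexit programs a tracing fexit program already linked to the same trampoline makes the count 2 on the first LSM attach, so bpf_lsm_set_enabled() is never called and the hook stays off while a policy program is attached. Gate the enable on a count of LSM programs only, for example a per-trampoline counter incremented next to `tr->progs_cnt[kind]++` and tested with `== 1` here.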
> > @@ -336,7 +348,11 @@ int bpf_trampoline_unlink_prog(struct bpf_prog *prog)
> >     }
> >     hlist_del(&prog->aux->tramp_hlist);
> >     tr->progs_cnt[kind]--;
> > -   err = bpf_trampoline_update(prog->aux->trampoline);
> > +   err = bpf_trampoline_update(prog);
> > +
> > +   /* There are no more LSM programs, the hook should be disabled */
> > +   if (prog->type == BPF_PROG_TYPE_LSM && tr->progs_cnt[kind] == 0)
> > +           err = bpf_lsm_set_enabled(prog->aux->attach_func_name, false);
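Review bot: the last line `err = bpf_lsm_set_enabled(prog->aux->attach_func_name, false);` overwrites the `err` returned by `bpf_trampoline_update(prog)` two lines above, so a failed trampoline update is reported as success whenever the detached program was the last LSM program; check that error (or return it) before disabling the hook. The `tr->progs_cnt[kind] == 0` test has the same sharing problem as the attach side: the kind counter includes non-LSM fexit programs, so detaching the last LSM program while a tracing fexit program remains leaves the hook enabled.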
>
> Overall looks good, but I don't think above logic works.
> Consider lsm being attached, then fexit, then lsm detached, then fexit detached.
> Both are kind==fexit and static_key stays enabled.

You're right. I was wary of introducing a new kind (something like
BPF_TRAMP_LSM) since they are just fexit trampolines. For now, I
added nr_lsm_progs as a member in struct bpf_trampoline and refactored
the increment and decrement logic into inline helper functions, e.g.

static inline void bpf_trampoline_dec_progs(struct bpf_prog *prog,
                                            enum bpf_tramp_prog_type kind)
{
        struct bpf_trampoline *tr = prog->aux->trampoline;

        if (prog->type == BPF_PROG_TYPE_LSM)
                tr->nr_lsm_progs--;

        tr->progs_cnt[kind]--;
}

and doing the check as:

  if (prog->type == BPF_PROG_TYPE_LSM && tr->nr_lsm_progs == 0)
        err = bpf_lsm_set_enabled(prog->aux->attach_func_name, false);

This should work. If you're okay with it, I will update it in the next
revision of the patch-set.

- KP
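The two bookkeeping schemes side by side, as an added example rather than code from the patch set: a userspace model of the trampoline counters that replays Alexei's attach/detach sequence under the v4 `progs_cnt[kind]` check and under the proposed `nr_lsm_progs` check. The struct and function names below are stand-ins for struct bpf_trampoline, bpf_trampoline_link_prog()/bpf_trampoline_unlink_prog() and bpf_lsm_set_enabled(), and `hook_enabled` stands in for the hook's static key. It also replays the mirror case, which the thread does not spell out: a tracing fexit program attached before the LSM program, where the v4 check never enables the hook at all.

```c
/* Added example: userspace model of the trampoline counters discussed in
 * the thread. Names are stand-ins, not the kernel's own definitions. */
#include <stdbool.h>
#include <stdio.h>

enum bpf_prog_type { BPF_PROG_TYPE_TRACING, BPF_PROG_TYPE_LSM };
enum bpf_tramp_prog_type { BPF_TRAMP_FENTRY, BPF_TRAMP_FEXIT, BPF_TRAMP_MAX };

struct bpf_trampoline {
	int progs_cnt[BPF_TRAMP_MAX];
	int nr_lsm_progs;    /* the counter KP proposes adding */
	bool hook_enabled;   /* stands in for the hook's static key */
};

struct bpf_prog {
	enum bpf_prog_type type;
	enum bpf_tramp_prog_type kind;  /* LSM programs ride fexit trampolines */
};

typedef void (*op_fn)(struct bpf_trampoline *, const struct bpf_prog *);

/* v4 logic as posted: gate the hook on progs_cnt[kind]. */
static void link_v4(struct bpf_trampoline *tr, const struct bpf_prog *p)
{
	tr->progs_cnt[p->kind]++;
	if (p->type == BPF_PROG_TYPE_LSM && tr->progs_cnt[p->kind] == 1)
		tr->hook_enabled = true;
}

static void unlink_v4(struct bpf_trampoline *tr, const struct bpf_prog *p)
{
	tr->progs_cnt[p->kind]--;
	if (p->type == BPF_PROG_TYPE_LSM && tr->progs_cnt[p->kind] == 0)
		tr->hook_enabled = false;
}

/* Proposed fix: count LSM programs separately from the fexit kind. */
static void link_fixed(struct bpf_trampoline *tr, const struct bpf_prog *p)
{
	if (p->type == BPF_PROG_TYPE_LSM)
		tr->nr_lsm_progs++;
	tr->progs_cnt[p->kind]++;
	if (p->type == BPF_PROG_TYPE_LSM && tr->nr_lsm_progs == 1)
		tr->hook_enabled = true;
}

static void unlink_fixed(struct bpf_trampoline *tr, const struct bpf_prog *p)
{
	if (p->type == BPF_PROG_TYPE_LSM)
		tr->nr_lsm_progs--;
	tr->progs_cnt[p->kind]--;
	if (p->type == BPF_PROG_TYPE_LSM && tr->nr_lsm_progs == 0)
		tr->hook_enabled = false;
}

static const struct bpf_prog lsm_prog = { BPF_PROG_TYPE_LSM, BPF_TRAMP_FEXIT };
static const struct bpf_prog fexit_prog = { BPF_PROG_TYPE_TRACING, BPF_TRAMP_FEXIT };

/* Alexei's sequence: lsm attach, fexit attach, lsm detach, fexit detach.
 * Returns whether the hook is still enabled at the end (correct: false). */
bool hook_left_enabled(bool use_fixed)
{
	struct bpf_trampoline tr = { 0 };
	op_fn do_link = use_fixed ? link_fixed : link_v4;
	op_fn do_unlink = use_fixed ? unlink_fixed : unlink_v4;

	do_link(&tr, &lsm_prog);
	do_link(&tr, &fexit_prog);
	do_unlink(&tr, &lsm_prog);
	do_unlink(&tr, &fexit_prog);
	return tr.hook_enabled;
}

/* Mirror case: a tracing fexit program is attached before the LSM program.
 * Returns whether the hook is enabled while the LSM program is attached
 * (correct: true; otherwise the policy program never runs). */
bool hook_enabled_with_lsm_attached(bool use_fixed)
{
	struct bpf_trampoline tr = { 0 };
	op_fn do_link = use_fixed ? link_fixed : link_v4;

	do_link(&tr, &fexit_prog);
	do_link(&tr, &lsm_prog);
	return tr.hook_enabled;
}

int main(void)
{
	printf("v4:    left enabled after detach=%d, enabled with LSM attached=%d\n",
	       hook_left_enabled(false), hook_enabled_with_lsm_attached(false));
	printf("fixed: left enabled after detach=%d, enabled with LSM attached=%d\n",
	       hook_left_enabled(true), hook_enabled_with_lsm_attached(true));
	return 0;
}
```

Under the v4 check the first replay ends with the hook still enabled and the second never enables it; the separate LSM counter gives the expected result in both, because the kind counter is shared with every other fexit program on the trampoline while the hook should follow only the LSM programs.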


Thread overview: 45+ messages
2020-02-20 17:52 [PATCH bpf-next v4 0/8] MAC and Audit policy using eBPF (KRSI) KP Singh
2020-02-20 17:52 ` [PATCH bpf-next v4 1/8] bpf: Introduce BPF_PROG_TYPE_LSM KP Singh
2020-02-20 17:52 ` [PATCH bpf-next v4 2/8] security: Refactor declaration of LSM hooks KP Singh
2020-02-20 17:52 ` [PATCH bpf-next v4 3/8] bpf: lsm: provide attachment points for BPF LSM programs KP Singh
2020-02-20 23:49   ` Casey Schaufler
2020-02-21 11:44     ` KP Singh
2020-02-21 18:23       ` Casey Schaufler
2020-02-22  4:22     ` Kees Cook
2020-02-23 22:08       ` Alexei Starovoitov
2020-02-24 16:32         ` Casey Schaufler
2020-02-24 17:13           ` KP Singh
2020-02-24 18:45             ` Casey Schaufler
2020-02-24 21:41               ` Kees Cook
2020-02-24 22:29                 ` Casey Schaufler
2020-02-25  5:41                 ` Alexei Starovoitov
2020-02-25 15:31                   ` Kees Cook
2020-02-25 19:31                   ` KP Singh
2020-02-26  0:30                   ` Casey Schaufler
2020-02-26  5:15                     ` KP Singh
2020-02-26 15:35                       ` Casey Schaufler
2020-02-25 19:29                 ` KP Singh
2020-02-24 16:09       ` Casey Schaufler
2020-02-24 17:23       ` KP Singh
2020-02-21  2:25   ` Alexei Starovoitov
2020-02-21 11:47     ` KP Singh
2020-02-20 17:52 ` [PATCH bpf-next v4 4/8] bpf: lsm: Add support for enabling/disabling BPF hooks KP Singh
2020-02-21 18:57   ` Casey Schaufler
2020-02-21 19:11     ` James Morris
2020-02-22  4:26   ` Kees Cook
2020-02-20 17:52 ` [PATCH bpf-next v4 5/8] bpf: lsm: Implement attach, detach and execution KP Singh
2020-02-21  2:17   ` Alexei Starovoitov
2020-02-21 12:02     ` KP Singh [this message]
2020-02-20 17:52 ` [PATCH bpf-next v4 6/8] tools/libbpf: Add support for BPF_PROG_TYPE_LSM KP Singh
2020-02-25  6:45   ` Andrii Nakryiko
2020-02-20 17:52 ` [PATCH bpf-next v4 7/8] bpf: lsm: Add selftests " KP Singh
2020-02-20 17:52 ` [PATCH bpf-next v4 8/8] bpf: lsm: Add Documentation KP Singh
2020-02-21 19:19 ` [PATCH bpf-next v4 0/8] MAC and Audit policy using eBPF (KRSI) Casey Schaufler
2020-02-21 19:41   ` KP Singh
2020-02-21 22:31     ` Casey Schaufler
2020-02-21 23:09       ` KP Singh
2020-02-21 23:49         ` Casey Schaufler
2020-02-22  0:22       ` Kees Cook
2020-02-22  1:04         ` Casey Schaufler
2020-02-22  3:36           ` Kees Cook
2020-02-27 18:40 ` Dr. Greg