From: Kees Cook <keescook@chromium.org>
To: KP Singh <kpsingh@chromium.org>
Cc: linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org,
Brendan Jackman <jackmanb@google.com>,
Florent Revest <revest@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
James Morris <jmorris@namei.org>, Paul Turner <pjt@google.com>,
Jann Horn <jannh@google.com>,
Florent Revest <revest@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks
Date: Mon, 23 Mar 2020 12:44:38 -0700 [thread overview]
Message-ID: <202003231237.F654B379@keescook> (raw)
In-Reply-To: <20200323164415.12943-6-kpsingh@chromium.org>
On Mon, Mar 23, 2020 at 05:44:13PM +0100, KP Singh wrote:
> From: KP Singh <kpsingh@google.com>
>
> The bpf_lsm_ nops are initialized into the LSM framework like any other
> LSM. Some LSM hooks do not have 0 as their default return value. The
> __weak symbol for these hooks is overridden by a corresponding
> definition in security/bpf/hooks.c
>
> The LSM can be enabled / disabled with CONFIG_LSM.
>
> Signed-off-by: KP Singh <kpsingh@google.com>
Nice! This is super clean on the LSM side of things. :)
One note below...
> Reviewed-by: Brendan Jackman <jackmanb@google.com>
> Reviewed-by: Florent Revest <revest@google.com>
> ---
> security/Kconfig | 10 ++++----
> security/Makefile | 2 ++
> security/bpf/Makefile | 5 ++++
> security/bpf/hooks.c | 55 +++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 67 insertions(+), 5 deletions(-)
> create mode 100644 security/bpf/Makefile
> create mode 100644 security/bpf/hooks.c
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 2a1a2d396228..cd3cc7da3a55 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -277,11 +277,11 @@ endchoice
>
> config LSM
> string "Ordered list of enabled LSMs"
> - default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
> - default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
> - default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
> - default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
> - default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
> + default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
> + default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
> + default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
> + default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
> + default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
> help
> A comma-separated list of LSMs, in initialization order.
> Any LSMs left off this list will be ignored. This can be
> diff --git a/security/Makefile b/security/Makefile
> index 746438499029..22e73a3482bd 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -12,6 +12,7 @@ subdir-$(CONFIG_SECURITY_YAMA) += yama
> subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
> subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
> subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown
> +subdir-$(CONFIG_BPF_LSM) += bpf
>
> # always enable default capabilities
> obj-y += commoncap.o
> @@ -30,6 +31,7 @@ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
> obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
> obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
> +obj-$(CONFIG_BPF_LSM) += bpf/
>
> # Object integrity file lists
> subdir-$(CONFIG_INTEGRITY) += integrity
> diff --git a/security/bpf/Makefile b/security/bpf/Makefile
> new file mode 100644
> index 000000000000..c7a89a962084
> --- /dev/null
> +++ b/security/bpf/Makefile
> @@ -0,0 +1,5 @@
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# Copyright (C) 2020 Google LLC.
> +
> +obj-$(CONFIG_BPF_LSM) := hooks.o
> diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
> new file mode 100644
> index 000000000000..68e5824868f9
> --- /dev/null
> +++ b/security/bpf/hooks.c
> @@ -0,0 +1,55 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +/*
> + * Copyright (C) 2020 Google LLC.
> + */
> +#include <linux/lsm_hooks.h>
> +#include <linux/bpf_lsm.h>
> +
> +/* Some LSM hooks do not have 0 as their default return values. Override the
> + * __weak definitons generated by default for these hooks
If you wanted to avoid this, couldn't you make the default return value
part of lsm_hooks.h?
e.g.:
LSM_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct inode *inode,
const char *name, void **buffer, bool alloc)
...
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
LSM_HOOK_##RET(NAME, DEFAULT, __VA_ARGS__)
...
#define LSM_HOOK_int(NAME, DEFAULT, ...) \
noinline int bpf_lsm_##NAME(__VA_ARGS__) \
{ \
return (DEFAULT); \
}
Then all the __weak stuff is gone, and the following 4 functions don't
need to be written out, and the information is available to the macros
if anyone else might ever want it.
-Kees
> + */
> +noinline int bpf_lsm_inode_getsecurity(struct inode *inode, const char *name,
> + void **buffer, bool alloc)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +noinline int bpf_lsm_inode_setsecurity(struct inode *inode, const char *name,
> + const void *value, size_t size,
> + int flags)
> +{
> + return -EOPNOTSUPP;
> +}
> +
> +noinline int bpf_lsm_task_prctl(int option, unsigned long arg2,
> + unsigned long arg3, unsigned long arg4,
> + unsigned long arg5)
> +{
> + return -ENOSYS;
> +}
> +
> +noinline int bpf_lsm_xfrm_state_pol_flow_match(struct xfrm_state *x,
> + struct xfrm_policy *xp,
> + const struct flowi *fl)
> +{
> + return 1;
> +}
> +
> +static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
> + #define LSM_HOOK(RET, NAME, ...) LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
> + #include <linux/lsm_hook_names.h>
> + #undef LSM_HOOK
> +};
> +
> +static int __init bpf_lsm_init(void)
> +{
> + security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf");
> + pr_info("LSM support for eBPF active\n");
> + return 0;
> +}
> +
> +DEFINE_LSM(bpf) = {
> + .name = "bpf",
> + .init = bpf_lsm_init,
> +};
> --
> 2.20.1
>
--
Kees Cook
next prev parent reply other threads:[~2020-03-23 19:44 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-23 16:44 [PATCH bpf-next v5 0/8] MAC and Audit policy using eBPF (KRSI) KP Singh
2020-03-23 16:44 ` [PATCH bpf-next v5 1/7] bpf: Introduce BPF_PROG_TYPE_LSM KP Singh
2020-03-23 19:02 ` Yonghong Song
2020-03-23 16:44 ` [PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks KP Singh
2020-03-23 19:33 ` Kees Cook
2020-03-23 19:56 ` Andrii Nakryiko
2020-03-24 16:06 ` KP Singh
2020-03-23 16:44 ` [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs KP Singh
2020-03-23 19:04 ` Yonghong Song
2020-03-23 19:33 ` Kees Cook
2020-03-23 19:59 ` Andrii Nakryiko
2020-03-24 10:39 ` KP Singh
2020-03-24 16:12 ` KP Singh
2020-03-24 21:26 ` Andrii Nakryiko
2020-03-24 22:39 ` KP Singh
2020-03-23 16:44 ` [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution KP Singh
2020-03-23 19:16 ` Yonghong Song
2020-03-23 19:44 ` KP Singh
2020-03-23 20:18 ` Andrii Nakryiko
2020-03-24 19:00 ` KP Singh
2020-03-24 14:35 ` Stephen Smalley
2020-03-24 14:50 ` KP Singh
2020-03-24 14:58 ` Stephen Smalley
2020-03-24 16:25 ` Casey Schaufler
2020-03-24 17:49 ` Stephen Smalley
2020-03-24 18:01 ` Kees Cook
2020-03-24 18:06 ` KP Singh
2020-03-24 18:21 ` Stephen Smalley
2020-03-24 18:27 ` KP Singh
2020-03-24 18:31 ` KP Singh
2020-03-24 18:34 ` Kees Cook
2020-03-24 18:33 ` Kees Cook
2020-03-23 16:44 ` [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks KP Singh
2020-03-23 19:44 ` Kees Cook [this message]
2020-03-23 19:47 ` KP Singh
2020-03-23 20:21 ` Andrii Nakryiko
2020-03-23 20:47 ` Casey Schaufler
2020-03-23 21:44 ` Kees Cook
2020-03-23 21:58 ` Casey Schaufler
2020-03-23 22:12 ` Kees Cook
2020-03-23 23:39 ` Casey Schaufler
2020-03-24 1:53 ` KP Singh
2020-03-25 14:35 ` KP Singh
2020-03-24 1:13 ` Casey Schaufler
2020-03-24 1:52 ` KP Singh
2020-03-24 14:37 ` Stephen Smalley
2020-03-24 14:42 ` KP Singh
2020-03-24 14:51 ` Stephen Smalley
2020-03-24 14:51 ` KP Singh
2020-03-24 17:57 ` Kees Cook
2020-03-23 16:44 ` [PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM KP Singh
2020-03-23 19:21 ` Yonghong Song
2020-03-23 20:25 ` Andrii Nakryiko
2020-03-24 1:57 ` KP Singh
2020-03-23 16:44 ` [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests " KP Singh
2020-03-23 20:04 ` Yonghong Song
2020-03-24 20:04 ` KP Singh
2020-03-24 23:54 ` Andrii Nakryiko
2020-03-25 0:36 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202003231237.F654B379@keescook \
--to=keescook@chromium.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=jackmanb@chromium.org \
--cc=jackmanb@google.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pjt@google.com \
--cc=revest@chromium.org \
--cc=revest@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).