From: Yonghong Song <yhs@fb.com> To: KP Singh <kpsingh@chromium.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, "bpf@vger.kernel.org" <bpf@vger.kernel.org>, "linux-security-module@vger.kernel.org" <linux-security-module@vger.kernel.org> Cc: "Alexei Starovoitov" <ast@kernel.org>, "Daniel Borkmann" <daniel@iogearbox.net>, "James Morris" <jmorris@namei.org>, "Kees Cook" <keescook@chromium.org>, "Thomas Garnier" <thgarnie@chromium.org>, "Michael Halcrow" <mhalcrow@google.com>, "Paul Turner" <pjt@google.com>, "Brendan Gregg" <brendan.d.gregg@gmail.com>, "Jann Horn" <jannh@google.com>, "Matthew Garrett" <mjg59@google.com>, "Christian Brauner" <christian@brauner.io>, "Mickaël Salaün" <mic@digikod.net>, "Florent Revest" <revest@chromium.org>, "Martin Lau" <kafai@fb.com>, "Song Liu" <songliubraving@fb.com>, "Serge E. Hallyn" <serge@hallyn.com>, "Mauro Carvalho Chehab" <mchehab+samsung@kernel.org>, "David S. Miller" <davem@davemloft.net>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Nicolas Ferre" <nicolas.ferre@microchip.com>, "Stanislav Fomichev" <sdf@google.com>, "Quentin Monnet" <quentin.monnet@netronome.com>, "Andrey Ignatov" <rdna@fb.com>, "Joe Stringer" <joe@wand.net.nz> Subject: Re: Re: [RFC v1 06/14] krsi: Implement eBPF operations, attachment and execution Date: Sun, 15 Sep 2019 00:37:29 +0000 Message-ID: <f2732b46-d4d1-c811-dd6b-ad0ef280513f@fb.com> (raw) In-Reply-To: <bb2d4453-f01f-8fb2-d901-a7a0a5eb4a4d@fb.com> On 9/14/19 5:56 PM, Yonghong Song wrote: > > > On 9/10/19 12:55 PM, KP Singh wrote: >> From: KP Singh <kpsingh@google.com> >> >> A user space program can attach an eBPF program by: >> >> hook_fd = open("/sys/kernel/security/krsi/process_execution", O_RDWR) >> prog_fd = bpf(BPF_PROG_LOAD, ...) >> bpf(BPF_PROG_ATTACH, hook_fd, prog_fd) >> >> When such an attach call is received, the attachment logic looks up the >> dentry and appends the program to the bpf_prog_array. >> >> The BPF programs are stored in a bpf_prog_array and writes to the array >> are guarded by a mutex. The eBPF programs are executed as a part of the >> LSM hook they are attached to. If any of the eBPF programs return >> an error (-ENOPERM) the action represented by the hook is denied. >> >> Signed-off-by: KP Singh <kpsingh@google.com> >> --- >> include/linux/krsi.h | 18 ++++++ >> kernel/bpf/syscall.c | 3 +- >> security/krsi/include/krsi_init.h | 51 +++++++++++++++ >> security/krsi/krsi.c | 13 +++- >> security/krsi/krsi_fs.c | 28 ++++++++ >> security/krsi/ops.c | 102 ++++++++++++++++++++++++++++++ >> 6 files changed, 213 insertions(+), 2 deletions(-) >> create mode 100644 include/linux/krsi.h >> [...] >> >> +static inline int krsi_run_progs(enum krsi_hook_type t, struct krsi_ctx *ctx) >> +{ >> + struct bpf_prog_array_item *item; >> + struct bpf_prog *prog; >> + struct krsi_hook *h = &krsi_hooks_list[t]; >> + int ret, retval = 0; > > Reverse christmas tree style? > >> + >> + preempt_disable(); > > Do we need preempt_disable() here? From the following patches, I see perf_event_output() helper and per-cpu array usage. So, indeed preempt_disable() is needed. > >> + rcu_read_lock(); >> + >> + item = rcu_dereference(h->progs)->items; >> + while ((prog = READ_ONCE(item->prog))) { >> + ret = BPF_PROG_RUN(prog, ctx); >> + if (ret < 0) { >> + retval = ret; >> + goto out; >> + } >> + item++; >> + } >> + >> +out: >> + rcu_read_unlock(); >> + preempt_enable(); >> + return IS_ENABLED(CONFIG_SECURITY_KRSI_ENFORCE) ? retval : 0; >> +} >> + [...]
next prev parent reply index Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-09-10 11:55 [RFC v1 00/14] Kernel Runtime Security Instrumentation KP Singh 2019-09-10 11:55 ` [RFC v1 01/14] krsi: Add a skeleton and config options for the KRSI LSM KP Singh 2019-09-10 11:55 ` [RFC v1 02/14] krsi: Introduce types for KRSI eBPF KP Singh 2019-09-10 11:55 ` [RFC v1 03/14] bpf: krsi: sync BPF UAPI header with tools KP Singh 2019-09-10 11:55 ` [RFC v1 04/14] krsi: Add support in libbpf for BPF_PROG_TYPE_KRSI KP Singh 2019-09-14 16:09 ` Yonghong Song 2019-09-10 11:55 ` [RFC v1 05/14] krsi: Initialize KRSI hooks and create files in securityfs KP Singh 2019-09-14 16:26 ` Yonghong Song 2019-09-10 11:55 ` [RFC v1 06/14] krsi: Implement eBPF operations, attachment and execution KP Singh 2019-09-14 16:56 ` Yonghong Song 2019-09-15 0:37 ` Yonghong Song [this message] 2019-09-10 11:55 ` [RFC v1 07/14] krsi: Check for premissions on eBPF attachment KP Singh 2019-09-10 11:55 ` [RFC v1 08/14] krsi: Show attached program names in hook read handler KP Singh 2019-09-10 11:55 ` [RFC v1 09/14] krsi: Add a helper function for bpf_perf_event_output KP Singh 2019-09-14 18:23 ` Yonghong Song 2019-09-10 11:55 ` [RFC v1 10/14] krsi: Handle attachment of the same program KP Singh 2019-09-10 11:55 ` [RFC v1 11/14] krsi: Pin argument pages in bprm_check_security hook KP Singh 2019-09-10 11:55 ` [RFC v1 12/14] krsi: Add an eBPF helper function to get the value of an env variable KP Singh 2019-09-15 0:16 ` Yonghong Song 2019-09-16 13:00 ` KP Singh 2019-09-17 16:58 ` Yonghong Song 2019-09-17 19:36 ` KP Singh 2019-09-10 11:55 ` [RFC v1 13/14] krsi: Provide an example to read and log environment variables KP Singh 2019-09-15 0:24 ` Yonghong Song 2019-09-10 11:55 ` [RFC v1 14/14] krsi: Pin arg pages only when needed KP Singh 2019-09-15 0:33 ` Yonghong Song 2019-09-15 1:40 ` KP Singh 2019-09-15 19:45 ` Yonghong Song
Reply instructions: You may reply publically to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=f2732b46-d4d1-c811-dd6b-ad0ef280513f@fb.com \ --to=yhs@fb.com \ --cc=ast@kernel.org \ --cc=bpf@vger.kernel.org \ --cc=brendan.d.gregg@gmail.com \ --cc=christian@brauner.io \ --cc=daniel@iogearbox.net \ --cc=davem@davemloft.net \ --cc=gregkh@linuxfoundation.org \ --cc=jannh@google.com \ --cc=jmorris@namei.org \ --cc=joe@wand.net.nz \ --cc=kafai@fb.com \ --cc=keescook@chromium.org \ --cc=kpsingh@chromium.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=mchehab+samsung@kernel.org \ --cc=mhalcrow@google.com \ --cc=mic@digikod.net \ --cc=mjg59@google.com \ --cc=nicolas.ferre@microchip.com \ --cc=pjt@google.com \ --cc=quentin.monnet@netronome.com \ --cc=rdna@fb.com \ --cc=revest@chromium.org \ --cc=sdf@google.com \ --cc=serge@hallyn.com \ --cc=songliubraving@fb.com \ --cc=thgarnie@chromium.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Linux-Security-Module Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \ linux-security-module@vger.kernel.org public-inbox-index linux-security-module Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module AGPL code for this site: git clone https://public-inbox.org/public-inbox.git