From: KP Singh <kpsingh@chromium.org>
To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org
Cc: "Alexei Starovoitov" <ast@kernel.org>, "Daniel Borkmann" <daniel@iogearbox.net>, "James Morris" <jmorris@namei.org>, "Kees Cook" <keescook@chromium.org>, "Thomas Garnier" <thgarnie@chromium.org>, "Michael Halcrow" <mhalcrow@google.com>, "Paul Turner" <pjt@google.com>, "Brendan Gregg" <brendan.d.gregg@gmail.com>, "Jann Horn" <jannh@google.com>, "Matthew Garrett" <mjg59@google.com>, "Christian Brauner" <christian@brauner.io>, "Mickaël Salaün" <mic@digikod.net>, "Florent Revest" <revest@chromium.org>, "Martin KaFai Lau" <kafai@fb.com>, "Song Liu" <songliubraving@fb.com>, "Yonghong Song" <yhs@fb.com>, "Serge E. Hallyn" <serge@hallyn.com>, "Mauro Carvalho Chehab" <mchehab+samsung@kernel.org>, "David S. Miller" <davem@davemloft.net>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Nicolas Ferre" <nicolas.ferre@microchip.com>, "Stanislav Fomichev" <sdf@google.com>, "Quentin Monnet" <quentin.monnet@netronome.com>, "Andrey Ignatov" <rdna@fb.com>, "Joe Stringer" <joe@wand.net.nz>
Subject: [RFC v1 01/14] krsi: Add a skeleton and config options for the KRSI LSM
Date: Tue, 10 Sep 2019 13:55:14 +0200
Message-ID: <20190910115527.5235-2-kpsingh@chromium.org>
In-Reply-To: <20190910115527.5235-1-kpsingh@chromium.org>

From: KP Singh <kpsingh@google.com>

The LSM can be enabled by:

- Enabling CONFIG_SECURITY_KRSI.
- Adding "krsi" to the CONFIG_LSM string.

Signed-off-by: KP Singh <kpsingh@google.com>
---
 MAINTAINERS            |  5 +++++
 security/Kconfig       |  1 +
 security/Makefile      |  2 ++
 security/krsi/Kconfig  | 22 ++++++++++++++++++++++
 security/krsi/Makefile |  1 +
 security/krsi/krsi.c   | 24 ++++++++++++++++++++++++
 6 files changed, 55 insertions(+)
 create mode 100644 security/krsi/Kconfig
 create mode 100644 security/krsi/Makefile
 create mode 100644 security/krsi/krsi.c
diff --git a/MAINTAINERS b/MAINTAINERS index 9cbcf167bdd0..8e0364391d8b 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9002,6 +9002,11 @@ F: include/linux/kprobes.h F: include/asm-generic/kprobes.h F: kernel/kprobes.c +KRSI SECURITY MODULE +M: KP Singh <kpsingh@chromium.org> +S: Supported +F: security/krsi/ + KS0108 LCD CONTROLLER DRIVER M: Miguel Ojeda Sandonis <miguel.ojeda.sandonis@gmail.com> S: Maintained diff --git a/security/Kconfig b/security/Kconfig index 0d65594b5196..febf7953803f 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -236,6 +236,7 @@ source "security/tomoyo/Kconfig" source "security/apparmor/Kconfig" source "security/loadpin/Kconfig" source "security/yama/Kconfig" +source "security/krsi/Kconfig" source "security/safesetid/Kconfig" source "security/integrity/Kconfig" diff --git a/security/Makefile b/security/Makefile index c598b904938f..25779ce89bf2 100644 --- a/security/Makefile +++ b/security/Makefile @@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama +subdir-$(CONFIG_SECURITY_KRSI) += krsi subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid @@ -25,6 +26,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ +obj-$(CONFIG_SECURITY_KRSI) += krsi/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o diff --git a/security/krsi/Kconfig b/security/krsi/Kconfig new file mode 100644 index 000000000000..bf5eab4355af --- /dev/null +++ b/security/krsi/Kconfig 
@@ -0,0 +1,22 @@ +config SECURITY_KRSI + bool "Runtime Security Instrumentation (BPF-based MAC and audit policy)" + depends on SECURITY + depends on SECURITYFS + depends on BPF + depends on BPF_SYSCALL + help + This selects the Kernel Runtime Security Instrumentation + LSM which allows dynamic instrumentation of the security hooks with + eBPF programs. The LSM creates per-hook files in securityfs to which + eBPF programs can be attached. + + If you are unsure how to answer this question, answer N. + +config SECURITY_KRSI_ENFORCE + bool "Deny operations based on the evaluation of the attached programs" + depends on SECURITY_KRSI + help + eBPF programs attached to hooks can be used for both auditing and + enforcement. Enabling enforcement implies that the evaluation result + from the attached eBPF programs will allow and deny the operation + guarded by the security hook. diff --git a/security/krsi/Makefile b/security/krsi/Makefile new file mode 100644 index 000000000000..73320e8d16f8 --- /dev/null +++ b/security/krsi/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_SECURITY_KRSI) := krsi.o diff --git a/security/krsi/krsi.c b/security/krsi/krsi.c new file mode 100644 index 000000000000..9ce4f56fb78d --- /dev/null +++ b/security/krsi/krsi.c @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/lsm_hooks.h> + +static int krsi_process_execution(struct linux_binprm *bprm) +{ + return 0; +} + +static struct security_hook_list krsi_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(bprm_check_security, krsi_process_execution), +}; + +static int __init krsi_init(void) +{ + security_add_hooks(krsi_hooks, ARRAY_SIZE(krsi_hooks), "krsi"); + pr_info("eBPF and LSM are friends now.\n"); + return 0; +} + +DEFINE_LSM(krsi) = { + .name = "krsi", + .init = krsi_init, +}; -- 2.20.1
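Review bot: in the MAINTAINERS hunk the new entry lists `M: KP Singh <kpsingh@chromium.org>` while the in-body From line and the Signed-off-by use kpsingh@google.com; pick one address so the maintainer record matches the authorship record. Since this series is already posted to linux-security-module and bpf, the entry should also carry `L: linux-security-module@vger.kernel.org` and `L: bpf@vger.kernel.org` so that bug reports for security/krsi/ reach the lists that review it.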
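Review bot: in the security/krsi/Kconfig hunk, SECURITY_KRSI_ENFORCE is introduced but nothing in this patch reads it (krsi_process_execution returns 0 unconditionally), so its help text is the only specification of the option and it should state the behaviour when the option is off, namely that program verdicts are collected for audit but never deny the operation. The sentence `from the attached eBPF programs will allow and deny the operation` should read `will allow or deny the operation`. It is also worth saying in the commit message whether enforcement is meant to stay a build-time switch, because a kernel built with it off cannot be turned into an enforcing one without a rebuild.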
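Review bot: in the security/krsi/krsi.c hunk, `pr_info("eBPF and LSM are friends now.\n");` is a boot-time log line every user of this config will see and grep for; replace it with a plain status message such as `pr_info("KRSI LSM initialized\n");` and add `#define pr_fmt(fmt) "krsi: " fmt` above the includes so the line carries the module prefix the way other LSMs' messages do. The bprm_check_security hook returning 0 unconditionally is fine for a skeleton, but the commit message should say explicitly that the hook is a placeholder to be wired to eBPF programs by later patches in the series, since a reader of this patch alone cannot tell that from the code.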