26 Aug, 2020

1 commit

  • Similar to bpf_local_storage for sockets, add local storage for inodes.
    The life-cycle of storage is managed with the life-cycle of the inode.
    i.e. the storage is destroyed along with the owning inode.

    The BPF LSM allocates an __rcu pointer to the bpf_local_storage in the
    security blob which are now stackable and can co-exist with other LSMs.

    Signed-off-by: KP Singh
    Signed-off-by: Alexei Starovoitov
    Link: https://lore.kernel.org/bpf/20200825182919.1118197-6-kpsingh@chromium.org

    KP Singh
     

30 Mar, 2020

2 commits

  • JITed BPF programs are dynamically attached to the LSM hooks
    using BPF trampolines. The trampoline prologue generates code to handle
    conversion of the signature of the hook to the appropriate BPF context.

    The allocated trampoline programs are attached to the nop functions
    initialized as LSM hooks.

    BPF_PROG_TYPE_LSM programs must have a GPL compatible license and
    need CAP_SYS_ADMIN (required for loading eBPF programs).

    Upon attachment:

    * A BPF fexit trampoline is used for LSM hooks with a void return type.
    * A BPF fmod_ret trampoline is used for LSM hooks which return an
      int. The attached programs can override the return value of the
      bpf LSM hook to indicate a MAC Policy decision.

    Signed-off-by: KP Singh
    Signed-off-by: Daniel Borkmann
    Reviewed-by: Brendan Jackman
    Reviewed-by: Florent Revest
    Acked-by: Andrii Nakryiko
    Acked-by: James Morris
    Link: https://lore.kernel.org/bpf/20200329004356.27286-5-kpsingh@chromium.org

    KP Singh
     
  • When CONFIG_BPF_LSM is enabled, nop functions, bpf_lsm_, are
    generated for each LSM hook. These functions are initialized as LSM
    hooks in a subsequent patch.

    Signed-off-by: KP Singh
    Signed-off-by: Daniel Borkmann
    Reviewed-by: Brendan Jackman
    Reviewed-by: Florent Revest
    Reviewed-by: Kees Cook
    Acked-by: Yonghong Song
    Acked-by: James Morris
    Link: https://lore.kernel.org/bpf/20200329004356.27286-4-kpsingh@chromium.org

    KP Singh