Commit fc611f47 authored by KP Singh's avatar KP Singh Committed by Daniel Borkmann

bpf: Introduce BPF_PROG_TYPE_LSM

Introduce types and configs for bpf programs that can be attached to
LSM hooks. The programs can be enabled by the config option
CONFIG_BPF_LSM.
Signed-off-by: KP Singh <kpsingh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Brendan Jackman <jackmanb@google.com>
Reviewed-by: Florent Revest <revest@google.com>
Reviewed-by: Thomas Garnier <thgarnie@google.com>
Acked-by: Yonghong Song <yhs@fb.com>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Link: https://lore.kernel.org/bpf/20200329004356.27286-2-kpsingh@chromium.org
parent e5fb60ee
...@@ -3147,6 +3147,7 @@ R: Martin KaFai Lau <kafai@fb.com> ...@@ -3147,6 +3147,7 @@ R: Martin KaFai Lau <kafai@fb.com>
R: Song Liu <songliubraving@fb.com> R: Song Liu <songliubraving@fb.com>
R: Yonghong Song <yhs@fb.com> R: Yonghong Song <yhs@fb.com>
R: Andrii Nakryiko <andriin@fb.com> R: Andrii Nakryiko <andriin@fb.com>
R: KP Singh <kpsingh@chromium.org>
L: netdev@vger.kernel.org L: netdev@vger.kernel.org
L: bpf@vger.kernel.org L: bpf@vger.kernel.org
T: git git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git T: git git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git
...@@ -1515,6 +1515,9 @@ extern const struct bpf_func_proto bpf_tcp_sock_proto; ...@@ -1515,6 +1515,9 @@ extern const struct bpf_func_proto bpf_tcp_sock_proto;
extern const struct bpf_func_proto bpf_jiffies64_proto; extern const struct bpf_func_proto bpf_jiffies64_proto;
extern const struct bpf_func_proto bpf_get_ns_current_pid_tgid_proto; extern const struct bpf_func_proto bpf_get_ns_current_pid_tgid_proto;
const struct bpf_func_proto *bpf_tracing_func_proto(
enum bpf_func_id func_id, const struct bpf_prog *prog);
/* Shared helpers among cBPF and eBPF. */ /* Shared helpers among cBPF and eBPF. */
void bpf_user_rnd_init_once(void); void bpf_user_rnd_init_once(void);
u64 bpf_user_rnd_u32(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5); u64 bpf_user_rnd_u32(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5);
...@@ -70,6 +70,10 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_STRUCT_OPS, bpf_struct_ops, ...@@ -70,6 +70,10 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_STRUCT_OPS, bpf_struct_ops,
void *, void *) void *, void *)
BPF_PROG_TYPE(BPF_PROG_TYPE_EXT, bpf_extension, BPF_PROG_TYPE(BPF_PROG_TYPE_EXT, bpf_extension,
void *, void *) void *, void *)
#ifdef CONFIG_BPF_LSM
BPF_PROG_TYPE(BPF_PROG_TYPE_LSM, lsm,
void *, void *)
#endif /* CONFIG_BPF_LSM */
#endif #endif
BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops) BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops)
...@@ -181,6 +181,7 @@ enum bpf_prog_type { ...@@ -181,6 +181,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_TRACING, BPF_PROG_TYPE_TRACING,
BPF_PROG_TYPE_STRUCT_OPS, BPF_PROG_TYPE_STRUCT_OPS,
BPF_PROG_TYPE_EXT, BPF_PROG_TYPE_EXT,
BPF_PROG_TYPE_LSM,
}; };
enum bpf_attach_type { enum bpf_attach_type {
...@@ -211,6 +212,7 @@ enum bpf_attach_type { ...@@ -211,6 +212,7 @@ enum bpf_attach_type {
BPF_TRACE_FENTRY, BPF_TRACE_FENTRY,
BPF_TRACE_FEXIT, BPF_TRACE_FEXIT,
BPF_MODIFY_RETURN, BPF_MODIFY_RETURN,
BPF_LSM_MAC,
__MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
}; };
...@@ -1616,6 +1616,18 @@ config KALLSYMS_BASE_RELATIVE ...@@ -1616,6 +1616,18 @@ config KALLSYMS_BASE_RELATIVE
# end of the "standard kernel features (expert users)" menu # end of the "standard kernel features (expert users)" menu
# syscall, maps, verifier # syscall, maps, verifier
config BPF_LSM
bool "LSM Instrumentation with BPF"
depends on BPF_SYSCALL
depends on SECURITY
depends on BPF_JIT
help
Enables instrumentation of the security hooks with eBPF programs for
implementing dynamic MAC and Audit Policies.
If you are unsure how to answer this question, answer N.
config BPF_SYSCALL config BPF_SYSCALL
bool "Enable bpf() system call" bool "Enable bpf() system call"
select BPF select BPF
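Review bot: config BPF_LSM (lines 65-69) declares no dependency on BPF_EVENTS, yet the lsm_verifier_ops added in kernel/bpf/bpf_lsm.c resolve .get_func_proto to bpf_tracing_func_proto, which is defined in kernel/trace/bpf_trace.c and compiled only when CONFIG_BPF_EVENTS is set; a configuration with BPF_LSM=y and BPF_EVENTS=n would presumably fail to link. If such a line exists and was dropped by this rendering, ignore this; otherwise add `depends on BPF_EVENTS` next to the other depends lines. The depends on BPF_JIT here matches the Makefile placing bpf_lsm.o inside the ifeq ($(CONFIG_BPF_JIT),y) block, so that part is consistent.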
...@@ -29,4 +29,5 @@ obj-$(CONFIG_DEBUG_INFO_BTF) += sysfs_btf.o ...@@ -29,4 +29,5 @@ obj-$(CONFIG_DEBUG_INFO_BTF) += sysfs_btf.o
endif endif
ifeq ($(CONFIG_BPF_JIT),y) ifeq ($(CONFIG_BPF_JIT),y)
obj-$(CONFIG_BPF_SYSCALL) += bpf_struct_ops.o obj-$(CONFIG_BPF_SYSCALL) += bpf_struct_ops.o
obj-${CONFIG_BPF_LSM} += bpf_lsm.o
endif endif
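Review bot: Line 82 spells the variable as `${CONFIG_BPF_LSM}` while every other rule in this file, including line 81 directly above it, uses the `$(...)` form; both expand identically in GNU make, but the mixed spelling is inconsistent and defeats a grep for `$(CONFIG_BPF_LSM)`. Suggest `obj-$(CONFIG_BPF_LSM) += bpf_lsm.o`.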
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2020 Google LLC.
*/
#include <linux/filter.h>
#include <linux/bpf.h>
#include <linux/btf.h>
const struct bpf_prog_ops lsm_prog_ops = {
};
const struct bpf_verifier_ops lsm_verifier_ops = {
.get_func_proto = bpf_tracing_func_proto,
.is_valid_access = btf_ctx_access,
};
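Review bot: lsm_prog_ops (lines 91-92) is an empty initializer and lsm_verifier_ops (lines 93-96) reuses bpf_tracing_func_proto wholesale, but neither carries a comment, so a reader cannot tell whether the empty prog_ops is deliberate or why LSM programs inherit the full tracing helper table. Since every helper that table grants becomes callable from an LSM hook, stating the intent up front makes future additions to bpf_tracing_func_proto easier to review with LSM programs in mind. Suggested comments: above lsm_prog_ops, `/* LSM programs currently expose no prog_ops callbacks. */`; above lsm_verifier_ops, `/* Helper set is shared with tracing programs; context access is delegated to btf_ctx_access (BTF-based validation, same as tracing). */`, with the btf_ctx_access wording confirmed against that function before merging.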
...@@ -779,8 +779,8 @@ static const struct bpf_func_proto bpf_send_signal_thread_proto = { ...@@ -779,8 +779,8 @@ static const struct bpf_func_proto bpf_send_signal_thread_proto = {
.arg1_type = ARG_ANYTHING, .arg1_type = ARG_ANYTHING,
}; };
static const struct bpf_func_proto * const struct bpf_func_proto *
tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{ {
switch (func_id) { switch (func_id) {
case BPF_FUNC_map_lookup_elem: case BPF_FUNC_map_lookup_elem:
...@@ -865,7 +865,7 @@ kprobe_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) ...@@ -865,7 +865,7 @@ kprobe_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_override_return_proto; return &bpf_override_return_proto;
#endif #endif
default: default:
return tracing_func_proto(func_id, prog); return bpf_tracing_func_proto(func_id, prog);
} }
} }
...@@ -975,7 +975,7 @@ tp_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) ...@@ -975,7 +975,7 @@ tp_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_FUNC_get_stack: case BPF_FUNC_get_stack:
return &bpf_get_stack_proto_tp; return &bpf_get_stack_proto_tp;
default: default:
return tracing_func_proto(func_id, prog); return bpf_tracing_func_proto(func_id, prog);
} }
} }
...@@ -1082,7 +1082,7 @@ pe_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) ...@@ -1082,7 +1082,7 @@ pe_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_FUNC_read_branch_records: case BPF_FUNC_read_branch_records:
return &bpf_read_branch_records_proto; return &bpf_read_branch_records_proto;
default: default:
return tracing_func_proto(func_id, prog); return bpf_tracing_func_proto(func_id, prog);
} }
} }
...@@ -1210,7 +1210,7 @@ raw_tp_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) ...@@ -1210,7 +1210,7 @@ raw_tp_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_FUNC_get_stack: case BPF_FUNC_get_stack:
return &bpf_get_stack_proto_raw_tp; return &bpf_get_stack_proto_raw_tp;
default: default:
return tracing_func_proto(func_id, prog); return bpf_tracing_func_proto(func_id, prog);
} }
} }
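Review bot: Dropping `static` at line 100 turns tracing_func_proto into a cross-subsystem symbol consumed by kernel/bpf/bpf_lsm.c, yet the function gets no kernel-doc and its only other documentation is the bare prototype added to include/linux/bpf.h. Because every helper in this table is now also reachable from BPF_PROG_TYPE_LSM programs, a short comment above the definition would help reviewers of later additions: `/* Helpers common to all tracing program types; also the base helper set for BPF_PROG_TYPE_LSM (kernel/bpf/bpf_lsm.c), so additions here widen what LSM programs can call. */`. The body of bpf_tracing_func_proto continues beyond this hunk; the remaining hunks (lines 105-132) only update the callers to the new name.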
...@@ -181,6 +181,7 @@ enum bpf_prog_type { ...@@ -181,6 +181,7 @@ enum bpf_prog_type {
BPF_PROG_TYPE_TRACING, BPF_PROG_TYPE_TRACING,
BPF_PROG_TYPE_STRUCT_OPS, BPF_PROG_TYPE_STRUCT_OPS,
BPF_PROG_TYPE_EXT, BPF_PROG_TYPE_EXT,
BPF_PROG_TYPE_LSM,
}; };
enum bpf_attach_type { enum bpf_attach_type {
...@@ -211,6 +212,7 @@ enum bpf_attach_type { ...@@ -211,6 +212,7 @@ enum bpf_attach_type {
BPF_TRACE_FENTRY, BPF_TRACE_FENTRY,
BPF_TRACE_FEXIT, BPF_TRACE_FEXIT,
BPF_MODIFY_RETURN, BPF_MODIFY_RETURN,
BPF_LSM_MAC,
__MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
}; };
...@@ -108,6 +108,7 @@ probe_load(enum bpf_prog_type prog_type, const struct bpf_insn *insns, ...@@ -108,6 +108,7 @@ probe_load(enum bpf_prog_type prog_type, const struct bpf_insn *insns,
case BPF_PROG_TYPE_TRACING: case BPF_PROG_TYPE_TRACING:
case BPF_PROG_TYPE_STRUCT_OPS: case BPF_PROG_TYPE_STRUCT_OPS:
case BPF_PROG_TYPE_EXT: case BPF_PROG_TYPE_EXT:
case BPF_PROG_TYPE_LSM:
default: default:
break; break;
} }