git.baikalelectronics.ru Git - kernel.git/commit

author	KP Singh <kpsingh@google.com>
	Sun, 29 Mar 2020 00:43:52 +0000 (01:43 +0100)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Sun, 29 Mar 2020 23:34:00 +0000 (01:34 +0200)
commit	0054a673728863897ccfffcc0602d50fc06ed49b
tree	5c98d39252c414dd308b372c07c0bd6bec4944ac	tree \| snapshot
parent	6de333f1151a3890fb957a3c462fb27168dc39c5	commit \| diff

bpf: lsm: Implement attach, detach and execution

JITed BPF programs are dynamically attached to the LSM hooks
using BPF trampolines. The trampoline prologue generates code to handle
conversion of the signature of the hook to the appropriate BPF context.

The allocated trampoline programs are attached to the nop functions
initialized as LSM hooks.

BPF_PROG_TYPE_LSM programs must have a GPL compatible license and
and need CAP_SYS_ADMIN (required for loading eBPF programs).

Upon attachment:

* A BPF fexit trampoline is used for LSM hooks with a void return type.
* A BPF fmod_ret trampoline is used for LSM hooks which return an
int. The attached programs can override the return value of the
bpf LSM hook to indicate a MAC Policy decision.

Signed-off-by: KP Singh <kpsingh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Brendan Jackman <jackmanb@google.com>
Reviewed-by: Florent Revest <revest@google.com>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Link: https://lore.kernel.org/bpf/20200329004356.27286-5-kpsingh@chromium.org

include/linux/bpf_lsm.h		diff \| blob \| history
kernel/bpf/bpf_lsm.c		diff \| blob \| history
kernel/bpf/btf.c		diff \| blob \| history
kernel/bpf/syscall.c		diff \| blob \| history
kernel/bpf/trampoline.c		diff \| blob \| history
kernel/bpf/verifier.c		diff \| blob \| history