Networking LSM hooks are conditionally enabled and when building the new
sleepable BPF LSM hooks with the networking LSM hooks disabled, the
following build error occurs:

BTFIDS vmlinux
FAILED unresolved symbol bpf_lsm_socket_socketpair

To fix the error, conditionally add the networking LSM hooks to the
sleepable set.

Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
Signed-off-by: Mikko Ylinen <[email protected]>
---
kernel/bpf/bpf_lsm.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 70e5e0b6d69d..5041dd35f2a6 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -149,7 +149,11 @@ BTF_ID(func, bpf_lsm_file_ioctl)
BTF_ID(func, bpf_lsm_file_lock)
BTF_ID(func, bpf_lsm_file_open)
BTF_ID(func, bpf_lsm_file_receive)
+
+#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_inet_conn_established)
+#endif /* CONFIG_SECURITY_NETWORK */
+
BTF_ID(func, bpf_lsm_inode_create)
BTF_ID(func, bpf_lsm_inode_free_security)
BTF_ID(func, bpf_lsm_inode_getattr)
@@ -181,6 +185,8 @@ BTF_ID(func, bpf_lsm_sb_show_options)
BTF_ID(func, bpf_lsm_sb_statfs)
BTF_ID(func, bpf_lsm_sb_umount)
BTF_ID(func, bpf_lsm_settime)
+
+#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_socket_accept)
BTF_ID(func, bpf_lsm_socket_bind)
BTF_ID(func, bpf_lsm_socket_connect)
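Review bot: the `#ifdef CONFIG_SECURITY_NETWORK` opened above bpf_lsm_socket_accept is only closed in the next hunk, after bpf_lsm_socket_socketpair, so it also covers the entries between the two hunks that the diff context does not show. Please confirm that every BTF_ID in that range is a hook that exists only with CONFIG_SECURITY_NETWORK; an unconditional hook caught inside the range would silently drop out of the sleepable set on kernels built without the networking LSM hooks.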
@@ -195,6 +201,8 @@ BTF_ID(func, bpf_lsm_socket_recvmsg)
BTF_ID(func, bpf_lsm_socket_sendmsg)
BTF_ID(func, bpf_lsm_socket_shutdown)
BTF_ID(func, bpf_lsm_socket_socketpair)
+#endif /* CONFIG_SECURITY_NETWORK */
+
BTF_ID(func, bpf_lsm_syslog)
BTF_ID(func, bpf_lsm_task_alloc)
BTF_ID(func, bpf_lsm_task_getsecid)
--
2.17.1
On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen
<[email protected]> wrote:
>
> Networking LSM hooks are conditionally enabled and when building the new
> sleepable BPF LSM hooks with the networking LSM hooks disabled, the
> following build error occurs:
>
> BTFIDS vmlinux
> FAILED unresolved symbol bpf_lsm_socket_socketpair
>
> To fix the error, conditionally add the networking LSM hooks to the
> sleepable set.
>
> Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
> Signed-off-by: Mikko Ylinen <[email protected]>
Thanks!
Acked-by: KP Singh <[email protected]>
On Fri, Jan 22, 2021 at 11:33 PM KP Singh <[email protected]> wrote:
>
> On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen
> <[email protected]> wrote:
> >
> > Networking LSM hooks are conditionally enabled and when building the new
> > sleepable BPF LSM hooks with the networking LSM hooks disabled, the
> > following build error occurs:
> >
> > BTFIDS vmlinux
> > FAILED unresolved symbol bpf_lsm_socket_socketpair
> >
> > To fix the error, conditionally add the networking LSM hooks to the
> > sleepable set.
> >
> > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
> > Signed-off-by: Mikko Ylinen <[email protected]>
>
> Thanks!
>
> Acked-by: KP Singh <[email protected]>
Btw, I was noticing that there's another hook that is surrounded by ifdefs:
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 70e5e0b6d69d..f7f7754e938d 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -166,7 +166,11 @@ BTF_ID(func, bpf_lsm_inode_symlink)
BTF_ID(func, bpf_lsm_inode_unlink)
BTF_ID(func, bpf_lsm_kernel_module_request)
BTF_ID(func, bpf_lsm_kernfs_init_security)
+
+#ifdef CONFIG_KEYS
BTF_ID(func, bpf_lsm_key_free)
+#endif
+
BTF_ID(func, bpf_lsm_mmap_file)
BTF_ID(func, bpf_lsm_netlink_send)
BTF_ID(func, bpf_lsm_path_notify)
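Review bot: the `#endif` after bpf_lsm_key_free has no trailing comment, while the patch this replies to closes its guards with `#endif /* CONFIG_SECURITY_NETWORK */`. Use `#endif /* CONFIG_KEYS */` here so all guards in the set read the same way.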
It would be great if you can also add this to your patch :)
I guess the cleanest solution to never let this happen would be to
incorporate this in lsm_hook_defs.h and mark hooks as SLEEPABLE and
NON_SLEEPABLE with an extra parameter to the LSM_HOOK macro and then only
generate the BTF IDs based on this macro parameter.
On Sat, Jan 23, 2021 at 12:50:21AM +0100, KP Singh wrote:
> On Fri, Jan 22, 2021 at 11:33 PM KP Singh <[email protected]> wrote:
> >
> > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen
> > <[email protected]> wrote:
> > >
> > > Networking LSM hooks are conditionally enabled and when building the new
> > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the
> > > following build error occurs:
> > >
> > > BTFIDS vmlinux
> > > FAILED unresolved symbol bpf_lsm_socket_socketpair
> > >
> > > To fix the error, conditionally add the networking LSM hooks to the
> > > sleepable set.
> > >
> > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
> > > Signed-off-by: Mikko Ylinen <[email protected]>
> >
> > Thanks!
> >
> > Acked-by: KP Singh <[email protected]>
>
> Btw, I was noticing that there's another hook that is surrounded by ifdefs:
>
> diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
> index 70e5e0b6d69d..f7f7754e938d 100644
> --- a/kernel/bpf/bpf_lsm.c
> +++ b/kernel/bpf/bpf_lsm.c
> @@ -166,7 +166,11 @@ BTF_ID(func, bpf_lsm_inode_symlink)
> BTF_ID(func, bpf_lsm_inode_unlink)
> BTF_ID(func, bpf_lsm_kernel_module_request)
> BTF_ID(func, bpf_lsm_kernfs_init_security)
> +
> +#ifdef CONFIG_KEYS
> BTF_ID(func, bpf_lsm_key_free)
> +#endif
> +
> BTF_ID(func, bpf_lsm_mmap_file)
> BTF_ID(func, bpf_lsm_netlink_send)
> BTF_ID(func, bpf_lsm_path_notify)
>
> It would be great if you can also add this to your patch :)
Thanks for noticing! I cross-checked the sleepable set but somehow
missed this. Just posted v2.
> I guess the cleanest solution to never let this happen would be to
> incorporate this in
> lsm_hook_defs.h and mark hooks as SLEEPABLE and NON_SLEEPABLE with an
> extra parameter to the LSM_HOOK macro and then only generate the BTF IDs
> based on this macro parameter.
Agree, a way to get the set automatically created makes sense. But the
extra parameter to LSM_HOOK macro would be BPF specific, right?
-- Regards, Mikko
On Mon, Jan 25, 2021 at 7:55 AM Mikko Ylinen
<[email protected]> wrote:
>
> On Sat, Jan 23, 2021 at 12:50:21AM +0100, KP Singh wrote:
> > On Fri, Jan 22, 2021 at 11:33 PM KP Singh <[email protected]> wrote:
> > >
> > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen
> > > <[email protected]> wrote:
> > > >
> > > > Networking LSM hooks are conditionally enabled and when building the new
> > > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the
> > > > following build error occurs:
> > > >
> > > > BTFIDS vmlinux
> > > > FAILED unresolved symbol bpf_lsm_socket_socketpair
> > > >
[...]
>
> Agree, a way to get the set automatically created makes sense. But the
> extra parameter to LSM_HOOK macro would be BPF specific, right?
>
The information about whether the hook "must not sleep" has been
mentioned sporadically in comments and
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hooks.h#n920
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hooks.h#n594
I think it would be generally useful for the framework to actually provide this
in the definition in the hook and then ensure (by calling might_sleep() for hooks
that can sleep).
- KP
> -- Regards, Mikko
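The idea raised in this thread, a SLEEPABLE/NON_SLEEPABLE parameter on each hook definition from which the sleepable set is generated, sketched as an added user-space C example; it is not kernel code and not from the patch authors. The macro layout, `example_atomic_hook`, and the choice of which config option is defined are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for Kconfig: networking hooks on, CONFIG_KEYS left off. */
#define CONFIG_SECURITY_NETWORK 1
#define SLEEPABLE     1
#define NON_SLEEPABLE 0

/* Config-dependent hook groups expand to nothing when their option is off. */
#ifdef CONFIG_SECURITY_NETWORK
#define NET_HOOKS(H) H(socket_bind, SLEEPABLE) H(socket_socketpair, SLEEPABLE)
#else
#define NET_HOOKS(H)
#endif
#ifdef CONFIG_KEYS
#define KEY_HOOKS(H) H(key_free, SLEEPABLE)
#else
#define KEY_HOOKS(H)
#endif

/* Hypothetical single hook table; example_atomic_hook is an invented name. */
#define HOOK_DEFS(H) \
	H(file_open, SLEEPABLE) \
	H(example_atomic_hook, NON_SLEEPABLE) \
	NET_HOOKS(H) KEY_HOOKS(H)

/* Emit a set entry only for hooks flagged SLEEPABLE; the extra level of
 * indirection expands the flag to 1 or 0 before it is pasted. */
#define EMIT_1(name) "bpf_lsm_" #name,
#define EMIT_0(name)
#define EMIT_I(name, flag) EMIT_##flag(name)
#define EMIT(name, flag) EMIT_I(name, flag)
static const char *const sleepable_hooks[] = { HOOK_DEFS(EMIT) NULL };

/* Returns 1 if the named hook was generated into the sleepable set. */
static int hook_is_sleepable(const char *name)
{
	for (size_t i = 0; sleepable_hooks[i] != NULL; i++)
		if (strcmp(sleepable_hooks[i], name) == 0)
			return 1;
	return 0;
}

int main(void)
{
	for (size_t i = 0; sleepable_hooks[i] != NULL; i++)
		puts(sleepable_hooks[i]);
	return 0;
}
```

Because the set is generated from the same table that declares the hooks, a hook compiled out by its config option cannot appear in the set, which is the mismatch that produced the `unresolved symbol` failure.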
Some networking and keys LSM hooks are conditionally enabled
and when building the new sleepable BPF LSM hooks with those
LSM hooks disabled, the following build error occurs:

BTFIDS vmlinux
FAILED unresolved symbol bpf_lsm_socket_socketpair

To fix the error, conditionally add the relevant networking/keys
LSM hooks to the sleepable set.

Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
Signed-off-by: Mikko Ylinen <[email protected]>
---
kernel/bpf/bpf_lsm.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 70e5e0b6d69d..1622a44d1617 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -149,7 +149,11 @@ BTF_ID(func, bpf_lsm_file_ioctl)
BTF_ID(func, bpf_lsm_file_lock)
BTF_ID(func, bpf_lsm_file_open)
BTF_ID(func, bpf_lsm_file_receive)
+
+#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_inet_conn_established)
+#endif /* CONFIG_SECURITY_NETWORK */
+
BTF_ID(func, bpf_lsm_inode_create)
BTF_ID(func, bpf_lsm_inode_free_security)
BTF_ID(func, bpf_lsm_inode_getattr)
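Review bot: nothing next to the `#ifdef CONFIG_SECURITY_NETWORK` around bpf_lsm_inet_conn_established says that the guard has to mirror the option under which the hook itself is built, which is the rule whose violation produced the `unresolved symbol` failure quoted in the commit message. A short comment at the guard stating this would help the next person who adds a conditional hook to the list.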
@@ -166,7 +170,11 @@ BTF_ID(func, bpf_lsm_inode_symlink)
BTF_ID(func, bpf_lsm_inode_unlink)
BTF_ID(func, bpf_lsm_kernel_module_request)
BTF_ID(func, bpf_lsm_kernfs_init_security)
+
+#ifdef CONFIG_KEYS
BTF_ID(func, bpf_lsm_key_free)
+#endif /* CONFIG_KEYS */
+
BTF_ID(func, bpf_lsm_mmap_file)
BTF_ID(func, bpf_lsm_netlink_send)
BTF_ID(func, bpf_lsm_path_notify)
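Review bot: the `#ifdef CONFIG_KEYS` guard around bpf_lsm_key_free is what distinguishes this version from v1, yet there is no changelog below the `---` line saying so. A short v1 -> v2 note there (guard added for the keys hook, as requested in review) would let reviewers see what changed without comparing the two postings.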
@@ -181,6 +189,8 @@ BTF_ID(func, bpf_lsm_sb_show_options)
BTF_ID(func, bpf_lsm_sb_statfs)
BTF_ID(func, bpf_lsm_sb_umount)
BTF_ID(func, bpf_lsm_settime)
+
+#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_socket_accept)
BTF_ID(func, bpf_lsm_socket_bind)
BTF_ID(func, bpf_lsm_socket_connect)
@@ -195,6 +205,8 @@ BTF_ID(func, bpf_lsm_socket_recvmsg)
BTF_ID(func, bpf_lsm_socket_sendmsg)
BTF_ID(func, bpf_lsm_socket_shutdown)
BTF_ID(func, bpf_lsm_socket_socketpair)
+#endif /* CONFIG_SECURITY_NETWORK */
+
BTF_ID(func, bpf_lsm_syslog)
BTF_ID(func, bpf_lsm_task_alloc)
BTF_ID(func, bpf_lsm_task_getsecid)
--
2.17.1
Hello:
This patch was applied to bpf/bpf.git (refs/heads/master):
On Mon, 25 Jan 2021 08:39:36 +0200 you wrote:
> Some networking and keys LSM hooks are conditionally enabled
> and when building the new sleepable BPF LSM hooks with those
> LSM hooks disabled, the following build error occurs:
>
> BTFIDS vmlinux
> FAILED unresolved symbol bpf_lsm_socket_socketpair
>
> [...]
Here is the summary with links:
- [v2] bpf: Drop disabled LSM hooks from the sleepable set
https://git.kernel.org/bpf/bpf/c/78031381ae9c
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html