Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp913134ybl;
        Thu, 23 Jan 2020 10:02:20 -0800 (PST)
X-Google-Smtp-Source: APXvYqx3q6wga4xf++KFUysi2zvyR6g7XvuRV9YerY+dPUuOrG917jvgFihA6P9fBWCSMoHEUQ1L
X-Received: by 2002:a05:6830:1586:: with SMTP id i6mr11691297otr.221.1579802540182;
        Thu, 23 Jan 2020 10:02:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1579802540; cv=none;
        d=google.com; s=arc-20160816;
        b=M+d4+ngNLagA+MDOY9cJdOfEm36vbf8RweyFoPEKz6so6ESWjlU51zUSSjfvrQvPsh
         cDFKPw/O9j2qT7ju5La+ZKZ+EuQMHjj32kPiIQwodS/YkdEqe5J4D6Hcq4W84iOuUxdD
         s+gcawsWKIv8AVG/8qxYxQU+24oRzrJStw2OKiZDEdI5EPqCEm2dkseydllcMmXlio+y
         1CkwtEpfVO6shaLpuXWvJzxUswKwf/zf8TSTYGahg1rZvmb8ULwCwmLhWTCV1FPXWNUM
         W6Ec8AlFqqWG9SIN5zZ0bDMk7iSfiz7aSc8yw1uqdTXGM6s8YYJQqYVU1ncrsfcRX0at
         48rQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=TjajhBuUHgmsUmSOzJHuUV6Zb4Qt2oP329J3QSODkhs=;
        b=seYth0j4oYKbw2LWsWQlH6TKA/Unu6swf5izYuykyEivmCTncfzcQ/qU2GrHfxB/Uj
         RZKMAX1QLFVvrFiKk9bjT8ms0A/LmkHepKCaARDGm2424fpugXLWkD8qhkKdmRIbCIxy
         3B3aJoGzyfW3lEamDmnkjlRrMHYoqxAAEno2wrYO3YzvVg4z4dmqkUBR1z640Cmb87Q1
         DuiBe6+dlzvNgV3QTpRodMhi0agm1c+z2eRGijvoEilR1wM8vZu1AqdKpimzYIyCM5v+
         Kk7IR2447yM4/nhutkv3TGgZreycerrEBnc+Fnr61eRroPsO0Nxtr2ci0ff5g3ZXnjAD
         fvYQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=AyFF7cdv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b137si1130822oii.63.2020.01.23.10.02.01;
        Thu, 23 Jan 2020 10:02:20 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=AyFF7cdv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729045AbgAWSAw (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Thu, 23 Jan 2020 13:00:52 -0500
Received: from mail-qk1-f193.google.com ([209.85.222.193]:44406 "EHLO
        mail-qk1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727278AbgAWSAw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 23 Jan 2020 13:00:52 -0500
Received: by mail-qk1-f193.google.com with SMTP id v195so4280050qkb.11;
        Thu, 23 Jan 2020 10:00:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=TjajhBuUHgmsUmSOzJHuUV6Zb4Qt2oP329J3QSODkhs=;
        b=AyFF7cdv99soMyTaRXnu+Z5Db/pAg2xMOJRoJ+y/wzJosfTzilFHht/1w6KWm055qT
         LBDkFuCMDYC5+zm3ixghCDggrQogGF5D1O4YMLpHNH1/h39nA2v25cPesevzGFwqqnKv
         bu1SA7hpordVgK/c/xYIr6DQ21oebGyBqQBqnCZ+xr+H/AZHtg4KKiAzgubIUFGESl8f
         Ok6IGfoTFV+0jwTm5NKJrYb3APGEha2ctps9d0CiEB7dJbXK5Rl4/qwaN/KfuJJesAHO
         +JDmLXLHFCjA4FCFh0FIltvtPgsPP+VUoPzXd84hQk6nK1ksXlGOSbXSMu5Kxio5Mi2O
         fpTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=TjajhBuUHgmsUmSOzJHuUV6Zb4Qt2oP329J3QSODkhs=;
        b=Ll/aIywT5t01dipImFSrdSepHlQblt8UvsVRta68PBKp5Z8VWVznkmP4wkcKXOkRI4
         zrRN9J+cPJgCCM+EBOnIDthgduCCYrWHh+HEclVWpsSwxYl7sV3UrerH0HaasZqJBpaD
         3U/fL4MrfknhogC5jEoUdmCJkEvtmUl7vpgKyUkFY+hK4R+3Yy15/A50Lul4eSgpMYok
         qBn5Q/lXEFVNLNWQFsx1HK+dtZ9ny4e6BZgqcg2xNwPk5rsSVO36nwwuB0q4eCOdqY95
         Mno+EpUxtD8sgbVPh4nntubWSQ5SBRkTNNhdSpU1TYjqy5LDIglxSfUbHoLE/fSc2NAr
         FAwA==
X-Gm-Message-State: APjAAAV2g6Mym+8c08WdDCDPoyoFxgPW0LpbqsqEKTvElojIyU9Znd/v
        +t+UTau6bPN/sFRekw9VqMaDwNGywKYHMRF5mbY=
X-Received: by 2002:a37:a685:: with SMTP id p127mr18070215qke.449.1579802450607;
 Thu, 23 Jan 2020 10:00:50 -0800 (PST)
MIME-Version: 1.0
References: <20200123152440.28956-1-kpsingh@chromium.org> <20200123152440.28956-9-kpsingh@chromium.org>
In-Reply-To: <20200123152440.28956-9-kpsingh@chromium.org>
From:   Andrii Nakryiko <andrii.nakryiko@gmail.com>
Date:   Thu, 23 Jan 2020 10:00:39 -0800
Message-ID: <CAEf4BzZ7gmCTzxw4f=fp=j2_buBQ3rV8m3qWH8s-ySY6sGVPzw@mail.gmail.com>
Subject: Re: [PATCH bpf-next v3 08/10] tools/libbpf: Add support for BPF_PROG_TYPE_LSM
To:     KP Singh <kpsingh@chromium.org>
Cc:     open list <linux-kernel@vger.kernel.org>,
        bpf <bpf@vger.kernel.org>, linux-security-module@vger.kernel.org,
        Brendan Jackman <jackmanb@google.com>,
        Florent Revest <revest@google.com>,
        Thomas Garnier <thgarnie@google.com>,
        Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        James Morris <jmorris@namei.org>,
        Kees Cook <keescook@chromium.org>,
        Thomas Garnier <thgarnie@chromium.org>,
        Michael Halcrow <mhalcrow@google.com>,
        Paul Turner <pjt@google.com>,
        Brendan Gregg <brendan.d.gregg@gmail.com>,
        Jann Horn <jannh@google.com>,
        Matthew Garrett <mjg59@google.com>,
        Christian Brauner <christian@brauner.io>,
        =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= <mic@digikod.net>,
        Florent Revest <revest@chromium.org>,
        Brendan Jackman <jackmanb@chromium.org>,
        Martin KaFai Lau <kafai@fb.com>,
        Song Liu <songliubraving@fb.com>, Yonghong Song <yhs@fb.com>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        Mauro Carvalho Chehab <mchehab+samsung@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Nicolas Ferre <nicolas.ferre@microchip.com>,
        Stanislav Fomichev <sdf@google.com>,
        Quentin Monnet <quentin.monnet@netronome.com>,
        Andrey Ignatov <rdna@fb.com>, Joe Stringer <joe@wand.net.nz>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 23, 2020 at 7:25 AM KP Singh <kpsingh@chromium.org> wrote:
>
> From: KP Singh <kpsingh@google.com>
>
> * Add functionality in libbpf to attach eBPF program to LSM hooks
> * Lookup the index of the LSM hook in security_hook_heads and pass it in
>   attr->lsm_hook_idx
>
> Signed-off-by: KP Singh <kpsingh@google.com>
> Reviewed-by: Brendan Jackman <jackmanb@google.com>
> Reviewed-by: Florent Revest <revest@google.com>
> Reviewed-by: Thomas Garnier <thgarnie@google.com>
> ---

Looks good, but see few nits below.

Acked-by: Andrii Nakryiko <andriin@fb.com>

>  tools/lib/bpf/bpf.c      |   6 ++-
>  tools/lib/bpf/bpf.h      |   1 +
>  tools/lib/bpf/libbpf.c   | 104 +++++++++++++++++++++++++++++++++++++--
>  tools/lib/bpf/libbpf.h   |   4 ++
>  tools/lib/bpf/libbpf.map |   3 ++
>  5 files changed, 114 insertions(+), 4 deletions(-)
>

[...]

> @@ -5084,6 +5099,8 @@ __bpf_object__open(const char *path, const void *obj_buf, size_t obj_buf_sz,
>                 if (prog->type != BPF_PROG_TYPE_UNSPEC)
>                         continue;
>
> +
> +

why these extra lines?

>                 err = libbpf_prog_type_by_name(prog->section_name, &prog_type,
>                                                &attach_type);
>                 if (err == -ESRCH)
> @@ -6160,6 +6177,7 @@ bool bpf_program__is_##NAME(const struct bpf_program *prog)       \
>  }                                                              \
>
>  BPF_PROG_TYPE_FNS(socket_filter, BPF_PROG_TYPE_SOCKET_FILTER);
> +BPF_PROG_TYPE_FNS(lsm, BPF_PROG_TYPE_LSM);
>  BPF_PROG_TYPE_FNS(kprobe, BPF_PROG_TYPE_KPROBE);
>  BPF_PROG_TYPE_FNS(sched_cls, BPF_PROG_TYPE_SCHED_CLS);
>  BPF_PROG_TYPE_FNS(sched_act, BPF_PROG_TYPE_SCHED_ACT);
> @@ -6226,6 +6244,8 @@ static struct bpf_link *attach_raw_tp(const struct bpf_sec_def *sec,
>                                       struct bpf_program *prog);
>  static struct bpf_link *attach_trace(const struct bpf_sec_def *sec,
>                                      struct bpf_program *prog);
> +static struct bpf_link *attach_lsm(const struct bpf_sec_def *sec,
> +                                  struct bpf_program *prog);
>
>  struct bpf_sec_def {
>         const char *sec;
> @@ -6272,6 +6292,9 @@ static const struct bpf_sec_def section_defs[] = {
>         SEC_DEF("freplace/", EXT,
>                 .is_attach_btf = true,
>                 .attach_fn = attach_trace),
> +       SEC_DEF("lsm/", LSM,
> +               .expected_attach_type = BPF_LSM_MAC,

curious, will there be non-MAC LSM programs? if yes, how they are
going to be different and which prefix will we use then?

> +               .attach_fn = attach_lsm),
>         BPF_PROG_SEC("xdp",                     BPF_PROG_TYPE_XDP),
>         BPF_PROG_SEC("perf_event",              BPF_PROG_TYPE_PERF_EVENT),
>         BPF_PROG_SEC("lwt_in",                  BPF_PROG_TYPE_LWT_IN),
> @@ -6533,6 +6556,44 @@ static int bpf_object__collect_struct_ops_map_reloc(struct bpf_object *obj,
>         return -EINVAL;
>  }
>
> +static __s32 find_lsm_hook_idx(struct bpf_program *prog)

nit: I'd stick to int for return result, we barely ever use __s32 in libbpf.c

[...]