From: Andrii Nakryiko
Date: Mon, 23 Mar 2020 12:59:52 -0700
Subject: Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs
In-Reply-To: <20200323164415.12943-4-kpsingh@chromium.org>
To: KP Singh
Cc: open list, bpf, linux-security-module@vger.kernel.org, Brendan Jackman, Florent Revest, Alexei Starovoitov, Daniel Borkmann, James Morris, Kees Cook, Paul Turner, Jann Horn, Florent Revest, Brendan Jackman, Greg Kroah-Hartman

On Mon, Mar 23, 2020 at 9:45 AM KP Singh wrote: > > From: KP Singh > > When CONFIG_BPF_LSM is enabled, nops functions, bpf_lsm_, are > generated for each LSM hook. These nops are initialized as LSM hooks in > a subsequent patch. > > Signed-off-by: KP Singh > Reviewed-by: Brendan Jackman > Reviewed-by: Florent Revest > --- > include/linux/bpf_lsm.h | 21 +++++++++++++++++++++ > kernel/bpf/bpf_lsm.c | 19 +++++++++++++++++++ > 2 files changed, 40 insertions(+) > create mode 100644 include/linux/bpf_lsm.h > > diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h > new file mode 100644 > index 000000000000..c6423a140220 > --- /dev/null > +++ b/include/linux/bpf_lsm.h 
> @@ -0,0 +1,21 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > + > +/* > + * Copyright (C) 2020 Google LLC. > + */ > + > +#ifndef _LINUX_BPF_LSM_H > +#define _LINUX_BPF_LSM_H > + > +#include > +#include > + > +#ifdef CONFIG_BPF_LSM > + > +#define LSM_HOOK(RET, NAME, ...) RET bpf_lsm_##NAME(__VA_ARGS__); > +#include > +#undef LSM_HOOK > + > +#endif /* CONFIG_BPF_LSM */ > + > +#endif /* _LINUX_BPF_LSM_H */ > diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c > index 82875039ca90..530d137f7a84 100644 > --- a/kernel/bpf/bpf_lsm.c > +++ b/kernel/bpf/bpf_lsm.c > @@ -7,6 +7,25 @@ > #include > #include > #include > +#include > +#include > + > +/* For every LSM hook that allows attachment of BPF programs, declare a NOP > + * function where a BPF program can be attached as an fexit trampoline. > + */ > +#define LSM_HOOK(RET, NAME, ...) LSM_HOOK_##RET(NAME, __VA_ARGS__) > + > +#define LSM_HOOK_int(NAME, ...) \ > +noinline __weak int bpf_lsm_##NAME(__VA_ARGS__) \ > +{ \ > + return 0; \ > +} > + > +#define LSM_HOOK_void(NAME, ...) \ > +noinline __weak void bpf_lsm_##NAME(__VA_ARGS__) {} > + Could unify with: #define LSM_HOOK(RET, NAME, ...) noinline __weak RET bpf_lsm_##NAME(__VA_ARGS__) { return (RET)0; } then you don't need LSM_HOOK_int and LSM_HOOK_void. > +#include > +#undef LSM_HOOK > > const struct bpf_prog_ops lsm_prog_ops = { > }; > -- > 2.20.1 >
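
Review bot: in the new include/linux/bpf_lsm.h, the `#define LSM_HOOK(RET, NAME, ...) RET bpf_lsm_##NAME(__VA_ARGS__);` / `#undef LSM_HOOK` pair carries no comment, and the `#ifdef CONFIG_BPF_LSM` block has no `#else` branch. A reader has to work out from the .c file that this expands to one `bpf_lsm_<NAME>` prototype per hook, and any code that references these symbols must itself be compiled only under CONFIG_BPF_LSM. A short comment above the define saying what the expansion produces, matching the comment the .c hunk already has, would make that explicit. The unconditional `#undef LSM_HOOK` also drops any definition of `LSM_HOOK` the including file made earlier, which is worth stating in the same comment.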
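
Review bot: in kernel/bpf/bpf_lsm.c, `#define LSM_HOOK(RET, NAME, ...) LSM_HOOK_##RET(NAME, __VA_ARGS__)` selects the stub body by token-pasting the return type, so it only works when RET is spelled exactly `int` or `void`; any hook declared with another return type or a typedef would expand to an undefined `LSM_HOOK_<type>` and fail to build with an error that does not point at the cause. The comment above the define should state that restriction. Since the `int` stub's `return 0;` is what every attachment point yields when no program is attached, the comment could also say that 0 is the intended default result for those hooks.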