From: Andrii Nakryiko
Date: Thu, 26 Mar 2020 12:12:20 -0700
Subject: Re: [PATCH bpf-next v7 4/8] bpf: lsm: Implement attach, detach and execution
To: KP Singh
Cc: open list, bpf, linux-security-module@vger.kernel.org, Brendan Jackman, Florent Revest, Alexei Starovoitov, Daniel Borkmann, James Morris, Kees Cook, Paul Turner, Jann Horn, Florent Revest, Brendan Jackman, Greg Kroah-Hartman
References: <20200326142823.26277-1-kpsingh@chromium.org> <20200326142823.26277-5-kpsingh@chromium.org>
In-Reply-To: <20200326142823.26277-5-kpsingh@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 26, 2020 at 7:29 AM KP Singh wrote:
> From: KP Singh
>
> JITed BPF programs are dynamically attached to the LSM hooks
> using BPF trampolines. The trampoline prologue generates code to handle
> conversion of the signature of the hook to the appropriate BPF context.
>
> The allocated trampoline programs are attached to the nop functions
> initialized as LSM hooks.
>
> BPF_PROG_TYPE_LSM programs must have a GPL compatible license and
> need CAP_SYS_ADMIN (required for loading eBPF programs).
>
> Upon attachment:
>
> * A BPF fexit trampoline is used for LSM hooks with a void return type.
> * A BPF fmod_ret trampoline is used for LSM hooks which return an
>   int. The attached programs can override the return value of the
>   bpf LSM hook to indicate a MAC Policy decision.
>
> Signed-off-by: KP Singh
> Reviewed-by: Brendan Jackman
> Reviewed-by: Florent Revest
> ---

Acked-by: Andrii Nakryiko

> include/linux/bpf_lsm.h | 11 ++++++++
> kernel/bpf/bpf_lsm.c    | 28 ++++++++++++++++++++
> kernel/bpf/btf.c        |  9 ++++++-
> kernel/bpf/syscall.c    | 57 ++++++++++++++++++++++++++++-------------
> kernel/bpf/trampoline.c | 17 +++++++++---
> kernel/bpf/verifier.c   | 19 +++++++++++---
> 6 files changed, 114 insertions(+), 27 deletions(-)
>

[...]

> @@ -2479,6 +2496,10 @@ static int bpf_raw_tracepoint_open(const union bpf_attr *attr)
>  }
>  buf[sizeof(buf) - 1] = 0;
>  tp_name = buf;
> + break;
> + default:
> + err = -EINVAL;
> + goto out_put_prog;
>  }

is indentation off here or it's my email client?

[...]
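Review bot: in the bpf_raw_tracepoint_open hunk, the new `default:` arm that sets `err = -EINVAL` and jumps to `out_put_prog` is the right shape, since without it a program of an unexpected type would fall out of the switch and continue into the raw-tracepoint attach path with `tp_name` taken from the user buffer; the hunk's context does not show the `out_put_prog` label, so please confirm it drops the reference acquired on the program earlier in the function and that `err` is what is returned from there. The `+ break;` line is the only thing separating the existing case from the new arm, so the indentation question above is worth checking against the file rather than the mail rendering, as a misplaced label here would be easy to miss in review.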