| Message ID | 20210122123003.46125-1-mikko.ylinen@linux.intel.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | BPF |
| Headers | show |
| Series | bpf: Drop disabled LSM hooks from the sleepable set | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Not a local patch |
On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen <mikko.ylinen@linux.intel.com> wrote: > > Networking LSM hooks are conditionally enabled and when building the new > sleepable BPF LSM hooks with the networking LSM hooks disabled, the > following build error occurs: > > BTFIDS vmlinux > FAILED unresolved symbol bpf_lsm_socket_socketpair > > To fix the error, conditionally add the networking LSM hooks to the > sleepable set. > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") > Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com> Thanks! Acked-by: KP Singh <kpsingh@kernel.org>
On Fri, Jan 22, 2021 at 11:33 PM KP Singh <kpsingh@kernel.org> wrote: > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen > <mikko.ylinen@linux.intel.com> wrote: > > > > Networking LSM hooks are conditionally enabled and when building the new > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the > > following build error occurs: > > > > BTFIDS vmlinux > > FAILED unresolved symbol bpf_lsm_socket_socketpair > > > > To fix the error, conditionally add the networking LSM hooks to the > > sleepable set. > > > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") > > Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com> > > Thanks! > > Acked-by: KP Singh <kpsingh@kernel.org> Btw, I was noticing that there's another hook that is surrounded by ifdefs: diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 70e5e0b6d69d..f7f7754e938d 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -166,7 +166,11 @@ BTF_ID(func, bpf_lsm_inode_symlink) BTF_ID(func, bpf_lsm_inode_unlink) BTF_ID(func, bpf_lsm_kernel_module_request) BTF_ID(func, bpf_lsm_kernfs_init_security) + +#ifdef CONFIG_KEYS BTF_ID(func, bpf_lsm_key_free) +#endif + BTF_ID(func, bpf_lsm_mmap_file) BTF_ID(func, bpf_lsm_netlink_send) BTF_ID(func, bpf_lsm_path_notify) It would be great if you can also add this to your patch :) I guess the cleanest solution to never let this happen would be to incorporate this in lsm_hook_defs.h and mark hooks as SLEEPABLE and NON_SLEEPABLE with an extra parameter to the LSM_HOOK macro and then only generate the BTF IDs based on this macro parameter.
On Sat, Jan 23, 2021 at 12:50:21AM +0100, KP Singh wrote: > On Fri, Jan 22, 2021 at 11:33 PM KP Singh <kpsingh@kernel.org> wrote: > > > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen > > <mikko.ylinen@linux.intel.com> wrote: > > > > > > Networking LSM hooks are conditionally enabled and when building the new > > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the > > > following build error occurs: > > > > > > BTFIDS vmlinux > > > FAILED unresolved symbol bpf_lsm_socket_socketpair > > > > > > To fix the error, conditionally add the networking LSM hooks to the > > > sleepable set. > > > > > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") > > > Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com> > > > > Thanks! > > > > Acked-by: KP Singh <kpsingh@kernel.org> > > Btw, I was noticing that there's another hook that is surrounded by ifdefs: > > diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c > index 70e5e0b6d69d..f7f7754e938d 100644 > --- a/kernel/bpf/bpf_lsm.c > +++ b/kernel/bpf/bpf_lsm.c > @@ -166,7 +166,11 @@ BTF_ID(func, bpf_lsm_inode_symlink) > BTF_ID(func, bpf_lsm_inode_unlink) > BTF_ID(func, bpf_lsm_kernel_module_request) > BTF_ID(func, bpf_lsm_kernfs_init_security) > + > +#ifdef CONFIG_KEYS > BTF_ID(func, bpf_lsm_key_free) > +#endif > + > BTF_ID(func, bpf_lsm_mmap_file) > BTF_ID(func, bpf_lsm_netlink_send) > BTF_ID(func, bpf_lsm_path_notify) > > It would be great if you can also add this to your patch :) Thanks for noticing! I cross-checked the sleepable set but somehow missed this. Just posted v2. > I guess the cleanest solution to never let this happen would be to > incorporate this in > lsm_hook_defs.h and mark hooks as SLEEPABLE and NON_SLEEPABLE with an > extra parameter to the LSM_HOOK macro and then only generate the BTF IDs > based on this macro parameter. Agree, a way to get the set automatically created makes sense. But the extra parameter to LSM_HOOK macro would be BPF specific, right? -- Regards, Mikko
On Mon, Jan 25, 2021 at 7:55 AM Mikko Ylinen <mikko.ylinen@linux.intel.com> wrote: > > On Sat, Jan 23, 2021 at 12:50:21AM +0100, KP Singh wrote: > > On Fri, Jan 22, 2021 at 11:33 PM KP Singh <kpsingh@kernel.org> wrote: > > > > > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen > > > <mikko.ylinen@linux.intel.com> wrote: > > > > > > > > Networking LSM hooks are conditionally enabled and when building the new > > > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the > > > > following build error occurs: > > > > > > > > BTFIDS vmlinux > > > > FAILED unresolved symbol bpf_lsm_socket_socketpair > > > > [...] > > Agree, a way to get the set automatically created makes sense. But the > extra parameter to LSM_HOOK macro would be BPF specific, right? > The information about whether the hook "must not sleep" has been mentioned sporadically in comments and https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hooks.h#n920 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hooks.h#n594 I think it would be generally useful for the framework to actually provide this in the definition in the hook and then ensure (by calling might_sleep() for hooks that can sleep). - KP > -- Regards, Mikko
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 70e5e0b6d69d..5041dd35f2a6 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -149,7 +149,11 @@ BTF_ID(func, bpf_lsm_file_ioctl) BTF_ID(func, bpf_lsm_file_lock) BTF_ID(func, bpf_lsm_file_open) BTF_ID(func, bpf_lsm_file_receive) + +#ifdef CONFIG_SECURITY_NETWORK BTF_ID(func, bpf_lsm_inet_conn_established) +#endif /* CONFIG_SECURITY_NETWORK */ + BTF_ID(func, bpf_lsm_inode_create) BTF_ID(func, bpf_lsm_inode_free_security) BTF_ID(func, bpf_lsm_inode_getattr) @@ -181,6 +185,8 @@ BTF_ID(func, bpf_lsm_sb_show_options) BTF_ID(func, bpf_lsm_sb_statfs) BTF_ID(func, bpf_lsm_sb_umount) BTF_ID(func, bpf_lsm_settime) + +#ifdef CONFIG_SECURITY_NETWORK BTF_ID(func, bpf_lsm_socket_accept) BTF_ID(func, bpf_lsm_socket_bind) BTF_ID(func, bpf_lsm_socket_connect) @@ -195,6 +201,8 @@ BTF_ID(func, bpf_lsm_socket_recvmsg) BTF_ID(func, bpf_lsm_socket_sendmsg) BTF_ID(func, bpf_lsm_socket_shutdown) BTF_ID(func, bpf_lsm_socket_socketpair) +#endif /* CONFIG_SECURITY_NETWORK */ + BTF_ID(func, bpf_lsm_syslog) BTF_ID(func, bpf_lsm_task_alloc) BTF_ID(func, bpf_lsm_task_getsecid)
Networking LSM hooks are conditionally enabled and when building the new sleepable BPF LSM hooks with the networking LSM hooks disabled, the following build error occurs: BTFIDS vmlinux FAILED unresolved symbol bpf_lsm_socket_socketpair To fix the error, conditionally add the networking LSM hooks to the sleepable set. Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com> --- kernel/bpf/bpf_lsm.c | 8 ++++++++ 1 file changed, 8 insertions(+)