From patchwork Thu Aug 31 20:56:35 2017
X-Patchwork-Submitter: Chenbo Feng
X-Patchwork-Id: 9932889
From: Chenbo Feng
To: linux-security-module@vger.kernel.org
Cc: Jeffrey Vander Stoep, netdev@vger.kernel.org, SELinux, Alexei Starovoitov, lorenzo@google.com, Chenbo Feng
Subject: [PATCH 3/3] selinux: bpf: Implement the selinux checks for eBPF object
Date: Thu, 31 Aug 2017 13:56:35 -0700
Message-Id: <20170831205635.80256-4-chenbofeng.kernel@gmail.com>
In-Reply-To: <20170831205635.80256-1-chenbofeng.kernel@gmail.com>
References: <20170831205635.80256-1-chenbofeng.kernel@gmail.com>
From: Chenbo Feng Introduce 5 new selinux checks for eBPF object related operations. The check is based on the ownership information of eBPF maps and the capability of creating eBPF object. Signed-off-by: Chenbo Feng --- security/selinux/hooks.c | 54 +++++++++++++++++++++++++++++++++++++ security/selinux/include/classmap.h | 2 ++ security/selinux/include/objsec.h | 4 +++ 3 files changed, 60 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 33fd061305c4..39ad7d9f335d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -85,6 +85,7 @@ #include #include #include +#include #include "avc.h" #include "objsec.h" @@ -6245,6 +6246,52 @@ static void selinux_ib_free_security(void *ib_sec) } #endif +#ifdef CONFIG_BPF_SYSCALL +static int selinux_bpf_map_create(void) +{ + u32 sid = current_sid(); + + return avc_has_perm(sid, sid, SECCLASS_BPF, BPF__MAP_CREATE, NULL); +} + +static int selinux_bpf_map_modify(struct bpf_map *map) +{ + struct bpf_security_struct *bpfsec = map->security; + + return avc_has_perm(current_sid(), bpfsec->sid, SECCLASS_BPF, + BPF__MAP_MODIFY, NULL); +} + +static int selinux_bpf_map_read(struct bpf_map *map) +{ + struct bpf_security_struct *bpfsec = map->security; + + return avc_has_perm(current_sid(), bpfsec->sid, SECCLASS_BPF, + BPF__MAP_READ, NULL); +} + +static int selinux_bpf_prog_load(void) +{ + u32 sid = current_sid(); + + return avc_has_perm(sid, sid, SECCLASS_BPF, BPF__PROG_LOAD, NULL); +} + +static int selinux_bpf_post_create(struct bpf_map *map) +{ + struct bpf_security_struct *bpfsec; + + bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); + if (!bpfsec) + return -ENOMEM; + + bpfsec->sid = current_sid(); + map->security = bpfsec; + + return 0; +} +#endif + static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), 
@@ -6465,6 +6512,13 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match), LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free), #endif +#ifdef CONFIG_BPF_SYSCALL + LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), + LSM_HOOK_INIT(bpf_map_modify, selinux_bpf_map_modify), + LSM_HOOK_INIT(bpf_map_read, selinux_bpf_map_read), + LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), + LSM_HOOK_INIT(bpf_post_create, selinux_bpf_post_create), +#endif }; static __init int selinux_init(void) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index b9fe3434b036..83c880fb17b4 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -235,6 +235,8 @@ struct security_class_mapping secclass_map[] = { { "access", NULL } }, { "infiniband_endport", { "manage_subnet", NULL } }, + { "bpf", + {"map_create", "map_modify", "map_read", "prog_load" } }, { NULL } }; diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 6ebc61e370ff..ba564f662b0d 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -150,6 +150,10 @@ struct pkey_security_struct { u32 sid; /* SID of pkey */ }; +struct bpf_security_struct { + u32 sid; /*SID of bpf obj creater*/ +}; + extern unsigned int selinux_checkreqprot; #endif /* _SELINUX_OBJSEC_H_ */
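Review bot: in the hooks.c hunk that adds the selinux_bpf_* functions, selinux_bpf_post_create kzallocs a bpf_security_struct into map->security, but no hook in this patch frees it; unless the bpf core releases map->security when the map is torn down, every map destruction leaks that allocation. Suggest pairing it with a free callback (one that does `kfree(map->security);` and clears the pointer) registered next to the other hooks, or stating in the commit message where the free happens. Related: selinux_bpf_map_modify and selinux_bpf_map_read dereference map->security without a NULL check, so the guarantee that post_create has run (and succeeded) before any read/modify hook can fire on that map deserves a comment. The `avc_has_perm(sid, sid, SECCLASS_BPF, ...)` form used by map_create and prog_load is the usual self-directed check and is appropriate there, since no labelled object exists yet at that point.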
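Review bot: in the LSM_HOOK_INIT hunk (hooks.c, the selinux_hooks[] table), the five registrations match the five functions, but if a free callback for map->security is added it needs an entry here too, inside the same #ifdef CONFIG_BPF_SYSCALL block. A naming point: four entries are scoped as bpf_map_* or bpf_prog_load, while bpf_post_create reads as generic even though its callback takes only a struct bpf_map; naming it bpf_map_post_create, or documenting that programs receive no label in this patch, would make the hook's scope clear to policy writers.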
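Review bot: the new `{ "bpf", {"map_create", "map_modify", "map_read", "prog_load" } }` entry in classmap.h omits the trailing NULL that every neighbouring entry uses (compare `{ "infiniband_endport", { "manage_subnet", NULL } }`); static zero-initialisation of the perms array makes it behave, but the explicit terminator is the file's convention and protects against a later refactor of the table. The inner `{"map_create"` also lacks the space after the brace used elsewhere in the file. Note as well that the commit message announces five checks while the class defines four permissions; the fifth hook, bpf_post_create, only labels the map rather than checking a permission, so the message could say four access checks plus a labelling hook.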
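Review bot: the comment `/*SID of bpf obj creater*/` in the objsec.h hunk misspells creator and drops the spaces inside the comment delimiters that the adjacent `/* SID of pkey */` uses; suggest `/* SID of bpf object creator */`. Since this patch attaches the struct only to maps, either naming it for maps or stating in the comment that programs carry no label would document what is and is not covered.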