Message ID | 20231103190523.6353-18-andrii@kernel.org (mailing list archive) |
Series | BPF token and BPF FS-based delegation | expand |
On Nov 3, 2023 Andrii Nakryiko <andrii@kernel.org> wrote: > > Utilize newly added bpf_token_create/bpf_token_free LSM hooks to > allocate struct bpf_security_struct for each BPF token object in > SELinux. This just follows similar pattern for BPF prog and map. > > Signed-off-by: Andrii Nakryiko <andrii@kernel.org> > --- > security/selinux/hooks.c | 25 +++++++++++++++++++++++++ > 1 file changed, 25 insertions(+) Thanks Andrii, we'll need some additional code to fully enable the BPF tokens on a SELinux system but I can help provide that if you'd like. Although I might not be able to get to that until after the merge window closes. > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 002351ab67b7..1501e95366a1 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -6828,6 +6828,29 @@ static void selinux_bpf_prog_free(struct bpf_prog *prog) > prog->aux->security = NULL; > kfree(bpfsec); > } > + > +static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, > + struct path *path) > +{ > + struct bpf_security_struct *bpfsec; > + > + bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); > + if (!bpfsec) > + return -ENOMEM; > + > + bpfsec->sid = current_sid(); > + token->security = bpfsec; > + > + return 0; > +} > + > +static void selinux_bpf_token_free(struct bpf_token *token) > +{ > + struct bpf_security_struct *bpfsec = token->security; > + > + token->security = NULL; > + kfree(bpfsec); > +} > #endif > > struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { > @@ -7183,6 +7206,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { > LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), > LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free), > LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free), > + LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free), > #endif > > #ifdef CONFIG_PERF_EVENTS 
> @@ -7241,6 +7265,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { > #ifdef CONFIG_BPF_SYSCALL > LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), > LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), > + LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create), > #endif > #ifdef CONFIG_PERF_EVENTS > LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), > -- > 2.34.1 -- paul-moore.com
On Sun, Nov 5, 2023 at 9:01 PM Paul Moore <paul@paul-moore.com> wrote: > > On Nov 3, 2023 Andrii Nakryiko <andrii@kernel.org> wrote: > > > > Utilize newly added bpf_token_create/bpf_token_free LSM hooks to > > allocate struct bpf_security_struct for each BPF token object in > > SELinux. This just follows similar pattern for BPF prog and map. > > > > Signed-off-by: Andrii Nakryiko <andrii@kernel.org> > > --- > > security/selinux/hooks.c | 25 +++++++++++++++++++++++++ > > 1 file changed, 25 insertions(+) > > Thanks Andrii, we'll need some additional code to fully enable the > BPF tokens on a SELinux system but I can help provide that if you'd > like. Although I might not be able to get to that until after the > merge window closes. Yep, I'd appreciate your help with the SELinux side. Until after the merge window is fine, yes. Thanks for reviewing the patch set! > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index 002351ab67b7..1501e95366a1 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -6828,6 +6828,29 @@ static void selinux_bpf_prog_free(struct bpf_prog *prog) > > prog->aux->security = NULL; > > kfree(bpfsec); > > } > > + > > +static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr, > > + struct path *path) > > +{ > > + struct bpf_security_struct *bpfsec; > > + > > + bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL); > > + if (!bpfsec) > > + return -ENOMEM; > > + > > + bpfsec->sid = current_sid(); > > + token->security = bpfsec; > > + > > + return 0; > > +} > > + > > +static void selinux_bpf_token_free(struct bpf_token *token) > > +{ > > + struct bpf_security_struct *bpfsec = token->security; > > + > > + token->security = NULL; > > + kfree(bpfsec); > > +} > > #endif > > > > struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { 
> > @@ -7183,6 +7206,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { > > LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog), > > LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free), > > LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free), > > + LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free), > > #endif > > > > #ifdef CONFIG_PERF_EVENTS > > @@ -7241,6 +7265,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { > > #ifdef CONFIG_BPF_SYSCALL > > LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create), > > LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load), > > + LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create), > > #endif > > #ifdef CONFIG_PERF_EVENTS > > LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), > > -- > > 2.34.1 > > -- > paul-moore.com
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 002351ab67b7..1501e95366a1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6828,6 +6828,29 @@ static void selinux_bpf_prog_free(struct bpf_prog *prog)
 prog->aux->security = NULL;
 kfree(bpfsec);
 }
+
+static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
+ struct path *path)
+{
+ struct bpf_security_struct *bpfsec;
+
+ bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
+ if (!bpfsec)
+ return -ENOMEM;
+
+ bpfsec->sid = current_sid();
+ token->security = bpfsec;
+
+ return 0;
+}
+
+static void selinux_bpf_token_free(struct bpf_token *token)
+{
+ struct bpf_security_struct *bpfsec = token->security;
+
+ token->security = NULL;
+ kfree(bpfsec);
+}
 #endif

 struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
@@ -7183,6 +7206,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
 LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
 LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
 LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
+ LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
 #endif

 #ifdef CONFIG_PERF_EVENTS
@@ -7241,6 +7265,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
 #ifdef CONFIG_BPF_SYSCALL
 LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
 LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
+ LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),
 #endif
 #ifdef CONFIG_PERF_EVENTS
 LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),
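Review bot: selinux_bpf_token_create stores current_sid() in the new blob but never reads `attr` or `path`, so the hook labels the token without performing any avc permission check of its own; the map_create/prog_load hooks it is modelled on are registered in the same table, but their bodies are outside this hunk, so whether they mediate creation cannot be confirmed here. If leaving token creation unmediated is intentional for this series, the two unused parameters deserve a comment so the gap is not mistaken for an oversight, e.g. `/* attr and path are currently unused: the token is only labelled with the creator's SID; policy mediation of token creation and of the bpffs path is left for follow-up work */`. Because the series is about delegating a token from one process to another, the SID recorded here is the creator's context, which is presumably not the context that will later present the token; any later check on token use will have to state explicitly which of the two it compares against. The enclosing `#ifdef CONFIG_BPF_SYSCALL` region begins outside the hunk.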
Utilize newly added bpf_token_create/bpf_token_free LSM hooks to allocate struct bpf_security_struct for each BPF token object in SELinux. This follows the same pattern already used for BPF prog and map objects. Signed-off-by: Andrii Nakryiko <andrii@kernel.org> --- security/selinux/hooks.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+)