diff mbox

[RFC,4/4] bpf: Restrict Checmate bpf programs to current kernel ABI

Message ID 20160804071227.GA19135@ircssh.c.rugged-nimbus-611.internal
State New
Headers show

Commit Message

Sargun Dhillon Aug. 4, 2016, 7:12 a.m. UTC
I think it makes sense to restrict Checmate to loading programs that have been 
compiled with the current kernel ABI. We can further stabilize the ABI, and 
perhaps lift this restriction later.

Signed-off-by: Sargun Dhillon <sargun@sargun.me>
---
 kernel/bpf/syscall.c         | 2 +-
 samples/bpf/checmate1_kern.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

Comments

Daniel Borkmann Aug. 4, 2016, 9:52 a.m. UTC | #1
On 08/04/2016 09:12 AM, Sargun Dhillon wrote:
> I think it makes sense to restrict Checmate to loading programs that have been
> compiled with the current kernel ABI. We can further stabilize the ABI, and
> perhaps lift this restriction later.
>
> Signed-off-by: Sargun Dhillon <sargun@sargun.me>
> ---
>   kernel/bpf/syscall.c         | 2 +-
>   samples/bpf/checmate1_kern.c | 3 ++-
>   2 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 228f962..2a37b4d 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -741,7 +741,7 @@ static int bpf_prog_load(union bpf_attr *attr)
>   	if (attr->insn_cnt >= BPF_MAXINSNS)
>   		return -EINVAL;
>
> -	if (type == BPF_PROG_TYPE_KPROBE &&
> +	if ((type & (BPF_PROG_TYPE_KPROBE | BPF_PROG_TYPE_CHECMATE)) &&
>   	    attr->kern_version != LINUX_VERSION_CODE)

Btw, this check is correct, program types are not masks.

BPF_PROG_TYPE_KPROBE (== 2) and BPF_PROG_TYPE_CHECMATE (== 7) will now
require every type to have a version code ...

>   		return -EINVAL;
>
> diff --git a/samples/bpf/checmate1_kern.c b/samples/bpf/checmate1_kern.c
> index f78b66b..d4ec1fa 100644
> --- a/samples/bpf/checmate1_kern.c
> +++ b/samples/bpf/checmate1_kern.c
> @@ -3,6 +3,7 @@
>   #include <linux/in.h>
>   #include <linux/checmate.h>
>   #include "bpf_helpers.h"
> +#include <linux/version.h>
>
>   SEC("checmate")
>   int prog(struct checmate_ctx *ctx)
> @@ -24,4 +25,4 @@ int prog(struct checmate_ctx *ctx)
>   }
>
>   char _license[] SEC("license") = "GPL";
> -
> +u32 _version SEC("version") = LINUX_VERSION_CODE;
>

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Daniel Borkmann Aug. 4, 2016, 9:54 a.m. UTC | #2
On 08/04/2016 11:52 AM, Daniel Borkmann wrote:
> On 08/04/2016 09:12 AM, Sargun Dhillon wrote:
>> I think it makes sense to restrict Checmate to loading programs that have been
>> compiled with the current kernel ABI. We can further stabilize the ABI, and
>> perhaps lift this restriction later.
>>
>> Signed-off-by: Sargun Dhillon <sargun@sargun.me>
>> ---
>>   kernel/bpf/syscall.c         | 2 +-
>>   samples/bpf/checmate1_kern.c | 3 ++-
>>   2 files changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
>> index 228f962..2a37b4d 100644
>> --- a/kernel/bpf/syscall.c
>> +++ b/kernel/bpf/syscall.c
>> @@ -741,7 +741,7 @@ static int bpf_prog_load(union bpf_attr *attr)
>>       if (attr->insn_cnt >= BPF_MAXINSNS)
>>           return -EINVAL;
>>
>> -    if (type == BPF_PROG_TYPE_KPROBE &&
>> +    if ((type & (BPF_PROG_TYPE_KPROBE | BPF_PROG_TYPE_CHECMATE)) &&
>>           attr->kern_version != LINUX_VERSION_CODE)
>
> Btw, this check is correct, program types are not masks.

Sorry, I meant to write *not* correct, which was hopefully inferable from
the rest.

> BPF_PROG_TYPE_KPROBE (== 2) and BPF_PROG_TYPE_CHECMATE (== 7) will now
> require every type to have a version code ...
>
>>           return -EINVAL;
>>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 228f962..2a37b4d 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -741,7 +741,7 @@  static int bpf_prog_load(union bpf_attr *attr)
 	if (attr->insn_cnt >= BPF_MAXINSNS)
 		return -EINVAL;
 
-	if (type == BPF_PROG_TYPE_KPROBE &&
+	if ((type & (BPF_PROG_TYPE_KPROBE | BPF_PROG_TYPE_CHECMATE)) &&
 	    attr->kern_version != LINUX_VERSION_CODE)
 		return -EINVAL;
 
diff --git a/samples/bpf/checmate1_kern.c b/samples/bpf/checmate1_kern.c
index f78b66b..d4ec1fa 100644
--- a/samples/bpf/checmate1_kern.c
+++ b/samples/bpf/checmate1_kern.c
@@ -3,6 +3,7 @@ 
 #include <linux/in.h>
 #include <linux/checmate.h>
 #include "bpf_helpers.h"
+#include <linux/version.h>
 
 SEC("checmate")
 int prog(struct checmate_ctx *ctx)
@@ -24,4 +25,4 @@  int prog(struct checmate_ctx *ctx)
 }
 
 char _license[] SEC("license") = "GPL";
-
+u32 _version SEC("version") = LINUX_VERSION_CODE;