From patchwork Wed Dec 13 14:38:11 2023
X-Patchwork-Submitter: Michael Weiß
X-Patchwork-Id: 13491102
X-Patchwork-Delegate: paul@paul-moore.com
From: Michael Weiß
To: Christian Brauner, Alexander Mikhalitsyn, Alexei Starovoitov, Paul Moore
CC: Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Quentin Monnet, Alexander Viro, Miklos Szeredi, Amir Goldstein, "Serge E. Hallyn", Michael Weiß, Alexander Mikhalitsyn
Subject: [RFC PATCH v3 1/3] bpf: cgroup: Introduce helper cgroup_bpf_current_enabled()
Date: Wed, 13 Dec 2023 15:38:11 +0100
Message-Id: <20231213143813.6818-2-michael.weiss@aisec.fraunhofer.de>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20231213143813.6818-1-michael.weiss@aisec.fraunhofer.de>
References: <20231213143813.6818-1-michael.weiss@aisec.fraunhofer.de>
X-Mailing-List: linux-security-module@vger.kernel.org
This helper can be used to check if a cgroup-bpf specific program is active for the current task.

Signed-off-by: Michael Weiß
Reviewed-by: Alexander Mikhalitsyn
---
 include/linux/bpf-cgroup.h |  2 ++
 kernel/bpf/cgroup.c        | 14 ++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
index a789266feac3..7cb49bde09ff 100644
--- a/include/linux/bpf-cgroup.h
+++ b/include/linux/bpf-cgroup.h
@@ -191,6 +191,8 @@ static inline bool cgroup_bpf_sock_enabled(struct sock *sk, return array != &bpf_empty_prog_array.hdr; } +bool cgroup_bpf_current_enabled(enum cgroup_bpf_attach_type type); + /* Wrappers for __cgroup_bpf_run_filter_skb() guarded by cgroup_bpf_enabled. */ #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb) \ ({ \ diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index 491d20038cbe..9007165abe8c 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c 
@@ -24,6 +24,20 @@ DEFINE_STATIC_KEY_ARRAY_FALSE(cgroup_bpf_enabled_key, MAX_CGROUP_BPF_ATTACH_TYPE); EXPORT_SYMBOL(cgroup_bpf_enabled_key); +bool cgroup_bpf_current_enabled(enum cgroup_bpf_attach_type type) +{ + struct cgroup *cgrp; + struct bpf_prog_array *array; + + rcu_read_lock(); + cgrp = task_dfl_cgroup(current); + rcu_read_unlock(); + + array = rcu_access_pointer(cgrp->bpf.effective[type]); + return array != &bpf_empty_prog_array.hdr; +} +EXPORT_SYMBOL(cgroup_bpf_current_enabled); + /* __always_inline is necessary to prevent indirect call through run_prog * function pointer. */

From patchwork Wed Dec 13 14:38:12 2023
X-Patchwork-Submitter: Michael Weiß
X-Patchwork-Id: 13491103
X-Patchwork-Delegate: paul@paul-moore.com
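Review bot: In the kernel/bpf/cgroup.c hunk of patch 1/3, cgroup_bpf_current_enabled() calls rcu_read_unlock() immediately after task_dfl_cgroup(current) and only then dereferences cgrp->bpf.effective[type]; nothing keeps the cgroup alive once the read-side critical section ends, so the lookup and the comparison should both happen under RCU. Suggested shape: `rcu_read_lock(); cgrp = task_dfl_cgroup(current); array = rcu_access_pointer(cgrp->bpf.effective[type]); rcu_read_unlock(); return array != &bpf_empty_prog_array.hdr;` (the array pointer is only compared, never dereferenced, so rcu_access_pointer() remains appropriate). The new exported helper also lacks a kernel-doc comment; one line stating that it reports whether any program of attach type `type` is effective for the current task's default cgroup would match the "Wrappers for ..." comment style already used in the header. Since the declaration is placed next to cgroup_bpf_sock_enabled() in bpf-cgroup.h, please also check whether a stub is needed for builds without CONFIG_CGROUP_BPF so that LSM callers still link.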
From: Michael Weiß
To: Christian Brauner, Alexander Mikhalitsyn, Alexei Starovoitov, Paul Moore
CC: Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Quentin Monnet, Alexander Viro, Miklos Szeredi, Amir Goldstein, "Serge E. Hallyn", Michael Weiß
Subject: [RFC PATCH v3 2/3] fs: Make vfs_mknod() to check CAP_MKNOD in user namespace of sb
Date: Wed, 13 Dec 2023 15:38:12 +0100
Message-Id: <20231213143813.6818-3-michael.weiss@aisec.fraunhofer.de>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20231213143813.6818-1-michael.weiss@aisec.fraunhofer.de>
References: <20231213143813.6818-1-michael.weiss@aisec.fraunhofer.de>
X-Mailing-List: linux-security-module@vger.kernel.org
Check CAP_MKNOD for the user namespace of sb with ns_capable() in fs/namei.c. This will allow LSM-based guarding of device node creation in a non-initial user namespace by stripping out SB_I_NODEV for mounts in its own namespace. Currently, device access is blocked unconditionally in may_open_dev(), and mounts inside unprivileged user namespaces get SB_I_NODEV set in sb->s_iflags, causing open() to fail with -EACCES.
Device access by cgroups is mediated in the following places:

 1) fs/namei.c: inode_permission() -> devcgroup_inode_permission
    and vfs_mknod() -> devcgroup_inode_mknod
 2) block/bdev.c: blkdev_get_by_dev() -> devcgroup_check_permission
 3) drivers/gpu/drm/amd/amdkfd/kfd_priv.h: kfd_devcgroup_check_permission -> devcgroup_check_permission

We leave this all in place. However, an LSM now can implement the security hook security_inode_mknod(), which is called directly after devcgroup_inode_mknod() in vfs_mknod(), and remove SB_I_NODEV. This will let the call to may_open_dev() during open() succeed.

Turning the check from capable(CAP_MKNOD) to ns_capable(sb->s_userns, CAP_MKNOD) is inherently safe due to SB_I_NODEV. However, this may allow creating device nodes which then could not be opened. To give user space some time to adopt, we introduce a sysctl knob which must be explicitly set to "1" to activate the use of ns_capable(). Otherwise, we just check the global capability for the current task as before.

I tested this approach in a GyroidOS container using the small devguard LSM of the follow-up commit.

Signed-off-by: Michael Weiß --- fs/namei.c | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index 71c13b2990b4..cc61545e02ce 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1032,6 +1032,7 @@ static int sysctl_protected_symlinks __read_mostly; static int sysctl_protected_hardlinks __read_mostly; static int sysctl_protected_fifos __read_mostly; static int sysctl_protected_regular __read_mostly; +static int sysctl_nscap_mknod __read_mostly; #ifdef CONFIG_SYSCTL static struct ctl_table namei_sysctls[] = { 
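Review bot: the new `sysctl_nscap_mknod` declared in this hunk sits outside the `#ifdef CONFIG_SYSCTL` block that follows it, so on a CONFIG_SYSCTL=n kernel it stays 0 and the check silently keeps the old `init_user_ns` behaviour; that is the safe default, but the knob has no entry in Documentation/admin-guide/sysctl/fs.rst alongside the `protected_*` knobs it is placed next to. Suggest adding one that states what the commit message says: setting it to 1 only has an observable effect together with an LSM that implements `security_inode_mknod()` and clears SB_I_NODEV, and otherwise merely lets device nodes be created that cannot be opened.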
@@ -1071,6 +1072,15 @@ static struct ctl_table namei_sysctls[] = { .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_TWO, }, + { + .procname = "nscap_mknod", + .data = &sysctl_nscap_mknod, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, { } }; @@ -3940,6 +3950,24 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname, } EXPORT_SYMBOL(user_path_create); +/** + * sb_mknod_capable - check userns of sb for CAP_MKNOD + * @sb: super block to which userns CAP_MKNOD should be checked + * + * Check userns of sb for CAP_MKNOD + * + * Check CAP_MKNOD for owning user namespace of sb if corresponding sysctl is set. + * Otherwise just check global capability for current task. This allows + * lsm-based guarding of device node creation in non-initial user namespace. + */ +static bool sb_mknod_capable(struct super_block *sb) +{ + struct user_namespace *user_ns; + + user_ns = sysctl_nscap_mknod ? sb->s_user_ns : &init_user_ns; + return ns_capable(user_ns, CAP_MKNOD); +} + /** * vfs_mknod - create device node or file * @idmap: idmap of the mount the inode was found from 
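Review bot: the kerneldoc on `sb_mknod_capable()` repeats its one-line summary ("Check userns of sb for CAP_MKNOD") as the first body line, and the `@sb:` description reads awkwardly; suggest dropping the duplicate line and describing the parameter as "super block whose owning user namespace is checked for CAP_MKNOD". More importantly, the reason this relaxation is safe (nodes created via `ns_capable(sb->s_user_ns, CAP_MKNOD)` remain unopenable because mounts in non-initial user namespaces carry SB_I_NODEV, which `may_open_dev()` honours) is stated only in the commit message; it belongs in this comment, since anyone later changing how SB_I_NODEV is set or checked needs to see that this function depends on that invariant.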
@@ -3966,7 +3994,7 @@ int vfs_mknod(struct mnt_idmap *idmap, struct inode *dir, return error; if ((S_ISCHR(mode) || S_ISBLK(mode)) && !is_whiteout && - !capable(CAP_MKNOD)) + !sb_mknod_capable(dentry->d_sb)) return -EPERM; if (!dir->i_op->mknod)
From patchwork Wed Dec 13 14:38:13 2023
From: Michael Weiß
To: Christian Brauner, Alexander Mikhalitsyn, Alexei Starovoitov, Paul Moore
CC: Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Quentin Monnet, Alexander Viro, Miklos Szeredi, Amir Goldstein, "Serge E. Hallyn", Michael Weiß
Subject: [RFC PATCH v3 3/3] devguard: added device guard for mknod in non-initial userns
Date: Wed, 13 Dec 2023 15:38:13 +0100
Message-Id: <20231213143813.6818-4-michael.weiss@aisec.fraunhofer.de>
In-Reply-To: <20231213143813.6818-1-michael.weiss@aisec.fraunhofer.de>
References: <20231213143813.6818-1-michael.weiss@aisec.fraunhofer.de>
X-Mailing-List: linux-security-module@vger.kernel.org
devguard is a simple LSM to allow CAP_MKNOD in a non-initial user namespace in cooperation with an attached cgroup device program. We just need to implement the security_inode_mknod() hook for this. In the hook, we check if the current task is guarded by a device cgroup using the recently introduced cgroup_bpf_current_enabled() helper. If so, we strip out SB_I_NODEV from the super block. Access decisions to those device nodes are then guarded by the existing device cgroup mechanism.
Signed-off-by: Michael Weiß --- security/Kconfig | 11 +++++---- security/Makefile | 1 + security/devguard/Kconfig | 12 ++++++++++ security/devguard/Makefile | 2 ++ security/devguard/devguard.c | 44 ++++++++++++++++++++++++++++++++++++ 5 files changed, 65 insertions(+), 5 deletions(-) create mode 100644 security/devguard/Kconfig create mode 100644 security/devguard/Makefile create mode 100644 security/devguard/devguard.c diff --git a/security/Kconfig b/security/Kconfig index 52c9af08ad35..7ec4017745d4 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -194,6 +194,7 @@ source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/landlock/Kconfig" +source "security/devguard/Kconfig" source "security/integrity/Kconfig" 
@@ -233,11 +234,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK - default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR - default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO - default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC - default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf,devguard" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf,devguard" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf,devguard" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,bpf,devguard" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf,devguard" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list, except for those with order diff --git a/security/Makefile b/security/Makefile index 18121f8f85cd..82a0d8cab3c3 100644 --- a/security/Makefile +++ b/security/Makefile @@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ +obj-$(CONFIG_SECURITY_DEVGUARD) += devguard/ # Object integrity file lists obj-$(CONFIG_INTEGRITY) += integrity/ diff --git a/security/devguard/Kconfig b/security/devguard/Kconfig new file mode 100644 index 000000000000..592684615a8f --- /dev/null +++ b/security/devguard/Kconfig 
@@ -0,0 +1,12 @@ +config SECURITY_DEVGUARD + bool "Devguard for device node creation" + depends on SECURITY + depends on CGROUP_BPF + default n + help + This enables devguard, an LSM that allows to guard device node + creation in non-initial user namespace. It may allow mknod + in cooperation of an attached cgroup device program. + This security module stacks with other LSMs. + + If you are unsure how to answer this question, answer N. diff --git a/security/devguard/Makefile b/security/devguard/Makefile new file mode 100644 index 000000000000..fdaff8dc2fea --- /dev/null +++ b/security/devguard/Makefile @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0-only +obj-$(CONFIG_SECURITY_DEVGUARD) += devguard.o diff --git a/security/devguard/devguard.c b/security/devguard/devguard.c new file mode 100644 index 000000000000..3a0c9c27a691 --- /dev/null +++ b/security/devguard/devguard.c @@ -0,0 +1,44 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Device guard security module + * + * Simple in-kernel LSM to allow cap_mknod in non-initial + * user namespace if current task is guarded by device cgroup. + * + * Copyright (C) 2023 Fraunhofer AISEC. All rights reserved. + * + * Authors: Michael Weiß + */ + +#include +#include + +static int devguard_inode_mknod(struct inode *dir, struct dentry *dentry, + umode_t mode, dev_t dev) +{ + if (dentry->d_sb->s_iflags & ~SB_I_NODEV) + return 0; + + // strip SB_I_NODEV on super block if device cgroup is active + if (cgroup_bpf_current_enabled(CGROUP_DEVICE)) + dentry->d_sb->s_iflags &= ~SB_I_NODEV; + + return 0; +} + +static struct security_hook_list devguard_hooks[] __ro_after_init = { + LSM_HOOK_INIT(inode_mknod, devguard_inode_mknod), +}; + +static int __init devguard_init(void) +{ + security_add_hooks(devguard_hooks, ARRAY_SIZE(devguard_hooks), + "devguard"); + pr_info("devguard: initialized\n"); + return 0; +} + +DEFINE_LSM(devguard) = { + .name = "devguard", + .init = devguard_init, +};
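Review bot: the Kconfig help text for SECURITY_DEVGUARD does not mention that the module has no effect unless the `nscap_mknod` sysctl added in the preceding fs/namei.c patch is set to 1: with the knob at 0, `vfs_mknod()` still returns -EPERM from `sb_mknod_capable()` for an unprivileged user namespace before `security_inode_mknod()` is ever reached. Suggest adding a sentence to the help text stating that dependency, and while there fixing "in cooperation of an attached cgroup device program" to "in cooperation with".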
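Review bot: the early return `if (dentry->d_sb->s_iflags & ~SB_I_NODEV) return 0;` in `devguard_inode_mknod()` tests whether any flag other than SB_I_NODEV is set, not whether SB_I_NODEV is clear: a superblock carrying SB_I_NODEV together with any other s_iflags bit (SB_I_NOEXEC, for instance) is never stripped, while one with no flags at all falls through to the cgroup check for nothing. The intended test is presumably `if (!(dentry->d_sb->s_iflags & SB_I_NODEV)) return 0;`. Two further points on the same function: `dentry->d_sb->s_iflags &= ~SB_I_NODEV;` is a non-atomic read-modify-write on a field shared by the whole superblock with no locking visible here, and its effect is permanent and superblock-wide, so after a single mknod by a device-cgroup-guarded task, `may_open_dev()` stops blocking every task on that superblock, including tasks that are not under any device cgroup program. The commit message's statement that access is then guarded by the device cgroup mechanism holds only for guarded tasks; either document that limitation in the file header comment or scope the stripping more narrowly.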