Message ID | ZXM3IHHXpNY9y82a@google.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Series | [bpf-next] bpf: add small subset of SECURITY_PATH hooks to BPF sleepable_lsm_hooks list |
On Fri, Dec 8, 2023 at 4:32 PM Matt Bobrowski <mattbobrowski@google.com> wrote:
>
> security_path_* based LSM hooks appear to be generally missing from
> the sleepable_lsm_hooks list. Initially add a small subset of them to
> the preexisting sleepable_lsm_hooks list so that sleepable BPF helpers
> like bpf_d_path() can be used from sleepable BPF LSM based programs.
>
> The security_path_* hooks added in this patch are similar to the
> security_inode_* counterparts that already exist in the
> sleepable_lsm_hooks list, and are called in roughly similar points and
> contexts. Presumably, making them OK to be also annotated as
> sleepable.
>
> Building a kernel with DEBUG_ATOMIC_SLEEP options enabled and running
> reasonable workloads stimulating activity that would be intercepted by
> such security hooks didn't show any splats.
>
> Notably, I haven't added all the security_path_* LSM hooks that are
> available as I don't need them at this point in time.
>
> Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>

Acked-by: KP Singh <kpsingh@kernel.org>

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Fri, 8 Dec 2023 15:32:48 +0000 you wrote:
> security_path_* based LSM hooks appear to be generally missing from
> the sleepable_lsm_hooks list. Initially add a small subset of them to
> the preexisting sleepable_lsm_hooks list so that sleepable BPF helpers
> like bpf_d_path() can be used from sleepable BPF LSM based programs.
>
> The security_path_* hooks added in this patch are similar to the
> security_inode_* counterparts that already exist in the
> sleepable_lsm_hooks list, and are called in roughly similar points and
> contexts. Presumably, making them OK to be also annotated as
> sleepable.
>
> [...]

Here is the summary with links:
  - [bpf-next] bpf: add small subset of SECURITY_PATH hooks to BPF sleepable_lsm_hooks list
    https://git.kernel.org/bpf/bpf-next/c/b13cddf63356

You are awesome, thank you!

diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 7d2f96413a57..63b4dc495125 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -304,6 +304,18 @@ BTF_ID(func, bpf_lsm_kernel_module_request) BTF_ID(func, bpf_lsm_kernel_read_file) BTF_ID(func, bpf_lsm_kernfs_init_security) +#ifdef CONFIG_SECURITY_PATH +BTF_ID(func, bpf_lsm_path_unlink) +BTF_ID(func, bpf_lsm_path_mkdir) +BTF_ID(func, bpf_lsm_path_rmdir) +BTF_ID(func, bpf_lsm_path_truncate) +BTF_ID(func, bpf_lsm_path_symlink) +BTF_ID(func, bpf_lsm_path_link) +BTF_ID(func, bpf_lsm_path_rename) +BTF_ID(func, bpf_lsm_path_chmod) +BTF_ID(func, bpf_lsm_path_chown) +#endif /* CONFIG_SECURITY_PATH */ + #ifdef CONFIG_KEYS BTF_ID(func, bpf_lsm_key_free) #endif /* CONFIG_KEYS */
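
Review bot: The new #ifdef CONFIG_SECURITY_PATH block in the sleepable_lsm_hooks list carries no comment recording why these nine hooks may sleep, and the commit message rests on "Presumably" plus DEBUG_ATOMIC_SLEEP runs, which only flag call paths the test workload actually reached. Consider a short comment above BTF_ID(func, bpf_lsm_path_unlink) stating that each listed hook's call site was checked to run in process context with no spinlock or RCU read-side section held, and noting that the list is a deliberate subset, so that any security_path_* hook added later gets the same check rather than being appended by analogy.
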
security_path_* based LSM hooks appear to be generally missing from
the sleepable_lsm_hooks list. Initially add a small subset of them to
the preexisting sleepable_lsm_hooks list so that sleepable BPF helpers
like bpf_d_path() can be used from sleepable BPF LSM based programs.

The security_path_* hooks added in this patch are similar to the
security_inode_* counterparts that already exist in the
sleepable_lsm_hooks list, and are called in roughly similar points and
contexts. Presumably, making them OK to be also annotated as
sleepable.

Building a kernel with DEBUG_ATOMIC_SLEEP options enabled and running
reasonable workloads stimulating activity that would be intercepted by
such security hooks didn't show any splats.

Notably, I haven't added all the security_path_* LSM hooks that are
available as I don't need them at this point in time.

Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
---
 kernel/bpf/bpf_lsm.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)