Message ID | 20240711111908.3817636-12-xukuohai@huaweicloud.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | Add return value range check for BPF LSM | expand |
On Thu, Jul 11, 2024 at 07:18:59PM +0800, Xu Kuohai wrote:
> From: Xu Kuohai <xukuohai@huawei.com>
>
> Add a disabled hooks list for BPF LSM. progs being attached to the
> listed hooks will be rejected by the verifier.
>
> Suggested-by: KP Singh <kpsingh@kernel.org>
> Signed-off-by: Xu Kuohai <xukuohai@huawei.com>

Xu,

The patches 11 and higher are mostly independent from lsm refactoring.
Please send them as a separate patchset for bpf-next.
While lsm cleanups are being reviewed this lsm_disabled list can be
a bit larger temporarily.
On 7/13/2024 1:56 AM, Alexei Starovoitov wrote:
> On Thu, Jul 11, 2024 at 07:18:59PM +0800, Xu Kuohai wrote:
>> From: Xu Kuohai <xukuohai@huawei.com>
>>
>> Add a disabled hooks list for BPF LSM. progs being attached to the
>> listed hooks will be rejected by the verifier.
>>
>> Suggested-by: KP Singh <kpsingh@kernel.org>
>> Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
>
> Xu,
>
> The patches 11 and higher are mostly independent from lsm refactoring.
> Please send them as a separate patchset for bpf-next.
> While lsm cleanups are being reviewed this lsm_disabled list can be
> a bit larger temporarily.
>

It's great to separate patches unrelated to bpf by temporarily extending the lsm disabled list. I'll post an update. Thanks!
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 08a338e1f231..e5feb6560fe6 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -36,6 +36,12 @@ BTF_SET_START(bpf_lsm_hooks) #undef LSM_HOOK BTF_SET_END(bpf_lsm_hooks) +BTF_SET_START(bpf_lsm_disabled_hooks) +BTF_ID(func, bpf_lsm_getprocattr) +BTF_ID(func, bpf_lsm_setprocattr) +BTF_ID(func, bpf_lsm_ismaclabel) +BTF_SET_END(bpf_lsm_disabled_hooks) + /* List of LSM hooks that should operate on 'current' cgroup regardless * of function signature. */ @@ -97,15 +103,24 @@ void bpf_lsm_find_cgroup_shim(const struct bpf_prog *prog, int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog, const struct bpf_prog *prog) { + u32 btf_id = prog->aux->attach_btf_id; + const char *func_name = prog->aux->attach_func_name; + if (!prog->gpl_compatible) { bpf_log(vlog, "LSM programs must have a GPL compatible license\n"); return -EINVAL; } - if (!btf_id_set_contains(&bpf_lsm_hooks, prog->aux->attach_btf_id)) { + if (btf_id_set_contains(&bpf_lsm_disabled_hooks, btf_id)) { + bpf_log(vlog, "attach_btf_id %u points to disabled hook %s\n", + btf_id, func_name); + return -EINVAL; + } + + if (!btf_id_set_contains(&bpf_lsm_hooks, btf_id)) { bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n", - prog->aux->attach_btf_id, prog->aux->attach_func_name); + btf_id, func_name); return -EINVAL; }
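Review bot: the first hunk introduces BTF_SET_START(bpf_lsm_disabled_hooks) with bpf_lsm_getprocattr, bpf_lsm_setprocattr and bpf_lsm_ismaclabel but carries no comment stating the criterion for putting a hook on the list, and the commit message only says that a disabled list is added. Since the series is about return value range checks for BPF LSM, a one-line comment above the set naming the rule for membership (whatever it is that makes these three unsuitable for BPF attachment) would let future additions follow the same rule and let a reader tell whether an entry is there for a return-value reason or for a policy reason; the surrounding block already documents its other lists this way ("List of LSM hooks that should operate on 'current' cgroup ...").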
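Review bot: in the bpf_lsm_verify_prog hunk the disabled-hook check is correctly placed before the bpf_lsm_hooks membership check (the visible context shows bpf_lsm_hooks is generated from the LSM_HOOK definitions, so the three disabled hooks are members of it as well and would otherwise pass), but the hunk also rewrites the pre-existing "points to wrong type name" bpf_log call from prog->aux->attach_btf_id, prog->aux->attach_func_name to the new btf_id, func_name locals. That is a cosmetic change folded into a functional one and is not mentioned in the commit message; either note it there or keep the new locals confined to the new block. The new rejection path also has no accompanying selftest: a test that loads a program targeting one of the listed hooks and asserts that the verifier log contains "points to disabled hook" would pin the behavior for the bpf-next resend Alexei asked for.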