Message ID | 20220721172808.585539-3-fred@cloudflare.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 401e64b3a4af4c7a2f6a00337232a3cf0bb757ed |
Headers | show |
Series | Introduce security_create_user_ns() | expand |
On Thu, Jul 21, 2022 at 12:28:06PM -0500, Frederick Lawler wrote: > Users may want to audit calls to security_create_user_ns() and access > user space memory. Also create_user_ns() runs without > pagefault_disabled(). Therefore, make bpf_lsm_userns_create() sleepable > for mandatory access control policies. > > Signed-off-by: Frederick Lawler <fred@cloudflare.com> > > --- Seems reasonable, Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index c1351df9f7ee..4593437809cc 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -250,6 +250,7 @@ BTF_ID(func, bpf_lsm_task_getsecid_obj) BTF_ID(func, bpf_lsm_task_prctl) BTF_ID(func, bpf_lsm_task_setscheduler) BTF_ID(func, bpf_lsm_task_to_inode) +BTF_ID(func, bpf_lsm_userns_create) BTF_SET_END(sleepable_lsm_hooks) bool bpf_lsm_is_sleepable_hook(u32 btf_id)
Users may want to audit calls to security_create_user_ns() and access user space memory. Also create_user_ns() runs without pagefault_disabled(). Therefore, make bpf_lsm_userns_create() sleepable for mandatory access control policies. Signed-off-by: Frederick Lawler <fred@cloudflare.com> --- Changes since v2: - Rename create_user_ns hook to userns_create Changes since v1: - None --- kernel/bpf/bpf_lsm.c | 1 + 1 file changed, 1 insertion(+)