| Message ID | 20220801180146.1157914-3-fred@cloudflare.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 401e64b3a4af4c7a2f6a00337232a3cf0bb757ed |
| Series | Introduce security_create_user_ns() |
On Mon, Aug 01, 2022 at 01:01:44PM -0500, Frederick Lawler wrote:
> Users may want to audit calls to security_create_user_ns() and access
> user space memory. Also create_user_ns() runs without
> pagefault_disabled(). Therefore, make bpf_lsm_userns_create() sleepable
> for mandatory access control policies.
>
> Signed-off-by: Frederick Lawler <fred@cloudflare.com>
> Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>

We can take this set through bpf-next tree if it's easier.
Or if it goes through other trees:
Acked-by: Alexei Starovoitov <ast@kernel.org>
On Mon, Aug 1, 2022 at 7:00 PM Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:
>
> On Mon, Aug 01, 2022 at 01:01:44PM -0500, Frederick Lawler wrote:
> > Users may want to audit calls to security_create_user_ns() and access
> > user space memory. Also create_user_ns() runs without
> > pagefault_disabled(). Therefore, make bpf_lsm_userns_create() sleepable
> > for mandatory access control policies.
> >
> > Signed-off-by: Frederick Lawler <fred@cloudflare.com>
> > Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
>
> We can take this set through bpf-next tree if it's easier.

Thanks Alexei, but I'm currently planning to merge it into the LSM next branch once the merge window closes.

> Or if it goes through other trees:
> Acked-by: Alexei Starovoitov <ast@kernel.org>

I appreciate the review/ACK, would you mind reviewing the tests too (patch 3/4)?
On Mon, Aug 1, 2022 at 8:02 PM Frederick Lawler <fred@cloudflare.com> wrote:
>
> Users may want to audit calls to security_create_user_ns() and access
> user space memory. Also create_user_ns() runs without
> pagefault_disabled(). Therefore, make bpf_lsm_userns_create() sleepable
> for mandatory access control policies.
>
> Signed-off-by: Frederick Lawler <fred@cloudflare.com>
> Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>

Acked-by: KP Singh <kpsingh@kernel.org>
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index c1351df9f7ee..4593437809cc 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -250,6 +250,7 @@ BTF_ID(func, bpf_lsm_task_getsecid_obj) BTF_ID(func, bpf_lsm_task_prctl) BTF_ID(func, bpf_lsm_task_setscheduler) BTF_ID(func, bpf_lsm_task_to_inode) +BTF_ID(func, bpf_lsm_userns_create) BTF_SET_END(sleepable_lsm_hooks) bool bpf_lsm_is_sleepable_hook(u32 btf_id)
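Review bot: the only justification given for adding bpf_lsm_userns_create to sleepable_lsm_hooks is that create_user_ns() runs without pagefault_disabled(); the commit message should also state that the hook is reached from process context with no spinlock or RCU read-side section held, because every program attached through this set may call sleepable helpers that fault in user memory, and a caller that cannot sleep would turn such a read into a kernel bug rather than a policy decision. Placing the new entry after bpf_lsm_task_to_inode keeps the set alphabetically ordered, so nothing to change there. The sleepability claim is only as strong as its coverage: a selftest that attaches an lsm.s program to userns_create and performs a user-memory read from it would make the claim checkable on every run, which the thread indicates patch 3/4 of this series is meant to provide.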