@@ -9002,6 +9002,11 @@ F: include/linux/kprobes.h
F: include/asm-generic/kprobes.h
F: kernel/kprobes.c
+KRSI SECURITY MODULE
+M: KP Singh <kpsingh@chromium.org>
+S: Supported
+F: security/krsi/
+
KS0108 LCD CONTROLLER DRIVER
M: Miguel Ojeda Sandonis <miguel.ojeda.sandonis@gmail.com>
S: Maintained
@@ -236,6 +236,7 @@ source "security/tomoyo/Kconfig"
source "security/apparmor/Kconfig"
source "security/loadpin/Kconfig"
source "security/yama/Kconfig"
+source "security/krsi/Kconfig"
source "security/safesetid/Kconfig"
source "security/integrity/Kconfig"
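Review bot: The added `source "security/krsi/Kconfig"` line makes the option selectable, but no visible hunk adds `krsi` to the default string of `config LSM`, which appears to live in this same file outside the hunk. On kernels that use the ordered LSM list, a built-in LSM that is named neither in `CONFIG_LSM` nor in the `lsm=` boot parameter is disabled at boot. A kernel built with `CONFIG_SECURITY_KRSI=y` could therefore run without the module and give no obvious sign of it. If that is not intended, add `krsi` to the `LSM` default string, or state in the `SECURITY_KRSI` help text that it must be enabled through `lsm=`.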
@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
+subdir-$(CONFIG_SECURITY_KRSI) += krsi
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
@@ -25,6 +26,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
+obj-$(CONFIG_SECURITY_KRSI) += krsi/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
new file mode 100644
@@ -0,0 +1,22 @@
+config SECURITY_KRSI
+ bool "Runtime Security Instrumentation (BPF-based MAC and audit policy)"
+ depends on SECURITY
+ depends on SECURITYFS
+ depends on BPF
+ depends on BPF_SYSCALL
+ help
+ This selects the Kernel Runtime Security Instrumentation
+ LSM which allows dynamic instrumentation of the security hooks with
+ eBPF programs. The LSM creates per-hook files in securityfs to which
+ eBPF programs can be attached.
+
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_KRSI_ENFORCE
+ bool "Deny operations based on the evaluation of the attached programs"
+ depends on SECURITY_KRSI
+ help
+ eBPF programs attached to hooks can be used for both auditing and
+ enforcement. Enabling enforcement implies that the evaluation result
+ from the attached eBPF programs will allow and deny the operation
+ guarded by the security hook.
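Review bot: The help text of `SECURITY_KRSI_ENFORCE` does not say what happens when the option is off, and "will allow and deny the operation" reads as if both outcomes occur together. Because this switch decides whether an attached program can block an operation, describe both states, for example `When disabled, attached programs are used for auditing only and cannot deny an operation.`, if that is the intended behaviour; the patch does not show it. Close the entry with `If you are unsure how to answer this question, answer N.`, as the `SECURITY_KRSI` entry does. The `SECURITY_KRSI` help could also state which privilege is required to attach a program to the per-hook securityfs files, which is not visible here.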
new file mode 100644
@@ -0,0 +1 @@
+obj-$(CONFIG_SECURITY_KRSI) := krsi.o
new file mode 100644
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/lsm_hooks.h>
+
+static int krsi_process_execution(struct linux_binprm *bprm)
+{
+ return 0;
+}
+
+static struct security_hook_list krsi_hooks[] __lsm_ro_after_init = {
+ LSM_HOOK_INIT(bprm_check_security, krsi_process_execution),
+};
+
+static int __init krsi_init(void)
+{
+ security_add_hooks(krsi_hooks, ARRAY_SIZE(krsi_hooks), "krsi");
+ pr_info("eBPF and LSM are friends now.\n");
+ return 0;
+}
+
+DEFINE_LSM(krsi) = {
+ .name = "krsi",
+ .init = krsi_init,
+};
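Review bot: `krsi_process_execution` returns 0 unconditionally and carries no comment, so a reader cannot tell that the `bprm_check_security` hook is a placeholder that permits every execution. Add a comment above it such as `/* Placeholder: always allows the exec; no eBPF program is evaluated yet. */`. `CONFIG_SECURITY_KRSI_ENFORCE` is not referenced anywhere in this file, so both Kconfig settings currently behave the same; presumably a later patch wires it up. The boot message in `krsi_init` does not identify the module; define `#define pr_fmt(fmt) "krsi: " fmt` before the includes and log something searchable such as `pr_info("initialized\n");`.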