Message ID | Zbt16HS-9x8YPZNz@google.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Series | [bpf-next] bpf: add security_file_mprotect() to sleepable_lsm_hooks BTF set |

On Thu, Feb 01, 2024 at 10:43:52AM +0000, Matt Bobrowski wrote:
> security_file_mprotect() is missing from the sleepable_lsm_hooks BTF
> set. Add it so that operations performed by a BPF program which may
> result in the thread being put to sleep are permitted.
>
> Building a kernel with the DEBUG_ATOMIC_SLEEP configuration option
> enabled and running reasonable workloads stimulating a BPF program
> attached to security_file_mprotect() which could end up performing an
> operation that could sleep resulted in no splats.

Actually, no, please disregard this patch. It was only a matter of timing before something had popped up. This was sent out far too prematurely and I failed to realize that __bpf_prog_enter_sleepable() calls might_fault() and security_file_mprotect() is being called from a context whereby a mmap_lock is already being held.

In essence, this also means that it's not possible to run sleepable BPF programs in contexts where a mmap_lock is already held as the page fault handler also attempts to take the mmap_lock, and we all know what happens when you have the same thread attempting to acquire the same lock whilst already holding that lock.

> Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
> ---
> kernel/bpf/bpf_lsm.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c > index 68240c3c6e7d..da52c955f3ca 100644 > --- a/kernel/bpf/bpf_lsm.c > +++ b/kernel/bpf/bpf_lsm.c > @@ -277,10 +277,13 @@ BTF_ID(func, bpf_lsm_bprm_creds_from_file) > BTF_ID(func, bpf_lsm_capget) > BTF_ID(func, bpf_lsm_capset) > BTF_ID(func, bpf_lsm_cred_prepare) > + > BTF_ID(func, bpf_lsm_file_ioctl) > BTF_ID(func, bpf_lsm_file_lock) > BTF_ID(func, bpf_lsm_file_open) > BTF_ID(func, bpf_lsm_file_receive) > +BTF_ID(func, bpf_lsm_mmap_file) > +BTF_ID(func, bpf_lsm_file_mprotect) > > BTF_ID(func, bpf_lsm_inode_create) > BTF_ID(func, bpf_lsm_inode_free_security) 
> @@ -316,7 +319,6 @@ BTF_ID(func, bpf_lsm_path_chown) > BTF_ID(func, bpf_lsm_key_free) > #endif /* CONFIG_KEYS */ > > -BTF_ID(func, bpf_lsm_mmap_file) > BTF_ID(func, bpf_lsm_netlink_send) > BTF_ID(func, bpf_lsm_path_notify) > BTF_ID(func, bpf_lsm_release_secctx) > -- > 2.43.0.429.g432eaa2c6b-goog /M
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 68240c3c6e7d..da52c955f3ca 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -277,10 +277,13 @@ BTF_ID(func, bpf_lsm_bprm_creds_from_file) BTF_ID(func, bpf_lsm_capget) BTF_ID(func, bpf_lsm_capset) BTF_ID(func, bpf_lsm_cred_prepare) + BTF_ID(func, bpf_lsm_file_ioctl) BTF_ID(func, bpf_lsm_file_lock) BTF_ID(func, bpf_lsm_file_open) BTF_ID(func, bpf_lsm_file_receive) +BTF_ID(func, bpf_lsm_mmap_file) +BTF_ID(func, bpf_lsm_file_mprotect) BTF_ID(func, bpf_lsm_inode_create) BTF_ID(func, bpf_lsm_inode_free_security) @@ -316,7 +319,6 @@ BTF_ID(func, bpf_lsm_path_chown) BTF_ID(func, bpf_lsm_key_free) #endif /* CONFIG_KEYS */ -BTF_ID(func, bpf_lsm_mmap_file) BTF_ID(func, bpf_lsm_netlink_send) BTF_ID(func, bpf_lsm_path_notify) BTF_ID(func, bpf_lsm_release_secctx)
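Review bot: the added BTF_ID(func, bpf_lsm_file_mprotect) entry in the first hunk (@@ -277,10 +277,13 @@) should be dropped. The follow-up in this thread states that security_file_mprotect() is called with mmap_lock already held and that __bpf_prog_enter_sleepable() calls might_fault(), so a sleepable program on this hook can fault and try to take the lock its own thread is holding. The blank line added after BTF_ID(func, bpf_lsm_cred_prepare) in the same hunk is unrelated whitespace and is better left out.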
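Review bot: the removal of BTF_ID(func, bpf_lsm_mmap_file) in the second hunk (@@ -316,7 +319,6 @@), paired with its re-addition beside the bpf_lsm_file_* entries, is a reordering that the commit message never mentions. Either state in the changelog that mmap_file is being moved into the file group, or split the move into its own patch so that the functional change is a single added line.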

security_file_mprotect() is missing from the sleepable_lsm_hooks BTF set. Add it so that operations performed by a BPF program which may result in the thread being put to sleep are permitted.

Building a kernel with the DEBUG_ATOMIC_SLEEP configuration option enabled and running reasonable workloads stimulating a BPF program attached to security_file_mprotect() which could end up performing an operation that could sleep resulted in no splats.

Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
---
 kernel/bpf/bpf_lsm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)