[RFC,bpf-next,seccomp,06/12] lsm: New hook seccomp_extended

Message ID	f7ebfa197042ec56628cecd29b5eedd8f0cfb9c3.1620499942.git.yifeifz2@illinois.edu (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: YiFei Zhu <zhuyifei1999@gmail.com> To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu <yifeifz2@illinois.edu>, linux-security-module@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>, Andrea Arcangeli <aarcange@redhat.com>, Andy Lutomirski <luto@amacapital.net>, Austin Kuo <hckuo2@illinois.edu>, Claudio Canella <claudio.canella@iaik.tugraz.at>, Daniel Borkmann <daniel@iogearbox.net>, Daniel Gruss <daniel.gruss@iaik.tugraz.at>, Dimitrios Skarlatos <dskarlat@cs.cmu.edu>, Giuseppe Scrivano <gscrivan@redhat.com>, Hubertus Franke <frankeh@us.ibm.com>, Jann Horn <jannh@google.com>, Jinghao Jia <jinghao7@illinois.edu>, Josep Torrellas <torrella@illinois.edu>, Kees Cook <keescook@chromium.org>, Sargun Dhillon <sargun@sargun.me>, Tianyin Xu <tyxu@illinois.edu>, Tobin Feldman-Fitzthum <tobin@ibm.com>, Tom Hromatka <tom.hromatka@oracle.com>, Will Drewry <wad@chromium.org> Subject: [RFC PATCH bpf-next seccomp 06/12] lsm: New hook seccomp_extended Date: Mon, 10 May 2021 12:22:43 -0500 Message-Id: <f7ebfa197042ec56628cecd29b5eedd8f0cfb9c3.1620499942.git.yifeifz2@illinois.edu> In-Reply-To: <cover.1620499942.git.yifeifz2@illinois.edu> References: <cover.1620499942.git.yifeifz2@illinois.edu> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	eBPF seccomp filters \| expand [RFC,bpf-next,seccomp,00/12] eBPF seccomp filters [RFC,bpf-next,seccomp,01/12] seccomp: Move no_new_privs check to after prepare_filter [RFC,bpf-next,seccomp,02/12] bpf, seccomp: Add eBPF filter capabilities [RFC,bpf-next,seccomp,03/12] seccomp, ptrace: Add a mechanism to retrieve attached eBPF seccomp fil… [RFC,bpf-next,seccomp,04/12] libbpf: recognize section "seccomp" [RFC,bpf-next,seccomp,05/12] samples/bpf: Add eBPF seccomp sample programs [RFC,bpf-next,seccomp,06/12] lsm: New hook seccomp_extended [RFC,bpf-next,seccomp,07/12] bpf/verifier: allow restricting direct map access [RFC,bpf-next,seccomp,08/12] seccomp-ebpf: restrict filter to almost cBPF if LSM request such [RFC,bpf-next,seccomp,09/12] yama: (concept) restrict seccomp-eBPF with ptrace_scope [RFC,bpf-next,seccomp,10/12] seccomp-ebpf: Add ability to read user memory [RFC,bpf-next,seccomp,11/12] bpf/verifier: support NULL-able ptr to BTF ID as helper argument [RFC,bpf-next,seccomp,12/12] seccomp-ebpf: support task storage from BPF-LSM, defaulting to group l…

Message ID

f7ebfa197042ec56628cecd29b5eedd8f0cfb9c3.1620499942.git.yifeifz2@illinois.edu (mailing list archive)

State

New, archived

Headers

From: YiFei Zhu <zhuyifei1999@gmail.com>
To: containers@lists.linux.dev, bpf@vger.kernel.org
Cc: YiFei Zhu <yifeifz2@illinois.edu>,
        linux-security-module@vger.kernel.org,
        Alexei Starovoitov <ast@kernel.org>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Austin Kuo <hckuo2@illinois.edu>,
        Claudio Canella <claudio.canella@iaik.tugraz.at>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Daniel Gruss <daniel.gruss@iaik.tugraz.at>,
        Dimitrios Skarlatos <dskarlat@cs.cmu.edu>,
        Giuseppe Scrivano <gscrivan@redhat.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Jann Horn <jannh@google.com>,
        Jinghao Jia <jinghao7@illinois.edu>,
        Josep Torrellas <torrella@illinois.edu>,
        Kees Cook <keescook@chromium.org>,
        Sargun Dhillon <sargun@sargun.me>,
        Tianyin Xu <tyxu@illinois.edu>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>,
        Tom Hromatka <tom.hromatka@oracle.com>,
        Will Drewry <wad@chromium.org>
Subject: [RFC PATCH bpf-next seccomp 06/12] lsm: New hook seccomp_extended
Date: Mon, 10 May 2021 12:22:43 -0500
Message-Id: 
 <f7ebfa197042ec56628cecd29b5eedd8f0cfb9c3.1620499942.git.yifeifz2@illinois.edu>
In-Reply-To: <cover.1620499942.git.yifeifz2@illinois.edu>
References: <cover.1620499942.git.yifeifz2@illinois.edu>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

eBPF seccomp filters | expand

Commit Message

YiFei Zhu May 10, 2021, 5:22 p.m. UTC

From: YiFei Zhu <yifeifz2@illinois.edu>

This hooks takes no argument, and returns 0 if the current task is
permitted to use extended seccomp-eBPF features, or -errno if it is
not permitted.

Signed-off-by: YiFei Zhu <yifeifz2@illinois.edu>
---
 include/linux/lsm_hook_defs.h |  4 ++++
 include/linux/security.h      | 13 +++++++++++++
 security/security.c           |  8 ++++++++
 3 files changed, 25 insertions(+)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 61f04f7dc1a4..94e18d95e1cc 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -391,6 +391,10 @@  LSM_HOOK(int, 0, bpf_map_alloc_security, struct bpf_map *map)
 LSM_HOOK(void, LSM_RET_VOID, bpf_map_free_security, struct bpf_map *map)
 LSM_HOOK(int, 0, bpf_prog_alloc_security, struct bpf_prog_aux *aux)
 LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux)
+
+#ifdef CONFIG_SECCOMP_FILTER_EXTENDED
+LSM_HOOK(int, 0, seccomp_extended, void)
+#endif /* CONFIG_SECCOMP_FILTER_EXTENDED */
 #endif /* CONFIG_BPF_SYSCALL */
 
 LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
diff --git a/include/linux/security.h b/include/linux/security.h
index 9aeda3f9e838..8e98dd98ac90 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1960,6 +1960,11 @@  extern int security_bpf_map_alloc(struct bpf_map *map);
 extern void security_bpf_map_free(struct bpf_map *map);
 extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
 extern void security_bpf_prog_free(struct bpf_prog_aux *aux);
+
+#ifdef CONFIG_SECCOMP_FILTER_EXTENDED
+extern int security_seccomp_extended(void);
+#endif /* CONFIG_SECCOMP_FILTER_EXTENDED */
+
 #else
 static inline int security_bpf(int cmd, union bpf_attr *attr,
 					     unsigned int size)
@@ -1992,6 +1997,14 @@  static inline int security_bpf_prog_alloc(struct bpf_prog_aux *aux)
 
 static inline void security_bpf_prog_free(struct bpf_prog_aux *aux)
 { }
+
+#ifdef CONFIG_SECCOMP_FILTER_EXTENDED
+static inline int security_seccomp_extended(void)
+{
+	return 0;
+}
+#endif /* CONFIG_SECCOMP_FILTER_EXTENDED */
+
 #endif /* CONFIG_SECURITY */
 #endif /* CONFIG_BPF_SYSCALL */
 
diff --git a/security/security.c b/security/security.c
index 94383f83ba42..301afe76ffb2 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2553,6 +2553,14 @@  void security_bpf_prog_free(struct bpf_prog_aux *aux)
 {
 	call_void_hook(bpf_prog_free_security, aux);
 }
+
+#ifdef CONFIG_SECCOMP_FILTER_EXTENDED
+int security_seccomp_extended(void)
+{
+	return call_int_hook(seccomp_extended, 0);
+}
+#endif
+
 #endif /* CONFIG_BPF_SYSCALL */
 
 int security_locked_down(enum lockdown_reason what)

[RFC,bpf-next,seccomp,06/12] lsm: New hook seccomp_extended

Commit Message

Patch