Thread: 59 messages, 6 authors, 2020-03-25

Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution

From: KP Singh <hidden>
Date: 2020-03-23 19:44:37
Also in: bpf, lkml

On 23-Mar 12:16, Yonghong Song wrote:

On 3/23/20 9:44 AM, KP Singh wrote:
From: KP Singh <redacted>

JITed BPF programs are dynamically attached to the LSM hooks
using BPF trampolines. The trampoline prologue generates code to handle
conversion of the signature of the hook to the appropriate BPF context.

The allocated trampoline programs are attached to the nop functions
initialized as LSM hooks.

BPF_PROG_TYPE_LSM programs must have a GPL compatible license and
need CAP_SYS_ADMIN (required for loading eBPF programs).

Upon attachment:

* A BPF fexit trampoline is used for LSM hooks with a void return type.
* A BPF fmod_ret trampoline is used for LSM hooks which return an
   int. The attached programs can override the return value of the
   bpf LSM hook to indicate a MAC Policy decision.

Signed-off-by: KP Singh <redacted>
Reviewed-by: Brendan Jackman <jackmanb@google.com>
Reviewed-by: Florent Revest <redacted>
---
  include/linux/bpf.h     |  4 ++++
  include/linux/bpf_lsm.h | 11 +++++++++++
  kernel/bpf/bpf_lsm.c    | 29 +++++++++++++++++++++++++++++
  kernel/bpf/btf.c        |  9 ++++++++-
  kernel/bpf/syscall.c    | 26 ++++++++++++++++++++++----
  kernel/bpf/trampoline.c | 17 +++++++++++++----
  kernel/bpf/verifier.c   | 19 +++++++++++++++----
  7 files changed, 102 insertions(+), 13 deletions(-)
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index af81ec7b783c..adf2e5a6de4b 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -433,6 +433,10 @@ struct btf_func_model {
   * programs only. Should not be used with normal calls and indirect calls.
   */
  #define BPF_TRAMP_F_SKIP_FRAME		BIT(2)
+/* Override the return value of the original function. This flag only makes
+ * sense for fexit trampolines.
+ */
+#define BPF_TRAMP_F_OVERRIDE_RETURN     BIT(3)

Whether the return value is overridable is determined by hook return type as
below. Do we still need this flag?

Apologies, this is a relic and should not have been there, will send a
new revision with this removed.

- KP
  /* Each call __bpf_prog_enter + call bpf_func + call __bpf_prog_exit is ~50
   * bytes on x86.  Pick a number to fit into BPF_IMAGE_SIZE / 2
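Review bot: The comment on the new BPF_TRAMP_F_OVERRIDE_RETURN define in include/linux/bpf.h says the flag only makes sense for fexit trampolines, but the commit message assigns fexit to hooks with a void return type and does the return-value override through fmod_ret for hooks that return an int, so the comment describes a case with no return value to override. Since overridability is already decided by the hook's return type, the define looks unused and is better dropped from this hunk; if it stays, the comment should name fmod_ret. The define is also aligned with spaces before BIT(3), while BPF_TRAMP_F_SKIP_FRAME just above it uses tabs.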
[...]