Thread (59 messages), 6 authors, 2020-03-25

Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs

From: KP Singh <hidden>
Date: 2020-03-24 16:12:18
Also in: bpf, lkml

On 24-Mar 11:39, KP Singh wrote:
On 23-Mar 12:59, Andrii Nakryiko wrote:
On Mon, Mar 23, 2020 at 9:45 AM KP Singh [off-list ref] wrote:
From: KP Singh <redacted>

When CONFIG_BPF_LSM is enabled, nops functions, bpf_lsm_<hook_name>, are
generated for each LSM hook. These nops are initialized as LSM hooks in
a subsequent patch.

Signed-off-by: KP Singh <redacted>
Reviewed-by: Brendan Jackman <jackmanb@google.com>
Reviewed-by: Florent Revest <redacted>
---
 include/linux/bpf_lsm.h | 21 +++++++++++++++++++++
 kernel/bpf/bpf_lsm.c    | 19 +++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 include/linux/bpf_lsm.h
diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
new file mode 100644
index 000000000000..c6423a140220
--- /dev/null
+++ b/include/linux/bpf_lsm.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (C) 2020 Google LLC.
+ */
+
+#ifndef _LINUX_BPF_LSM_H
+#define _LINUX_BPF_LSM_H
+
+#include <linux/bpf.h>
+#include <linux/lsm_hooks.h>
+
+#ifdef CONFIG_BPF_LSM
+
+#define LSM_HOOK(RET, NAME, ...) RET bpf_lsm_##NAME(__VA_ARGS__);
+#include <linux/lsm_hook_names.h>
+#undef LSM_HOOK
+
+#endif /* CONFIG_BPF_LSM */
+
+#endif /* _LINUX_BPF_LSM_H */
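Review bot: The prototype macro `#define LSM_HOOK(RET, NAME, ...) RET bpf_lsm_##NAME(__VA_ARGS__);` gives a hook entry that passes no arguments the expansion `RET bpf_lsm_NAME();`, which in C is a declaration without a prototype, so argument checking is lost for that hook. A short comment above the macro stating that entries in lsm_hook_names.h must spell out `void` for argument-less hooks, and that the list is meant to be re-included with LSM_HOOK redefined, would document the contract. The `#include <linux/bpf.h>` is not needed by anything visible in this header and could be dropped unless a later patch in the series relies on it.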
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 82875039ca90..530d137f7a84 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -7,6 +7,25 @@
 #include <linux/filter.h>
 #include <linux/bpf.h>
 #include <linux/btf.h>
+#include <linux/lsm_hooks.h>
+#include <linux/bpf_lsm.h>
+
+/* For every LSM hook  that allows attachment of BPF programs, declare a NOP
+ * function where a BPF program can be attached as an fexit trampoline.
+ */
+#define LSM_HOOK(RET, NAME, ...) LSM_HOOK_##RET(NAME, __VA_ARGS__)
+
+#define LSM_HOOK_int(NAME, ...)                        \
+noinline __weak int bpf_lsm_##NAME(__VA_ARGS__)        \
+{                                              \
+       return 0;                               \
+}
+
+#define LSM_HOOK_void(NAME, ...) \
+noinline __weak void bpf_lsm_##NAME(__VA_ARGS__) {}
+
Could unify with:

#define LSM_HOOK(RET, NAME, ...) \
noinline __weak RET bpf_lsm_##NAME(__VA_ARGS__) \
{ \
    return (RET)0; \
}

then you don't need LSM_HOOK_int and LSM_HOOK_void.

Nice.

But, given that we are adding default values and that
they are only needed for int hooks, we will need to keep the macros
separate for int and void. Or, am I missing a trick here?

- KP

Actually, was able to get it to work. Not setting a default for void
hooks makes the macros messier. So I just set it void. For example:

  LSM_HOOK(void, void, bprm_committing_creds, struct linux_binprm *bprm)

This also allows me to use the cleanup you suggested and not have
to split every usage into int and void.

- KP
+#include <linux/lsm_hook_names.h>
+#undef LSM_HOOK

 const struct bpf_prog_ops lsm_prog_ops = {
 };
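Review bot: The dispatch in `#define LSM_HOOK(RET, NAME, ...) LSM_HOOK_##RET(NAME, __VA_ARGS__)` only resolves when RET is exactly `int` or `void`; an entry in lsm_hook_names.h with any other return type expands to an undefined `LSM_HOOK_<type>` and fails with an unhelpful error, and a multi-token type cannot be pasted at all. Please state that restriction in the comment next to `LSM_HOOK_int` and `LSM_HOOK_void`, or fold both into one macro so the limitation goes away. The block comment also says "declare" where these are definitions, and has a doubled space in "hook  that".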
--
2.20.1
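
The X-macro pattern this thread discusses, as an added userspace example that is not part of the patch or of any message in the thread: one hook list is expanded into prototypes, into weak no-op stubs that return a per-hook default, and into a name table. The `demo_*` hook names, the `DEMO_HOOKS` list, `RET_VOID` and the default values are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: spelling of the "no default" value for void hooks. */
#define RET_VOID ((void)0)

/* Constructed hook list (hypothetical names), standing in for a hook-name
 * header that is re-included with a different LSM_HOOK each time.
 * Entry shape: X(RET, DEFAULT, NAME, args...); -95 is a constructed default. */
#define DEMO_HOOKS(X)                                              \
    X(int,  0,        demo_file_open, const char *path, int flags) \
    X(int,  -95,      demo_getsecurity, const char *name)          \
    X(void, RET_VOID, demo_committing_creds, int pid)

/* Expansion 1: prototypes, as a header would declare them. */
#define DECLARE_HOOK(RET, DEFAULT, NAME, ...) RET NAME(__VA_ARGS__);
DEMO_HOOKS(DECLARE_HOOK)

/* Expansion 2: one macro for int and void hooks alike. Each stub is a weak,
 * non-inlined no-op that returns the entry's default. For void hooks this
 * relies on GCC/Clang accepting `return (void)0;` in a void function. */
#define DEFINE_HOOK(RET, DEFAULT, NAME, ...)              \
    __attribute__((noinline, weak)) RET NAME(__VA_ARGS__) \
    {                                                     \
        return DEFAULT;                                   \
    }
DEMO_HOOKS(DEFINE_HOOK)

/* Expansion 3: the same list yields a name table, so a requested attach
 * target can be checked against the hooks that actually exist. */
#define HOOK_NAME(RET, DEFAULT, NAME, ...) #NAME,
static const char *const demo_hook_names[] = { DEMO_HOOKS(HOOK_NAME) };

/* Returns the list position of a hook name, or -1 if it is not a hook. */
int demo_hook_index(const char *name)
{
    size_t n = sizeof(demo_hook_names) / sizeof(demo_hook_names[0]);

    for (size_t i = 0; i < n; i++)
        if (strcmp(demo_hook_names[i], name) == 0)
            return (int)i;
    return -1;
}
```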