bpf: lsm: Provide attachment points for BPF LSM programs (9d3fdea7) · Commits · 戴 / test

When CONFIG_BPF_LSM is enabled, nop functions, bpf_lsm_<hook_name>, are generated for each LSM hook. These functions are initialized as LSM hooks in a subsequent patch. Signed-off-by:

KP Singh <kpsingh@google.com> Signed-off-by:

Daniel Borkmann <daniel@iogearbox.net> Reviewed-by:

Brendan Jackman <jackmanb@google.com> Reviewed-by:

Florent Revest <revest@google.com> Reviewed-by:

Kees Cook <keescook@chromium.org> Acked-by:

Yonghong Song <yhs@fb.com> Acked-by:

James Morris <jamorris@linux.microsoft.com> Link: https://lore.kernel.org/bpf/20200329004356.27286-4-kpsingh@chromium.org

include/linux/bpf_lsm.h

0 → 100644

+22 −0

Original line number	Diff line number	Diff line
		/* SPDX-License-Identifier: GPL-2.0 */

		/*
		* Copyright (C) 2020 Google LLC.
		*/

		#ifndef _LINUX_BPF_LSM_H
		#define _LINUX_BPF_LSM_H

		#include <linux/bpf.h>
		#include <linux/lsm_hooks.h>

		#ifdef CONFIG_BPF_LSM

		#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
		RET bpf_lsm_##NAME(__VA_ARGS__);
		#include <linux/lsm_hook_defs.h>
		#undef LSM_HOOK

		#endif /* CONFIG_BPF_LSM */

		#endif /* _LINUX_BPF_LSM_H */

kernel/bpf/bpf_lsm.c

+14 −0

Original line number	Diff line number	Diff line
		@@ -7,6 +7,20 @@
		#include <linux/filter.h>
		#include <linux/bpf.h>
		#include <linux/btf.h>
		#include <linux/lsm_hooks.h>
		#include <linux/bpf_lsm.h>

		/* For every LSM hook that allows attachment of BPF programs, declare a nop
		* function where a BPF program can be attached.
		*/
		#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
		noinline RET bpf_lsm_##NAME(__VA_ARGS__) \
		{ \
		return DEFAULT; \
		}

		#include <linux/lsm_hook_defs.h>
		#undef LSM_HOOK

		const struct bpf_prog_ops lsm_prog_ops = {
		};

Admin message