Commit fc611f47 authored by KP Singh's avatar KP Singh Committed by Daniel Borkmann
Browse files

bpf: Introduce BPF_PROG_TYPE_LSM 



Introduce types and configs for bpf programs that can be attached to
LSM hooks. The programs can be enabled by the config option
CONFIG_BPF_LSM.

Signed-off-by: default avatarKP Singh <kpsingh@google.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Reviewed-by: default avatarBrendan Jackman <jackmanb@google.com>
Reviewed-by: default avatarFlorent Revest <revest@google.com>
Reviewed-by: default avatarThomas Garnier <thgarnie@google.com>
Acked-by: default avatarYonghong Song <yhs@fb.com>
Acked-by: default avatarAndrii Nakryiko <andriin@fb.com>
Acked-by: default avatarJames Morris <jamorris@linux.microsoft.com>
Link: https://lore.kernel.org/bpf/20200329004356.27286-2-kpsingh@chromium.org
parent e5fb60ee

MAINTAINERS

+1 −0
Original line number Diff line number Diff line
@@ -3147,6 +3147,7 @@ R: Martin KaFai Lau <kafai@fb.com> 
R:	Song Liu <songliubraving@fb.com>

R:	Yonghong Song <yhs@fb.com>

R:	Andrii Nakryiko <andriin@fb.com>

R:	KP Singh <kpsingh@chromium.org>

L:	netdev@vger.kernel.org

L:	bpf@vger.kernel.org

T:	git git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git

include/linux/bpf.h

+3 −0
Original line number Diff line number Diff line
@@ -1515,6 +1515,9 @@ extern const struct bpf_func_proto bpf_tcp_sock_proto; 
extern const struct bpf_func_proto bpf_jiffies64_proto;

extern const struct bpf_func_proto bpf_get_ns_current_pid_tgid_proto;



const struct bpf_func_proto *bpf_tracing_func_proto(

	enum bpf_func_id func_id, const struct bpf_prog *prog);



/* Shared helpers among cBPF and eBPF. */

void bpf_user_rnd_init_once(void);

u64 bpf_user_rnd_u32(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5);

include/linux/bpf_types.h

+4 −0
Original line number Diff line number Diff line
@@ -70,6 +70,10 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_STRUCT_OPS, bpf_struct_ops, 
	      void *, void *)

BPF_PROG_TYPE(BPF_PROG_TYPE_EXT, bpf_extension,

	      void *, void *)

#ifdef CONFIG_BPF_LSM

BPF_PROG_TYPE(BPF_PROG_TYPE_LSM, lsm,

	       void *, void *)

#endif /* CONFIG_BPF_LSM */

#endif



BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops)

include/uapi/linux/bpf.h

+2 −0
Original line number Diff line number Diff line
@@ -181,6 +181,7 @@ enum bpf_prog_type { 
	BPF_PROG_TYPE_TRACING,

	BPF_PROG_TYPE_STRUCT_OPS,

	BPF_PROG_TYPE_EXT,

	BPF_PROG_TYPE_LSM,

};



enum bpf_attach_type {
@@ -211,6 +212,7 @@ enum bpf_attach_type { 
	BPF_TRACE_FENTRY,

	BPF_TRACE_FEXIT,

	BPF_MODIFY_RETURN,

	BPF_LSM_MAC,

	__MAX_BPF_ATTACH_TYPE

};

init/Kconfig

+12 −0
Original line number Diff line number Diff line
@@ -1616,6 +1616,18 @@ config KALLSYMS_BASE_RELATIVE 
# end of the "standard kernel features (expert users)" menu



# syscall, maps, verifier



config BPF_LSM

	bool "LSM Instrumentation with BPF"

	depends on BPF_SYSCALL

	depends on SECURITY

	depends on BPF_JIT

	help

	  Enables instrumentation of the security hooks with eBPF programs for

	  implementing dynamic MAC and Audit Policies.



	  If you are unsure how to answer this question, answer N.



config BPF_SYSCALL

	bool "Enable bpf() system call"

	select BPF

CRA Git | Maintained and supported by SUSTech CRA and CCSE