On Fri, Feb 28, 2025 at 8:53 AM Blaise Boscaccy <bboscaccy@xxxxxxxxxxxxxxxxxxx> wrote: > > Certain bpf syscall subcommands are available for usage from both > userspace and the kernel. LSM modules or eBPF gatekeeper programs may > need to take a different course of action depending on whether or not > a BPF syscall originated from the kernel or userspace. > > Additionally, some of the bpf_attr struct fields contain pointers to > arbitrary memory. Currently the functionality to determine whether or > not a pointer refers to kernel memory or userspace memory is exposed > to the bpf verifier, but that information is missing from various LSM > hooks. > > Here we augment the LSM hooks to provide this data, by simply passing > a boolean flag indicating whether or not the call originated in the > kernel, in any hook that contains a bpf_attr struct that corresponds > to a subcommand that may be called from the kernel. > > Signed-off-by: Blaise Boscaccy <bboscaccy@xxxxxxxxxxxxxxxxxxx> > --- > include/linux/lsm_hook_defs.h | 6 +++--- > include/linux/security.h | 12 ++++++------ > kernel/bpf/syscall.c | 10 +++++----- > security/security.c | 17 ++++++++++------- > security/selinux/hooks.c | 6 +++--- > 5 files changed, 27 insertions(+), 24 deletions(-) tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c has a BPF program for security_bpf(), please also update it. > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index e2f1ce37c41ef..25f4e74c173be 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -426,14 +426,14 @@ LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) > #endif /* CONFIG_AUDIT */ > > #ifdef CONFIG_BPF_SYSCALL > -LSM_HOOK(int, 0, bpf, int cmd, union bpf_attr *attr, unsigned int size) > +LSM_HOOK(int, 0, bpf, int cmd, union bpf_attr *attr, bool is_kernel, unsigned int size) I think we should add is_kernel to the end of the argument list. This will cause fewer issues for existing users. Thanks, Song
