On 24-Mär 10:35, Stephen Smalley wrote: > On Mon, Mar 23, 2020 at 12:46 PM KP Singh <kpsingh@xxxxxxxxxxxx> wrote: > > > > From: KP Singh <kpsingh@xxxxxxxxxx> > > > > JITed BPF programs are dynamically attached to the LSM hooks > > using BPF trampolines. The trampoline prologue generates code to handle > > conversion of the signature of the hook to the appropriate BPF context. > > > > The allocated trampoline programs are attached to the nop functions > > initialized as LSM hooks. > > > > BPF_PROG_TYPE_LSM programs must have a GPL compatible license and > > and need CAP_SYS_ADMIN (required for loading eBPF programs). > > > > Upon attachment: > > > > * A BPF fexit trampoline is used for LSM hooks with a void return type. > > * A BPF fmod_ret trampoline is used for LSM hooks which return an > > int. The attached programs can override the return value of the > > bpf LSM hook to indicate a MAC Policy decision. > > > > Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx> > > Reviewed-by: Brendan Jackman <jackmanb@xxxxxxxxxx> > > Reviewed-by: Florent Revest <revest@xxxxxxxxxx> > > --- > > > diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c > > index 530d137f7a84..2a8131b640b8 100644 > > --- a/kernel/bpf/bpf_lsm.c > > +++ b/kernel/bpf/bpf_lsm.c > > @@ -9,6 +9,9 @@ > > #include <linux/btf.h> > > #include <linux/lsm_hooks.h> > > #include <linux/bpf_lsm.h> > > +#include <linux/jump_label.h> > > +#include <linux/kallsyms.h> > > +#include <linux/bpf_verifier.h> > > > > /* For every LSM hook that allows attachment of BPF programs, declare a NOP > > * function where a BPF program can be attached as an fexit trampoline. > > @@ -27,6 +30,32 @@ noinline __weak void bpf_lsm_##NAME(__VA_ARGS__) {} > > #include <linux/lsm_hook_names.h> > > #undef LSM_HOOK > > > > +#define BPF_LSM_SYM_PREFX "bpf_lsm_" > > + > > +int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog, > > + const struct bpf_prog *prog) > > +{ > > + /* Only CAP_MAC_ADMIN users are allowed to make changes to LSM hooks > > + */ > > + if (!capable(CAP_MAC_ADMIN)) > > + return -EPERM; > > I had asked before, and will ask again: please provide an explicit LSM > hook for mediating whether one can make changes to the LSM hooks. > Neither CAP_MAC_ADMIN nor CAP_SYS_ADMIN suffices to check this for SELinux. What do you think about: int security_check_mutable_hooks(void) Do you have any suggestions on the signature of this hook? Does this hook need to be BPF specific? - KP