On Thu, Oct 05, 2023 at 06:07:28PM +0200, KP Singh wrote: SNIP
> diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
> index df9699bce372..4f31384b5637 100644
> --- a/kernel/bpf/trampoline.c
> +++ b/kernel/bpf/trampoline.c
> @@ -511,11 +511,30 @@ static enum bpf_tramp_prog_type
> bpf_attach_type_to_tramp(struct bpf_prog *prog)
> }
> }
>
> +static void bpf_trampoline_toggle_lsm(struct bpf_trampoline *tr,
> + enum bpf_tramp_prog_type kind)
> +{
> + struct bpf_tramp_link *link;
> + volatile bool found = false;
> +
> + /* Loop through the links and if any LSM program is attached, ensure
> + * that the hook is enabled.
> + */
> + hlist_for_each_entry(link, &tr->progs_hlist[kind], tramp_hlist) {
> + if (link->link.prog->type == BPF_PROG_TYPE_LSM) {
> + found = true;
> + break;
> + }
> + }
> +
> + bpf_lsm_toggle_hook(tr->func.addr, found);
> +}
> +
> static int __bpf_trampoline_link_prog(struct bpf_tramp_link *link,
> struct bpf_trampoline *tr)
> {
> enum bpf_tramp_prog_type kind;
> struct bpf_tramp_link *link_exiting;
> - int err = 0, num_lsm_progs = 0;
> + int err = 0;
> int cnt = 0, i;
>
> kind = bpf_attach_type_to_tramp(link->link.prog);
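Review bot: The `volatile` qualifier on `found` in bpf_trampoline_toggle_lsm() does no useful work: the variable is a plain local that is written and read only inside this function, and kernel style discourages `volatile` for anything that is not a device-style access, so `bool found = false;` is enough. The helper also walks `tr->progs_hlist[kind]` without taking any lock of its own, and the hook state it sets decides whether the BPF LSM callback is consulted at all, so a short comment naming the lock callers must hold would make that contract explicit; which lock that is cannot be seen from this hunk.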
> @@ -547,15 +566,14 @@ static int __bpf_trampoline_link_prog(struct
> bpf_tramp_link *link, struct bpf_tr
> /* prog already linked */
> return -EBUSY;
>
> - if (link_exiting->link.prog->type == BPF_PROG_TYPE_LSM)
> - num_lsm_progs++;
> }
>
> - if (!num_lsm_progs && link->link.prog->type == BPF_PROG_TYPE_LSM)
> - bpf_lsm_toggle_hook(tr->func.addr, true);
> -
> hlist_add_head(&link->tramp_hlist, &tr->progs_hlist[kind]);
> tr->progs_cnt[kind]++;
> +
> + if (link->link.prog->type == BPF_PROG_TYPE_LSM)
> + bpf_trampoline_toggle_lsm(tr, kind);
how about keeping BPF_PROG_TYPE_LSM progs type count of attached programs in bpf_trampoline and toggle lsm on first coming in and last going out? also the trampoline attach is actually made in bpf_trampoline_update, so I wonder it'd make more sense to put it in there, but it's already complicated, so it actually might be easier in here jirka
> +
> err = bpf_trampoline_update(tr, true /* lock_direct_mutex */);
> if (err) {
> hlist_del_init(&link->tramp_hlist);
> @@ -578,7 +596,6 @@ static int __bpf_trampoline_unlink_prog(struct
> bpf_tramp_link *link, struct bpf_
> {
> struct bpf_tramp_link *link_exiting;
> enum bpf_tramp_prog_type kind;
> - bool lsm_link_found = false;
> int err, num_lsm_progs = 0;
>
> kind = bpf_attach_type_to_tramp(link->link.prog);
> @@ -595,18 +612,14 @@ static int __bpf_trampoline_unlink_prog(struct
> bpf_tramp_link *link, struct bpf_
> tramp_hlist) {
> if (link_exiting->link.prog->type == BPF_PROG_TYPE_LSM)
> num_lsm_progs++;
> - 
> - if (link_exiting->link.prog == link->link.prog)
> - lsm_link_found = true;
> }
> }
>
> hlist_del_init(&link->tramp_hlist);
> tr->progs_cnt[kind]--;
>
> - if (lsm_link_found && num_lsm_progs == 1)
> - bpf_lsm_toggle_hook(tr->func.addr, false);
> -
> + if (link->link.prog->type == BPF_PROG_TYPE_LSM)
> + bpf_trampoline_toggle_lsm(tr, kind);
> return bpf_trampoline_update(tr, true /* lock_direct_mutex */);
> }
>
>
> - KP
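Review bot: The `if (err)` rollback after bpf_trampoline_update() in __bpf_trampoline_link_prog() removes the link with `hlist_del_init()` but, in the lines visible here, never re-evaluates the hook state. A failed attach of the first LSM program may therefore leave the LSM hook enabled with no LSM program on the trampoline. Because the new helper derives the state from the list, the rollback can call it again after the delete: `if (link->link.prog->type == BPF_PROG_TYPE_LSM) bpf_trampoline_toggle_lsm(tr, kind);`. The error branch continues past the end of the hunk, so confirm it does not already do this.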
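Review bot: `num_lsm_progs` in __bpf_trampoline_unlink_prog() is left dead by this change. Its only reader, `if (lsm_link_found && num_lsm_progs == 1)`, is removed, yet the declaration `int err, num_lsm_progs = 0;` (kept as context in the previous hunk) and the `num_lsm_progs++` in the loop remain, which some compilers will flag as set-but-unused. Drop the counter, and the loop with it if counting was its only purpose. The loop header lies outside the hunk, so whether the loop does anything else cannot be confirmed from here.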