From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook inode_copy_up_xattr to 0 or a negative error code.
Before:
- Hook inode_copy_up_xattr returns 0 when accepting xattr, 1 when
discarding xattr, -EOPNOTSUPP if it does not know xattr, or any
other negative
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook getprocattr to 0 or a negative error code.
Before:
- Hook getprocattr returns length of value on success or a negative
error code on failure.
After:
- Hook getprocattr returns 0 on success or a negative
From: Xu Kuohai
The return ranges of some bpf lsm test progs can not be deduced by
the verifier accurately. To avoid erroneous rejections, add explicit
return value checks for these progs.
Signed-off-by: Xu Kuohai
---
tools/testing/selftests/bpf/progs/err.h| 10
From: Xu Kuohai
A bpf prog returning a positive number attached to file_alloc_security
hook makes kernel panic.
This happens because file system can not filter out the positive number
returned by the LSM prog using IS_ERR, and misinterprets this positive
number as a file pointer.
Given that
From: Xu Kuohai
LSM BPF prog returning a positive number attached to the hook
file_alloc_security makes kernel panic.
Here is a panic log:
[ 441.235774] BUG: kernel NULL pointer dereference, address: 09
[ 441.236748] #PF: supervisor write access in kernel mode
[ 441.237429] #PF
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook key_getsecurity to 0 or a negative error code.
Before:
- Hook key_getsecurity returns length of value on success or a
negative error code on failure.
After:
- Hook key_getsecurity returns 0 on success or a
From: Xu Kuohai
Add verifier tests to check bpf lsm return values, output parameter
access and disabled hooks.
Signed-off-by: Xu Kuohai
---
.../selftests/bpf/prog_tests/verifier.c | 2 +
.../selftests/bpf/progs/verifier_lsm.c| 274 ++
2 files changed, 276
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook audit_rule_match to 0 or a negative error code.
Before:
- Hook audit_rule_match returns 1 if the rule matches, 0 if it does not,
and negative error code otherwise.
After:
- Hook audit_rule_match returns 0 on
From: Xu Kuohai
Add test for lsm tail call to ensure tail call can only be used between
bpf lsm progs attached to the same hook.
Signed-off-by: Xu Kuohai
---
.../selftests/bpf/prog_tests/test_lsm.c | 46 ++-
.../selftests/bpf/progs/lsm_tailcall.c| 34
From: Xu Kuohai
After checking lsm hook return range in verifier, the test case
"test_progs -t test_lsm" failed, and the failure log says:
libbpf: prog 'test_int_hook': BPF program load failed: Invalid argument
libbpf: prog 'test_int_hook': -- BEGIN PROG LOAD LO
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook setprocattr to 0 or a negative error code.
Before:
- Hook setprocattr returns the number of bytes written on success
or a negative error code on failure.
After:
- Hook setprocattr returns 0 on success or a
From: Xu Kuohai
bpf progs can be attached to kernel functions, and the attached functions
can take different parameters or return different return values. If
prog attached to one kernel function tail calls prog attached to another
kernel function, the ctx access or return value verification
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook vm_enough_memory to 0 or a negative error code.
Before:
- Hook vm_enough_memory returns 1 if permission is granted, 0 if not.
- LSM_RET_DEFAULT(vm_enough_memory_mm) is 1.
After:
- Hook vm_enough_memory
From: Xu Kuohai
Output parameters are used to refactor the LSM hook return values.
To make these hooks usable by bpf prog, it is necessary for bpf prog
to read and write these output return value parameters.
All return value parameters are added as the last parameter and are
always pointers to
From: Xu Kuohai
The compiler optimized the two bpf progs in token_lsm.c to make return
value from the bool variable in the "return -1" path, causing an
unexpected rejection:
0: R1=ctx() R10=fp0
; int BPF_PROG(bpf_token_capable, struct bpf_token *token, int cap) @
bpf_lsm.c:17
0: (
From: Xu Kuohai
With lsm return value check, the no-alu32 version test_libbpf_get_fd_by_id_opts
is rejected by the verifier, and the log says:
0: R1=ctx() R10=fp0
; int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode) @
test_libbpf_get_fd_by_id_opts.c:27
0: (b7) r0 = 0
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook getselfattr to 0 or a negative error code.
Before:
- Hook getselfattr returns number of attributes found on success
or a negative error code on failure.
After:
- Hook getselfattr returns 0 on success or a
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook inode_getsecurity to 0 or a negative error code.
Before:
- Hook inode_getsecurity returns size of buffer on success or a
negative error code on failure.
After:
- Hook inode_getsecurity returns 0 on success
From: Xu Kuohai
Add a disabled hooks list for BPF LSM. progs being attached to the
listed hooks will be rejected by the verifier.
Suggested-by: KP Singh
Signed-off-by: Xu Kuohai
---
kernel/bpf/bpf_lsm.c | 19 +--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook inode_listsecurity to 0 or a negative error code.
Before:
- Hook inode_listsecurity returns number of bytes used/required on
success or a negative error code on failure.
After:
- Hook inode_listsecurity
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook inode_need_killpriv to 0 or a negative error code.
Before:
- Both hook inode_need_killpriv and func security_inode_need_killpriv
return > 0 if security_inode_killpriv is required, 0 if not, and <
On 7/13/2024 1:56 AM, Alexei Starovoitov wrote:
On Thu, Jul 11, 2024 at 07:18:59PM +0800, Xu Kuohai wrote:
From: Xu Kuohai
Add a disabled hooks list for BPF LSM. progs being attached to the
listed hooks will be rejected by the verifier.
Suggested-by: KP Singh
Signed-off-by: Xu Kuohai
Xu
On 7/12/2024 9:31 PM, Simon Horman wrote:
On Thu, Jul 11, 2024 at 07:18:51PM +0800, Xu Kuohai wrote:
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook inode_getsecurity to 0 or a negative error code.
Before:
- Hook inode_getsecurity returns size of buffer
On 7/11/2024 10:15 PM, Serge Hallyn wrote:
Jul 11, 2024 06:14:09 Xu Kuohai :
From: Xu Kuohai
To be consistent with most LSM hooks, convert the return value of
hook inode_need_killpriv to 0 or a negative error code.
Before:
- Both hook inode_need_killpriv and func
On 7/19/2024 10:08 AM, Paul Moore wrote:
On Jul 11, 2024 Xu Kuohai wrote:
To be consistent with most LSM hooks, convert the return value of
hook audit_rule_match to 0 or a negative error code.
Before:
- Hook audit_rule_match returns 1 if the rule matches, 0 if it does not,
and negative error
On 7/19/2024 10:08 AM, Paul Moore wrote:
On Jul 11, 2024 Xu Kuohai wrote:
To be consistent with most LSM hooks, convert the return value of
hook getselfattr to 0 or a negative error code.
Before:
- Hook getselfattr returns number of attributes found on success
or a negative error code on