On Wed, 20 Jul 2016, Daniel Borkmann wrote:
On 07/19/2016 06:34 PM, Alexei Starovoitov wrote:
On Tue, Jul 19, 2016 at 01:17:53PM +0200, Daniel Borkmann wrote:
+ return -EINVAL;
+
+ /* Is this a user address, or a kernel address? */
+ if (!access_ok(VERIFY_WRITE, to,
ing that the active mm is the thread's mm
-A log message indicating the experimental nature of this helper
It does not include:
-A heuristic to determine if access_ok is broken, or if the platform
didn't implement it. It seems all platforms with MMUs implement it today,
and it seems clear
On Thu, Jul 21, 2016 at 01:00:51AM +0200, Daniel Borkmann wrote:
> On 07/20/2016 11:58 AM, Sargun Dhillon wrote:
> [...]
> >So, with that, what about the following:
> >It includes
> >-Desupporting no MMU platforms as we've deemed them incapable of being
> > sa
pace, as opposed to globally
v2->v3: Fixed formatting issues
v3->v4: Rename copy_to_user -> bpf_probe_write
Simplify checking of whether or not it's safe to write
Add warnings to dmesg
Sargun Dhillon (2):
bpf: Add bpf_probe_write BPF helper to be called in tracers (kprob
limit the address space
the probe can write into by checking the space with access_ok.
This is so the call doesn't sleep.
Given this feature is experimental, and has the risk of crashing
the system, we print a warning on invocation.
It was tested with the tracex7 program on x86-64.
Signed-off-
This example shows using a kprobe to act as a dnat mechanism to divert
traffic for arbitrary endpoints. It rewrites the arguments to a syscall
while they're still in userspace, and before the syscall has a chance
to copy the argument into kernel space.
Signed-off-by: Sargun Dhillon
Cc: A
On Fri, Jul 22, 2016 at 11:53:52AM +0200, Daniel Borkmann wrote:
> On 07/22/2016 04:14 AM, Alexei Starovoitov wrote:
> >On Thu, Jul 21, 2016 at 06:09:17PM -0700, Sargun Dhillon wrote:
> >>This allows user memory to be written to during the course of a kprobe.
> >>It sho
On Sat, Jul 23, 2016 at 12:35:12PM -0700, Alexei Starovoitov wrote:
> On Fri, Jul 22, 2016 at 05:05:27PM -0700, Sargun Dhillon wrote:
> > It was tested with the tracex7 program on x86-64.
>
> it's my fault to start tracexN tradition that turned out to be
> cumbersome
ail when helper is broken
Sargun Dhillon (2):
bpf: Add bpf_probe_write_user BPF helper to be called in tracers
samples/bpf: Add test/example of using bpf_probe_write_user bpf helper
include/uapi/linux/bpf.h | 10
kernel/trace/bpf_trace.c | 48
the risk of crashing the
system, we print a warning on first invocation, and the process name
on subsequent invocations.
It was tested with the tracex7 program on x86-64.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
include/uapi/linux/bpf.h | 10 ++
kern
ts as a test because the mapped
address is 255.255.255.255:555 -> real address, and that's not a legal
address to connect to. If the helper is broken, the example will fail.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
samples/bpf/Makefile
ad.
Given this feature is experimental, and has the risk of crashing the
system, we print a warning on installing a proglet that could invoke
this helper, along with the process name.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Acked-by: Alexei Starovoitov
---
include/u
probe beyond what
was done by hand.
Sargun Dhillon (2):
bpf: Add bpf_probe_write_user BPF helper to be called in tracers
samples/bpf: Add test/example of using bpf_probe_write_user bpf helper
include/uapi/linux/bpf.h | 10
kernel/trace/bpf_trace.c
LIBES_lathist += -lelf
HOSTLOADLIBES_offwaketime += -lelf
diff --git a/samples/bpf/test_probe_write_user_kern.c
b/samples/bpf/test_probe_write_user_kern.c
new file mode 100644
index 000..3a677c8
--- /dev/null
+++ b/samples/bpf/test_probe_write_user_kern.c
@@ -0,0 +1,52 @@
+/* Copyright (c) 2016 S
In kernel/bpf/syscall.c we restrict programs loading bpf kprobe programs so
attr.kern_version must be exactly equal to what the user is running at the
moment. This makes a lot of sense because kprobes can touch lots of
unstable bits of the kernel ABI.
Unfortunately, this makes it really difficu
I'm fine giving up the Checmate name. Landlock seems easy enough to
Google. I haven't gotten a chance to look through the entire patchset
yet, but it does seem like they are somewhat similar.
On Mon, Sep 19, 2016 at 5:12 PM, Alexei Starovoitov
wrote:
> On Thu, Sep 15, 2016 at 11:25:10PM +0200, Mi
On Thu, Sep 15, 2016 at 09:41:33PM +0200, Mickaël Salaün wrote:
>
> On 15/09/2016 06:48, Alexei Starovoitov wrote:
> > On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote:
> >> On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov
> >> wrote:
> >>> On Wed, Sep 14, 2016 at 09:08:57PM -07
On Thu, Aug 04, 2016 at 05:34:32PM +0800, zhuyj wrote:
> Sure.
> Is it better to add
> #ifndef CONFIG_PREEMPT_RCU ?
>
> On Thu, Aug 4, 2016 at 4:28 PM, Eric Dumazet wrote:
> > Please do not top post
> >
> > On Thu, 2016-08-04 at 16:08 +0800, zhuyj wrote:
> >> +void register_checmate_prog_ops(vo
On Mon, Aug 08, 2016 at 04:44:02PM -0700, Kees Cook wrote:
> On Thu, Aug 4, 2016 at 12:11 AM, Sargun Dhillon wrote:
> > I distributed this patchset to linux-security-mod...@vger.kernel.org
> > earlier,
> > but based on the fact that the archive is down, and this is a fair
This commit should have no functional change. It changes the security hook
list heads struct into an array. Additionally, it exposes all of the hooks
via an enum. This loses memory layout randomization as the enum is not
randomized.
Signed-off-by: Sargun Dhillon
---
include/linux/lsm_hooks.h
namic hooks, because
it is not read-only like the hooks which are loaded at runtime.
Some hooks are blacklisted, and attempting to load an LSM with any
of them in use will fail.
Signed-off-by: Sargun Dhillon
---
include/linux/lsm_hooks.h | 26 +-
security/Kconfig | 9 +++
security/in
l is fixed
* inode get/set security is removed
* xfrm singleton hook removed
Sargun Dhillon (3):
security: Refactor LSM hooks into an array and enum
security: Expose a mechanism to load lsm hooks dynamically at runtime
security: Add an example sample dynamic LSM
include/linux/lsm_hoo
This adds an example LSM that utilizes the features added by the
dynamically loadable LSMs patch. Once the module is unloaded, the
command is once again allowed. It prevents the user from running:
date --set="October 21 2015 16:29:00 PDT"
Signed-off-by: Sargun Dhillon
---
sampl
On Wed, Mar 7, 2018 at 9:45 AM, Casey Schaufler wrote:
> On 3/6/2018 11:23 PM, Sargun Dhillon wrote:
>> This commit should have no functional change. It changes the security hook
>> list heads struct into an array. Additionally, it exposes all of the hooks
>> via an enum. Thi
On Wed, Mar 7, 2018 at 9:59 AM, Casey Schaufler wrote:
> On 3/6/2018 11:23 PM, Sargun Dhillon wrote:
>> This patch adds dynamic security hooks. These hooks are designed to allow
>> for safe runtime loading.
>>
>> These hooks are only run after all built-in, and majo
On Wed, Mar 7, 2018 at 12:23 PM, Casey Schaufler wrote:
> On 3/7/2018 11:18 AM, Sargun Dhillon wrote:
>> On Wed, Mar 7, 2018 at 9:45 AM, Casey Schaufler
>> wrote:
>>> On 3/6/2018 11:23 PM, Sargun Dhillon wrote:
>>>> This commit should have no functional
On Thu, Apr 5, 2018 at 9:29 AM, Casey Schaufler wrote:
>
> On 4/5/2018 3:31 AM, Peter Dolding wrote:
> > On Thu, Apr 5, 2018 at 7:55 PM, Igor Stoppa wrote:
> >> On 01/04/18 08:41, Sargun Dhillon wrote:
> >>> The biggest security benefit of this patchset is th
isable NULL hook checking when unneeded
v1:
* Add SRCU to allow for code-unloading
* Add concurrency control around hook mutation
Sargun Dhillon (1):
security: Add mechanism to safely (un)load LSMs after boot time
include/linux/lsm_hooks.h | 36 ++--
security/Kconfig
hooks" which
is set to true by default, and if it is set to false, prevents the
LSM's LKM from being unloaded. It can also be set to false at runtime,
but once set to false, it cannot be reset to true.
Signed-off-by: Sargun Dhillon
Signed-off-by: Tetsuo Handa
---
include/linux/ls
On Sun, Apr 8, 2018 at 8:38 PM, Tetsuo Handa
wrote:
> Suggested changes on top of your patch:
>
> Replace "struct hlist_head *head" in "struct security_hook_list" with
> "const unsigned int offset" because there is no need to initialize with
> address of the immutable/mutable chains.
>
> R
On Sun, Apr 8, 2018 at 10:25 PM, Tetsuo Handa
wrote:
> Sargun Dhillon wrote:
>> > Remove SECURITY_HOOK_COUNT and "struct security_hook_list"->owner and
>> > the exception in randomize_layout_plugin.c because preventing module
>> > unloading won
We're seeing an issue introduced in 4.18, and that still persists in
4.19.12 (we upgraded from 4.9), where update_blocked_averages is
blocking. We're running a workload where a majority of our workloads
are confined by cgroups. This exhibits itself due to a softlockup on
a CPU which is waiting on
>
> We're seeing an issue introduced in 4.18, and that still persists in
> 4.19.12 (we upgraded from 4.9), where update_blocked_averages is
> blocking. We're running a workload where a majority of our workloads
> are confined by cgroups. This exhibits itself due to a softlockup on
> a CPU which is
q(struct
> > > > cfs_rq *cfs_rq)
> > > > static inline void list_del_leaf_cfs_rq(struct cfs_rq *cfs_rq)
> > > > {
> > > > if (cfs_rq->on_list) {
> > > > + struct rq *rq = rq_of(cfs_rq);
> > > > +
> > >
On Thu, Dec 27, 2018 at 1:15 PM Linus Torvalds
wrote:
>
> On Thu, Dec 27, 2018 at 9:02 AM Vincent Guittot
> wrote:
> >
> > In the original behavior, the cs_rq was removed from the list only
> > when the cgroup was removed.
> > patch a9e7f6544b9c (sched/fair: Fix O(nr_cgroups) in load balance
> >
rq->tmp_alone_branch == &rq->leaf_cfs_rq_list)
> list_del_leaf_cfs_rq(cfs_rq);
>
> /* Don't need periodic decay once load/util_avg are null */
Tested-by: Sargun Dhillon
We've deployed this patch to our test workload. We haven't seen a crash yet.
>
> But the lock should not be released during the build of a branch and
> tmp_alone_branch must always point to rq->leaf_cfs_rq_list at the end
> and before the lock is released
>
> I think that there is a bigger problem with commit a9e7f6544b9c and
> cfs_rq throttling:
> Let's take the example of
This adds a helper which can iterate through a seccomp_filter to
find a notification matching an ID. It removes several replicated
chunks of code.
Signed-off-by: Sargun Dhillon
Acked-by: Christian Brauner
Reviewed-by: Tycho Andersen
Cc: Matt Denton
Cc: Kees Cook ,
Cc: Jann Horn ,
Cc: Robert
On Sat, May 30, 2020 at 9:07 AM Kees Cook wrote:
>
> On Sat, May 30, 2020 at 03:08:37PM +0100, Al Viro wrote:
> > On Fri, May 29, 2020 at 07:43:10PM -0700, Kees Cook wrote:
> >
> > > Can anyone clarify the expected failure mode from SCM_RIGHTS? Can we
> > > move the put_user() after instead? I thi
On Mon, May 18, 2020 at 02:53:25PM +0200, Christian Brauner wrote:
> On Sun, May 17, 2020 at 09:02:15AM -0600, Tycho Andersen wrote:
> > On Sun, May 17, 2020 at 08:46:03AM -0600, Tycho Andersen wrote:
> > > On Sun, May 17, 2020 at 04:33:11PM +0200, Christian Brauner wrote:
> > > > struct seccomp_no
On Tue, May 19, 2020 at 12:39:39AM +0200, Jann Horn wrote:
> > For user_notif, I think we need something in and around these options:
> >
> > - make a new API that explicitly follows EA struct design
> > (and while read()/write() might be easier[4], I tend to agree with
> > Jann and we need to
On Tue, May 19, 2020 at 3:26 AM Christian Brauner
wrote:
>
> On Mon, May 18, 2020 at 02:04:57PM -0700, Kees Cook wrote:
> > Hi!
> >
> > This is my attempt at a brain-dump on my plans for nearish-term seccomp
> > features. Welcome to my TED talk... ;)
> >
> > These are the things I've been thin
On Mon, May 18, 2020 at 02:04:57PM -0700, Kees Cook wrote:
> Hi!
>
> This is my attempt at a brain-dump on my plans for nearish-term seccomp
> features. Welcome to my TED talk... ;)
>
> These are the things I've been thinking about:
>
> - fd passing
> - deep argument inspection
> - changing stru
On Mon, Dec 28, 2020 at 9:26 AM Jeff Layton wrote:
>
> On Mon, 2020-12-28 at 15:56 +, Matthew Wilcox wrote:
> > On Mon, Dec 28, 2020 at 08:25:50AM -0500, Jeff Layton wrote:
> > > To be clear, the main thing you'll lose with the method above is the
> > > ability to see an unseen error on a newl
On Mon, Dec 21, 2020 at 02:50:55PM -0500, Vivek Goyal wrote:
> Currently syncfs() and fsync() seem to be two interfaces which check and
> return writeback errors on superblock to user space. fsync() should
> work fine with overlayfs as it relies on underlying filesystem to
> do the check and return
On Wed, Dec 23, 2020 at 06:50:44PM +, Matthew Wilcox wrote:
> On Wed, Dec 23, 2020 at 06:20:27PM +0000, Sargun Dhillon wrote:
> > I fail to see why this is necessary if you incorporate error reporting
> > into the
> > sync_fs callback. Why is this separate from that ca
On Wed, Dec 23, 2020 at 08:07:46PM +, Matthew Wilcox wrote:
> On Wed, Dec 23, 2020 at 07:29:41PM +0000, Sargun Dhillon wrote:
> > On Wed, Dec 23, 2020 at 06:50:44PM +, Matthew Wilcox wrote:
> > > On Wed, Dec 23, 2020 at 06:20:27PM +0000, Sargun Dhillon wrote:
> > >
On Thu, Dec 24, 2020 at 11:32:55AM +0200, Amir Goldstein wrote:
> On Wed, Dec 23, 2020 at 10:44 PM Matthew Wilcox wrote:
> >
> > On Wed, Dec 23, 2020 at 08:21:41PM +, Sargun Dhillon wrote:
> > > On Wed, Dec 23, 2020 at 08:07:46PM +, Matthew Wilcox wrote:
> >
09:09PM +0100, Christian Brauner wrote:
> > > > On Sat, Feb 20, 2021 at 01:31:57AM -0800, Sargun Dhillon wrote:
> > > > > We've run into a problem where attaching a filter can be quite messy
> > > > > business because the filter itself intercepts sendmsg,
ernel.org/lkml/20210220090502.7202-1-sar...@sargun.me/
[2]: https://lore.kernel.org/lkml/202012011322.26DCBC64F2@keescook/
Rodrigo Campos (1):
seccomp: Support atomic "addfd + send reply"
Sargun Dhillon (4):
seccomp: Refactor notification handler to prepare for new semantics
seccomp: A
This just adds a test to verify that when using the newly introduced flag
to ADDFD, a valid fd is added and returned as the syscall result.
Signed-off-by: Rodrigo Campos
Signed-off-by: Sargun Dhillon
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 38 +++
1 file changed, 38
lore.kernel.org/lkml/202012011322.26DCBC64F2@keescook/
Signed-off-by: Rodrigo Campos
Signed-off-by: Sargun Dhillon
---
include/uapi/linux/seccomp.h | 1 +
kernel/seccomp.c | 49 +---
2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/include/uapi/linux
: Sargun Dhillon
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 64 +++
1 file changed, 64 insertions(+)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c
b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 26c72f2b61b1..48ad53030d5a 100644
--- a/tools/testing
only killable by terminating signals as opposed to all
signals. The process can still be terminated before the supervisor receives
the notification.
Signed-off-by: Sargun Dhillon
[1]: https://github.com/golang/go/issues/24543
---
.../userspace-api/seccomp_filter.rst | 15 +++---
include
addfd calls prior to returning to userspace.
Signed-off-by: Sargun Dhillon
---
kernel/seccomp.c | 30 --
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 952dc1c90229..b48fb0a29455 100644
--- a/kernel/seccomp.c
ernel.org/lkml/20210220090502.7202-1-sar...@sargun.me/
[2]: https://lore.kernel.org/lkml/202012011322.26DCBC64F2@keescook/
Rodrigo Campos (1):
seccomp: Support atomic "addfd + send reply"
Sargun Dhillon (4):
seccomp: Refactor notification handler to prepare for new semantics
seccomp: A
e
patch would be squashed down, but it's split out for easier review.
Sargun Dhillon (3):
seccomp: Refactor notification handler to prepare for new semantics
seccomp: Add wait_killable semantic to seccomp user notifier
selftests/seccomp: Add test for wait killable notifier
include/ua
addfd calls prior to returning to userspace.
Signed-off-by: Sargun Dhillon
---
kernel/seccomp.c | 30 --
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 952dc1c90229..b48fb0a29455 100644
--- a/kernel/seccomp.c
only killable by terminating signals as opposed to all
signals.
Signed-off-by: Sargun Dhillon
[1]: https://github.com/golang/go/issues/24543
---
include/uapi/linux/seccomp.h | 10 ++
kernel/seccomp.c | 35 +--
2 files changed, 39 insertions
: Sargun Dhillon
---
tools/testing/selftests/seccomp/seccomp_bpf.c | 60 +++
1 file changed, 60 insertions(+)
diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c
b/tools/testing/selftests/seccomp/seccomp_bpf.c
index 26c72f2b61b1..a8ef4558d673 100644
--- a/tools/testing
We've run into a problem where attaching a filter can be quite messy
business because the filter itself intercepts sendmsg, and other
syscalls related to exfiltrating the listener FD. I believe that this
problem set has been brought up before, and although there are
"simpler" methods of exfiltratin
On Mon, Nov 30, 2020 at 06:20:09PM -0500, Tycho Andersen wrote:
> Hi,
>
> On Thu, Nov 26, 2020 at 02:09:33PM +0100, Alban Crequy wrote:
> > Hi,
> >
> > With the addfd feature (added in “seccomp: Introduce addfd ioctl to
> > seccomp user notifier”, commit 7cf97b125455), the new file is
> > install
On Thu, Nov 12, 2020 at 02:09:50AM -0800, Sargun Dhillon wrote:
> Right now, it is possible to mount NFS with a non-matching super block
> user ns, and NFS sunrpc user ns. This (for the user) results in an awkward
> set of interactions if using anything other than auth_null, where
On Tue, Dec 01, 2020 at 07:41:05AM -0500, Tycho Andersen wrote:
> On Mon, Nov 30, 2020 at 06:20:09PM -0500, Tycho Andersen wrote:
> > Idea 1 sounds best to me, but maybe that's because it's the way I
> > originally did the fd support that never landed :)
> >
> > But here's an Idea 4: we add a way
e796391cc135283eb88.ca...@hammerspace.com/
[2]: https://lore.kernel.org/linux-nfs/20201112100952.3514-1-sar...@sargun.me/
Sargun Dhillon (2):
NFS: NFSv2/NFSv3: Use cred from fs_context during mount
NFSv4: Refactor to use user namespaces for nfs4idmap
fs/nfs/client.c | 4 ++--
fs/nfs/nfs4client.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
--
2.25.1
d-off-by: Sargun Dhillon
Tested-by: Alban Crequy
---
fs/nfs/client.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 4b8cc93913f7..1e6f3b3ed445 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -571,7 +571,7 @@ stati
f the
container,
or safely triggered outside, with the requisite context to do the right
mapping. * Handle whatever refactoring needs to be done in net/sunrpc.
Signed-off-by: Sargun Dhillon
Tested-by: Alban Crequy
---
fs/nfs/nfs4client.c | 2 +-
1 file changed, 1 insertion(+), 1 del
I picked up c40f7d74c741a907cfaeb73a7697081881c497d0 sched/fair: Fix
infinite loop in update_blocked_averages() by reverting a9e7f6544b9c
and put it on top of 4.19.13. In addition to this, I uninlined
list_add_leaf_cfs_rq for debugging.
This revealed a new bug that we didn't get to because we kept
On Wed, Jan 9, 2019 at 2:14 PM Sargun Dhillon wrote:
>
> I picked up c40f7d74c741a907cfaeb73a7697081881c497d0 sched/fair: Fix
> infinite loop in update_blocked_averages() by reverting a9e7f6544b9c
> and put it on top of 4.19.13. In addition to this, I uninlined
> list_add_
ode-unloading
* Add concurrency control around hook mutation
Sargun Dhillon (1):
security: Add mechanism to safely (un)load LSMs after boot time
include/linux/lsm_hooks.h | 23 ++---
security/Kconfig | 2 +-
security/apparmor/lsm.c| 2 +-
security/commoncap.c |
able to be mutated (removed).
It also wraps the hook unloading, and execution with an SRCU. One
SRCU is used across all hooks, as the SRCU struct can be memory
intensive, and hook execution time in general should be relatively
short.
Signed-off-by: Sargun Dhillon
Signed-off-by: Tetsuo Handa
On Thu, Mar 29, 2018 at 02:37:10PM -0700, Casey Schaufler wrote:
> On 3/29/2018 2:14 PM, Sargun Dhillon wrote:
> > This patch introduces a mechanism to add mutable hooks and immutable
> > hooks to the callback chain. It adds an intermediary item to the
> > chain which
On Fri, Mar 30, 2018 at 2:39 PM, Casey Schaufler wrote:
> On 3/29/2018 7:33 PM, Sargun Dhillon wrote:
>> On Thu, Mar 29, 2018 at 02:37:10PM -0700, Casey Schaufler wrote:
>>> On 3/29/2018 2:14 PM, Sargun Dhillon wrote:
>>>> This patch introduces a mechanism to a
On Sat, Mar 31, 2018 at 7:40 PM, Sargun Dhillon wrote:
> This moves all of the LSM hooks type information into a separate file,
> lsm_hook_types.h. This enables us to use this file, along with macros
> to generate the security_hook_heads struct, as well as the security
> hooks u
d SRCU to allow for code-unloading
* Add concurrency control around hook mutation
Sargun Dhillon (1):
security: Add mechanism to safely (un)load LSMs after boot time
include/linux/lsm_hooks.h | 24 +--
security/Kconfig | 2 +-
security/security.c | 206
able to be mutated (removed).
It also wraps the hook unloading, and execution with an SRCU. One
SRCU is used across all hooks, as the SRCU struct can be memory
intensive, and hook execution time in general should be relatively
short.
Signed-off-by: Sargun Dhillon
Signed-off-by: Tetsuo Handa
security_settime was a wrapper around security_settime64. There are no more
users of it. Therefore it can be removed. It was removed in:
commit 4eb1bca17933 ("time: Use do_settimeofday64() internally")
Signed-off-by: Sargun Dhillon
---
include/linux/security.h | 14
we can follow up with, including:
* generation of security.h
* generation of datastructures such as static_keys for performance
enhancement
Sargun Dhillon (4):
security: Move hook definitions from lsm_hooks.h to lsm_hook_types.h
security: Refactor security hooks into structured hooks
:
VOID_HOOK(name, args...) -- for evaluation not returning anything
INT_HOOK(name, args...) -- for evaluation returning int
This should be a 0-functional, or logical change patch.
Signed-off-by: Sargun Dhillon
---
include/linux/lsm_hook_types.h | 524
This change makes it so rather than having to duplicate the list
of heads in struct security_hook_heads, the structure is generated
based upon the structured hooks in lsm_hook_types.h.
Signed-off-by: Sargun Dhillon
---
include/linux/lsm_hooks.h | 230
This replaces the old logic of casting the security hook heads struct to
an array, and then traversing it in order to initialize it. Instead,
it generates the code to set the security hook heads to null at start
time.
Signed-off-by: Sargun Dhillon
---
scripts/gcc-plugins
On Sun, Apr 1, 2018 at 10:32 AM, Casey Schaufler wrote:
>
> On 4/1/2018 3:17 AM, Sargun Dhillon wrote:
> > This moves all of the LSM hooks type information into a separate file,
> > lsm_hook_types.h. This enables us to use this file, along with macros
> > to generate
On Thu, 14 Jul 2016, Alexei Starovoitov wrote:
On Wed, Jul 13, 2016 at 01:31:57PM -0700, Sargun Dhillon wrote:
On Wed, 13 Jul 2016, Alexei Starovoitov wrote:
On Wed, Jul 13, 2016 at 03:36:11AM -0700, Sargun Dhillon wrote:
Provides BPF programs, attached to kprobes a safe way to write to
On Fri, 15 Jul 2016, Alexei Starovoitov wrote:
On Fri, Jul 15, 2016 at 07:16:01PM -0700, Sargun Dhillon wrote:
On Thu, 14 Jul 2016, Alexei Starovoitov wrote:
On Wed, Jul 13, 2016 at 01:31:57PM -0700, Sargun Dhillon wrote:
On Wed, 13 Jul 2016, Alexei Starovoitov wrote:
On Wed, Jul 13
On Sun, 17 Jul 2016, Alexei Starovoitov wrote:
On Sun, Jul 17, 2016 at 03:19:13AM -0700, Sargun Dhillon wrote:
+static u64 bpf_copy_to_user(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
+{
+ void *to = (void *) (long) r1;
+ void *from = (void *) (long) r2;
+ int size = (int) r3
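Review bot: `size` on the last visible line is a signed int narrowed from the u64 in r3, so a value above INT_MAX passed by the BPF program becomes negative before it reaches any length or address-range check. Declare it as an unsigned type (for example u32), or reject non-positive sizes up front, so that the later bounds check and the copy both see the same non-negative length.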
Starovoitov for review, I've made changes based on his
recommendations.
---
v1->v2: restrict writing to user space, as opposed to globally
Sargun Dhillon (2):
Add bpf_copy_to_user BPF helper to be called in tracers (kprobes)
Add example of using bpf_copy_to_user in bpf kprobes
incl
limit the address space
the probe can write into by checking the space with access_ok.
This call shouldn't sleep on any architectures based on review.
It was tested with the tracex7 program on x86-64.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
---
include/uapi/linux/b
This example shows using a kprobe to act as a dnat mechanism to divert
traffic for arbitrary endpoints. It rewrites the arguments to a syscall
while they're still in userspace, and before the syscall has a chance
to copy the argument into kernel space.
Signed-off-by: Sargun Dhillon
Cc: A
Starovoitov for review, I've made changes based on his
recommendations.
---
v1->v2: restrict writing to user space, as opposed to globally
v2->v3: Fixed formatting issues
Sargun Dhillon (2):
bpf: Add bpf_copy_to_user BPF helper to be called in tracers (kprobes)
samples/bpf: Add examp
limit the address space
the probe can write into by checking the space with access_ok.
This call shouldn't sleep on any architectures based on review.
It was tested with the tracex7 program on x86-64.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
---
include/uapi/linux/b
This example shows using a kprobe to act as a dnat mechanism to divert
traffic for arbitrary endpoints. It rewrites the arguments to a syscall
while they're still in userspace, and before the syscall has a chance
to copy the argument into kernel space.
Signed-off-by: Sargun Dhillon
Cc: A
On Tue, 19 Jul 2016, Daniel Borkmann wrote:
Hi Sargun,
On 07/19/2016 11:32 AM, Sargun Dhillon wrote:
This allows user memory to be written to during the course of a kprobe.
It shouldn't be used to implement any kind of security mechanism
because of TOC-TOU attacks, but rather to
Provides BPF programs, attached to kprobes a safe way to write to
memory referenced by probes. This is done by making probe_kernel_write
accessible to bpf functions via the bpf_probe_write helper.
Signed-off-by: Sargun Dhillon
---
include/uapi/linux/bpf.h | 3 +++
kernel/trace/bpf_trace.c
On Wed, 13 Jul 2016, Alexei Starovoitov wrote:
> On Wed, Jul 13, 2016 at 03:36:11AM -0700, Sargun Dhillon wrote:
>> Provides BPF programs, attached to kprobes a safe way to write to
>> memory referenced by probes. This is done by making probe_kernel_write
>> accessible to
Rename bpf_probe_write -> bpf_probe_write_user
v6->v7: More formatting cleanup.
Clarifying a few comments
Clarified log message
Sargun Dhillon (2):
bpf: Add bpf_probe_write_user BPF helper to be called in tracers
samples/bpf: Add test/example of using bpf_probe_write_us
ad.
Given this feature is meant for experiments, and it has a risk of
crashing the system, and running programs, we print a warning
when a proglet that attempts to use this helper is installed,
along with the pid and process name.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Bor
LIBES_lathist += -lelf
HOSTLOADLIBES_offwaketime += -lelf
diff --git a/samples/bpf/test_probe_write_user_kern.c
b/samples/bpf/test_probe_write_user_kern.c
new file mode 100644
index 000..3a677c8
--- /dev/null
+++ b/samples/bpf/test_probe_write_user_kern.c
@@ -0,0 +1,52 @@
+/* Copyright (c) 2016 S
ivileges. Moreover, a
>> Landlock eBPF program could come from outside a process (e.g. passed through
>> a
>> UNIX socket). It is then useful to differentiate the creation/load of
>> Landlock
>> eBPF programs via bpf(2), from rule enforcing via seccomp(2).
>>
>
Move bpf_probe_read and bpf_get_current_task to the shared helpers
so that Checmate can use them.
Signed-off-by: Sargun Dhillon
---
include/linux/bpf.h | 2 ++
kernel/bpf/helpers.c | 34 ++
kernel/trace/bpf_trace.c | 33
nforcing a hook.
BPF programs also have access to maps, which somewhat works around
the need for security blobs in some cases.
I would love to know what y'all think.
Sargun Dhillon (4):
bpf: move tracing helpers to shared helpers
bpf, security: Add Checmate
security/checmate: Add Checma