From: KP Singh <[email protected]> The LSM can be enabled by:
- Enabling CONFIG_SECURITY_KRSI. - Adding "krsi" to the CONFIG_LSM string. Signed-off-by: KP Singh <[email protected]> --- MAINTAINERS | 5 +++++ security/Kconfig | 1 + security/Makefile | 2 ++ security/krsi/Kconfig | 22 ++++++++++++++++++++++ security/krsi/Makefile | 1 + security/krsi/krsi.c | 24 ++++++++++++++++++++++++ 6 files changed, 55 insertions(+) create mode 100644 security/krsi/Kconfig create mode 100644 security/krsi/Makefile create mode 100644 security/krsi/krsi.c diff --git a/MAINTAINERS b/MAINTAINERS index 9cbcf167bdd0..8e0364391d8b 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9002,6 +9002,11 @@ F: include/linux/kprobes.h F: include/asm-generic/kprobes.h F: kernel/kprobes.c +KRSI SECURITY MODULE +M: KP Singh <[email protected]> +S: Supported +F: security/krsi/ + KS0108 LCD CONTROLLER DRIVER M: Miguel Ojeda Sandonis <[email protected]> S: Maintained diff --git a/security/Kconfig b/security/Kconfig index 0d65594b5196..febf7953803f 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -236,6 +236,7 @@ source "security/tomoyo/Kconfig" source "security/apparmor/Kconfig" source "security/loadpin/Kconfig" source "security/yama/Kconfig" +source "security/krsi/Kconfig" source "security/safesetid/Kconfig" source "security/integrity/Kconfig" diff --git a/security/Makefile b/security/Makefile index c598b904938f..25779ce89bf2 100644 --- a/security/Makefile +++ b/security/Makefile @@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama +subdir-$(CONFIG_SECURITY_KRSI) += krsi subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid @@ -25,6 +26,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ +obj-$(CONFIG_SECURITY_KRSI) += krsi/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o diff --git a/security/krsi/Kconfig b/security/krsi/Kconfig new file mode 100644 index 000000000000..bf5eab4355af --- /dev/null +++ b/security/krsi/Kconfig @@ -0,0 +1,22 @@ +config SECURITY_KRSI + bool "Runtime Security Instrumentation (BPF-based MAC and audit policy)" + depends on SECURITY + depends on SECURITYFS + depends on BPF + depends on BPF_SYSCALL + help + This selects the Kernel Runtime Security Instrumentation + LSM which allows dynamic instrumentation of the security hooks with + eBPF programs. The LSM creates per-hook files in securityfs to which + eBPF programs can be attached. + + If you are unsure how to answer this question, answer N. + +config SECURITY_KRSI_ENFORCE + bool "Deny operations based on the evaluation of the attached programs" + depends on SECURITY_KRSI + help + eBPF programs attached to hooks can be used for both auditing and + enforcement. Enabling enforcement implies that the evaluation result + from the attached eBPF programs will allow and deny the operation + guarded by the security hook. diff --git a/security/krsi/Makefile b/security/krsi/Makefile new file mode 100644 index 000000000000..73320e8d16f8 --- /dev/null +++ b/security/krsi/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_SECURITY_KRSI) := krsi.o diff --git a/security/krsi/krsi.c b/security/krsi/krsi.c new file mode 100644 index 000000000000..9ce4f56fb78d --- /dev/null +++ b/security/krsi/krsi.c @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/lsm_hooks.h> + +static int krsi_process_execution(struct linux_binprm *bprm) +{ + return 0; +} + +static struct security_hook_list krsi_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(bprm_check_security, krsi_process_execution), +}; + +static int __init krsi_init(void) +{ + security_add_hooks(krsi_hooks, ARRAY_SIZE(krsi_hooks), "krsi"); + pr_info("eBPF and LSM are friends now.\n"); + return 0; +} + +DEFINE_LSM(krsi) = { + .name = "krsi", + .init = krsi_init, +}; -- 2.20.1
