Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set
On Mon, Jan 25, 2021 at 7:55 AM Mikko Ylinen wrote: > > On Sat, Jan 23, 2021 at 12:50:21AM +0100, KP Singh wrote: > > On Fri, Jan 22, 2021 at 11:33 PM KP Singh wrote: > > > > > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen > > > wrote: > > > > > > > > Networking LSM hooks are conditionally enabled and when building the new > > > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the > > > > following build error occurs: > > > > > > > > BTFIDS vmlinux > > > > FAILED unresolved symbol bpf_lsm_socket_socketpair > > > > [...] > > Agree, a way to get the set automatically created makes sense. But the > extra parameter to LSM_HOOK macro would be BPF specific, right? > The information about whether the hook "must not sleep" has been mentioned sporadically in comments and https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hooks.h#n920 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hooks.h#n594 I think it would be generally useful for the framework to actually provide this in the definition in the hook and then ensure (by calling might_sleep() for hooks that can sleep). - KP > -- Regards, Mikko
Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set
On Sat, Jan 23, 2021 at 12:50:21AM +0100, KP Singh wrote: > On Fri, Jan 22, 2021 at 11:33 PM KP Singh wrote: > > > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen > > wrote: > > > > > > Networking LSM hooks are conditionally enabled and when building the new > > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the > > > following build error occurs: > > > > > > BTFIDS vmlinux > > > FAILED unresolved symbol bpf_lsm_socket_socketpair > > > > > > To fix the error, conditionally add the networking LSM hooks to the > > > sleepable set. > > > > > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") > > > Signed-off-by: Mikko Ylinen > > > > Thanks! > > > > Acked-by: KP Singh > > Btw, I was noticing that there's another hook that is surrounded by ifdefs: > > diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c > index 70e5e0b6d69d..f7f7754e938d 100644 > --- a/kernel/bpf/bpf_lsm.c > +++ b/kernel/bpf/bpf_lsm.c > @@ -166,7 +166,11 @@ BTF_ID(func, bpf_lsm_inode_symlink) > BTF_ID(func, bpf_lsm_inode_unlink) > BTF_ID(func, bpf_lsm_kernel_module_request) > BTF_ID(func, bpf_lsm_kernfs_init_security) > + > +#ifdef CONFIG_KEYS > BTF_ID(func, bpf_lsm_key_free) > +#endif > + > BTF_ID(func, bpf_lsm_mmap_file) > BTF_ID(func, bpf_lsm_netlink_send) > BTF_ID(func, bpf_lsm_path_notify) > > It would be great if you can also add this to your patch :) Thanks for noticing! I cross-checked the sleepable set but somehow missed this. Just posted v2. > I guess the cleanest solution to never let this happen would be to > incorporate this in > lsm_hook_defs.h and mark hooks as SLEEPABLE and NON_SLEEPABLE with an > extra parameter to the LSM_HOOK macro and then only generate the BTF IDs > based on this macro parameter. Agree, a way to get the set automatically created makes sense. But the extra parameter to LSM_HOOK macro would be BPF specific, right? -- Regards, Mikko
Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set
On Fri, Jan 22, 2021 at 11:33 PM KP Singh wrote: > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen > wrote: > > > > Networking LSM hooks are conditionally enabled and when building the new > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the > > following build error occurs: > > > > BTFIDS vmlinux > > FAILED unresolved symbol bpf_lsm_socket_socketpair > > > > To fix the error, conditionally add the networking LSM hooks to the > > sleepable set. > > > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") > > Signed-off-by: Mikko Ylinen > > Thanks! > > Acked-by: KP Singh Btw, I was noticing that there's another hook that is surrounded by ifdefs: diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 70e5e0b6d69d..f7f7754e938d 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -166,7 +166,11 @@ BTF_ID(func, bpf_lsm_inode_symlink) BTF_ID(func, bpf_lsm_inode_unlink) BTF_ID(func, bpf_lsm_kernel_module_request) BTF_ID(func, bpf_lsm_kernfs_init_security) + +#ifdef CONFIG_KEYS BTF_ID(func, bpf_lsm_key_free) +#endif + BTF_ID(func, bpf_lsm_mmap_file) BTF_ID(func, bpf_lsm_netlink_send) BTF_ID(func, bpf_lsm_path_notify) It would be great if you can also add this to your patch :) I guess the cleanest solution to never let this happen would be to incorporate this in lsm_hook_defs.h and mark hooks as SLEEPABLE and NON_SLEEPABLE with an extra parameter to the LSM_HOOK macro and then only generate the BTF IDs based on this macro parameter.
Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set
On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen wrote: > > Networking LSM hooks are conditionally enabled and when building the new > sleepable BPF LSM hooks with the networking LSM hooks disabled, the > following build error occurs: > > BTFIDS vmlinux > FAILED unresolved symbol bpf_lsm_socket_socketpair > > To fix the error, conditionally add the networking LSM hooks to the > sleepable set. > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") > Signed-off-by: Mikko Ylinen Thanks! Acked-by: KP Singh
[PATCH] bpf: Drop disabled LSM hooks from the sleepable set
Networking LSM hooks are conditionally enabled and when building the new sleepable BPF LSM hooks with the networking LSM hooks disabled, the following build error occurs: BTFIDS vmlinux FAILED unresolved symbol bpf_lsm_socket_socketpair To fix the error, conditionally add the networking LSM hooks to the sleepable set. Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") Signed-off-by: Mikko Ylinen --- kernel/bpf/bpf_lsm.c | 8 1 file changed, 8 insertions(+) diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 70e5e0b6d69d..5041dd35f2a6 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -149,7 +149,11 @@ BTF_ID(func, bpf_lsm_file_ioctl) BTF_ID(func, bpf_lsm_file_lock) BTF_ID(func, bpf_lsm_file_open) BTF_ID(func, bpf_lsm_file_receive) + +#ifdef CONFIG_SECURITY_NETWORK BTF_ID(func, bpf_lsm_inet_conn_established) +#endif /* CONFIG_SECURITY_NETWORK */ + BTF_ID(func, bpf_lsm_inode_create) BTF_ID(func, bpf_lsm_inode_free_security) BTF_ID(func, bpf_lsm_inode_getattr) @@ -181,6 +185,8 @@ BTF_ID(func, bpf_lsm_sb_show_options) BTF_ID(func, bpf_lsm_sb_statfs) BTF_ID(func, bpf_lsm_sb_umount) BTF_ID(func, bpf_lsm_settime) + +#ifdef CONFIG_SECURITY_NETWORK BTF_ID(func, bpf_lsm_socket_accept) BTF_ID(func, bpf_lsm_socket_bind) BTF_ID(func, bpf_lsm_socket_connect) @@ -195,6 +201,8 @@ BTF_ID(func, bpf_lsm_socket_recvmsg) BTF_ID(func, bpf_lsm_socket_sendmsg) BTF_ID(func, bpf_lsm_socket_shutdown) BTF_ID(func, bpf_lsm_socket_socketpair) +#endif /* CONFIG_SECURITY_NETWORK */ + BTF_ID(func, bpf_lsm_syslog) BTF_ID(func, bpf_lsm_task_alloc) BTF_ID(func, bpf_lsm_task_getsecid) -- 2.17.1