subject:"\[PATCH\] bpf\: Drop disabled LSM hooks from the sleepable set"

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

2021-01-25 Thread KP Singh

On Mon, Jan 25, 2021 at 7:55 AM Mikko Ylinen
 wrote:
>
> On Sat, Jan 23, 2021 at 12:50:21AM +0100, KP Singh wrote:
> > On Fri, Jan 22, 2021 at 11:33 PM KP Singh  wrote:
> > >
> > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen
> > >  wrote:
> > > >
> > > > Networking LSM hooks are conditionally enabled and when building the new
> > > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the
> > > > following build error occurs:
> > > >
> > > > BTFIDS  vmlinux
> > > > FAILED unresolved symbol bpf_lsm_socket_socketpair
> > > >

[...]

>
> Agree, a way to get the set automatically created makes sense. But the
> extra parameter to LSM_HOOK macro would be BPF specific, right?
>

The information about whether the hook "must not sleep" has been
mentioned sporadically in comments and

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hooks.h#n920
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hooks.h#n594

I think it would be generally useful for the framework to actually provide this
in the definition in the hook and then ensure (by calling
might_sleep() for hooks
that can sleep).

- KP

> -- Regards, Mikko

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

2021-01-24 Thread Mikko Ylinen

On Sat, Jan 23, 2021 at 12:50:21AM +0100, KP Singh wrote:
> On Fri, Jan 22, 2021 at 11:33 PM KP Singh  wrote:
> >
> > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen
> >  wrote:
> > >
> > > Networking LSM hooks are conditionally enabled and when building the new
> > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the
> > > following build error occurs:
> > >
> > > BTFIDS  vmlinux
> > > FAILED unresolved symbol bpf_lsm_socket_socketpair
> > >
> > > To fix the error, conditionally add the networking LSM hooks to the
> > > sleepable set.
> > >
> > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
> > > Signed-off-by: Mikko Ylinen 
> >
> > Thanks!
> >
> > Acked-by: KP Singh 
> 
> Btw, I was noticing that there's another hook that is surrounded by ifdefs:
> 
> diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
> index 70e5e0b6d69d..f7f7754e938d 100644
> --- a/kernel/bpf/bpf_lsm.c
> +++ b/kernel/bpf/bpf_lsm.c
> @@ -166,7 +166,11 @@ BTF_ID(func, bpf_lsm_inode_symlink)
>  BTF_ID(func, bpf_lsm_inode_unlink)
>  BTF_ID(func, bpf_lsm_kernel_module_request)
>  BTF_ID(func, bpf_lsm_kernfs_init_security)
> +
> +#ifdef CONFIG_KEYS
>  BTF_ID(func, bpf_lsm_key_free)
> +#endif
> +
>  BTF_ID(func, bpf_lsm_mmap_file)
>  BTF_ID(func, bpf_lsm_netlink_send)
>  BTF_ID(func, bpf_lsm_path_notify)
> 
> It would be great if you can also add this to your patch :)

Thanks for noticing! I cross-checked the sleepable set but somehow
missed this. Just posted v2.

> I guess the cleanest solution to never let this happen would be to
> incorporate this in
> lsm_hook_defs.h and mark hooks as SLEEPABLE and NON_SLEEPABLE with an
> extra parameter to the LSM_HOOK macro and then only generate the BTF IDs
> based on this macro parameter.

Agree, a way to get the set automatically created makes sense. But the
extra parameter to LSM_HOOK macro would be BPF specific, right?

-- Regards, Mikko

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

2021-01-22 Thread KP Singh

On Fri, Jan 22, 2021 at 11:33 PM KP Singh  wrote:
>
> On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen
>  wrote:
> >
> > Networking LSM hooks are conditionally enabled and when building the new
> > sleepable BPF LSM hooks with the networking LSM hooks disabled, the
> > following build error occurs:
> >
> > BTFIDS  vmlinux
> > FAILED unresolved symbol bpf_lsm_socket_socketpair
> >
> > To fix the error, conditionally add the networking LSM hooks to the
> > sleepable set.
> >
> > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
> > Signed-off-by: Mikko Ylinen 
>
> Thanks!
>
> Acked-by: KP Singh 

Btw, I was noticing that there's another hook that is surrounded by ifdefs:

diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 70e5e0b6d69d..f7f7754e938d 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -166,7 +166,11 @@ BTF_ID(func, bpf_lsm_inode_symlink)
 BTF_ID(func, bpf_lsm_inode_unlink)
 BTF_ID(func, bpf_lsm_kernel_module_request)
 BTF_ID(func, bpf_lsm_kernfs_init_security)
+
+#ifdef CONFIG_KEYS
 BTF_ID(func, bpf_lsm_key_free)
+#endif
+
 BTF_ID(func, bpf_lsm_mmap_file)
 BTF_ID(func, bpf_lsm_netlink_send)
 BTF_ID(func, bpf_lsm_path_notify)

It would be great if you can also add this to your patch :)

I guess the cleanest solution to never let this happen would be to
incorporate this in
lsm_hook_defs.h and mark hooks as SLEEPABLE and NON_SLEEPABLE with an
extra parameter to the LSM_HOOK macro and then only generate the BTF IDs
based on this macro parameter.

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

2021-01-22 Thread KP Singh

On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen
 wrote:
>
> Networking LSM hooks are conditionally enabled and when building the new
> sleepable BPF LSM hooks with the networking LSM hooks disabled, the
> following build error occurs:
>
> BTFIDS  vmlinux
> FAILED unresolved symbol bpf_lsm_socket_socketpair
>
> To fix the error, conditionally add the networking LSM hooks to the
> sleepable set.
>
> Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
> Signed-off-by: Mikko Ylinen 

Thanks!

Acked-by: KP Singh

[PATCH] bpf: Drop disabled LSM hooks from the sleepable set

2021-01-22 Thread Mikko Ylinen

Networking LSM hooks are conditionally enabled and when building the new
sleepable BPF LSM hooks with the networking LSM hooks disabled, the
following build error occurs:

BTFIDS  vmlinux
FAILED unresolved symbol bpf_lsm_socket_socketpair

To fix the error, conditionally add the networking LSM hooks to the
sleepable set.

Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks")
Signed-off-by: Mikko Ylinen 
---
 kernel/bpf/bpf_lsm.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 70e5e0b6d69d..5041dd35f2a6 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -149,7 +149,11 @@ BTF_ID(func, bpf_lsm_file_ioctl)
 BTF_ID(func, bpf_lsm_file_lock)
 BTF_ID(func, bpf_lsm_file_open)
 BTF_ID(func, bpf_lsm_file_receive)
+
+#ifdef CONFIG_SECURITY_NETWORK
 BTF_ID(func, bpf_lsm_inet_conn_established)
+#endif /* CONFIG_SECURITY_NETWORK */
+
 BTF_ID(func, bpf_lsm_inode_create)
 BTF_ID(func, bpf_lsm_inode_free_security)
 BTF_ID(func, bpf_lsm_inode_getattr)
@@ -181,6 +185,8 @@ BTF_ID(func, bpf_lsm_sb_show_options)
 BTF_ID(func, bpf_lsm_sb_statfs)
 BTF_ID(func, bpf_lsm_sb_umount)
 BTF_ID(func, bpf_lsm_settime)
+
+#ifdef CONFIG_SECURITY_NETWORK
 BTF_ID(func, bpf_lsm_socket_accept)
 BTF_ID(func, bpf_lsm_socket_bind)
 BTF_ID(func, bpf_lsm_socket_connect)
@@ -195,6 +201,8 @@ BTF_ID(func, bpf_lsm_socket_recvmsg)
 BTF_ID(func, bpf_lsm_socket_sendmsg)
 BTF_ID(func, bpf_lsm_socket_shutdown)
 BTF_ID(func, bpf_lsm_socket_socketpair)
+#endif /* CONFIG_SECURITY_NETWORK */
+
 BTF_ID(func, bpf_lsm_syslog)
 BTF_ID(func, bpf_lsm_task_alloc)
 BTF_ID(func, bpf_lsm_task_getsecid)
-- 
2.17.1

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

[PATCH] bpf: Drop disabled LSM hooks from the sleepable set

5 matches

Site Navigation

Mail list logo

Footer information