Re: [PATCH bpf-next v5 3/4] selftests/bpf: Integrate the socket_cookie test to test_progs

2021-01-20 Thread KP Singh
astly > simplifies its logic by: > - rewriting the loading code with BPF skeletons > - rewriting the server/client code with network helpers > - rewriting the cgroup code with test__join_cgroup > - rewriting the error handling code with CHECKs > > Signed-off-by: Florent Revest Acked-by: KP Singh

Re: [PATCH bpf-next v5 2/4] bpf: Expose bpf_get_socket_cookie to tracing programs

2021-01-20 Thread KP Singh
On Tue, Jan 19, 2021 at 5:00 PM Florent Revest wrote: > > This needs a new helper that: > - can work in a sleepable context (using sock_gen_cookie) > - takes a struct sock pointer and checks that it's not NULL > > Signed-off-by: Florent Revest Acked-by: KP Singh

Re: [PATCH bpf-next v5 4/4] selftests/bpf: Add a selftest for the tracing bpf_get_socket_cookie

2021-01-20 Thread KP Singh
art of the test. > > Adding a tracing program to the existing objects requires a different > attachment strategy and different headers. > > Signed-off-by: Florent Revest Acked-by: KP Singh (one minor note, doesn't really need fixing as a part of this though) > --- > .../selftests/

Re: [PATCH] bpf: put file handler if no storage found

2021-01-20 Thread KP Singh
tag when you resubmit) Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes") Acked-by: KP Singh > > --- > > kernel/bpf/bpf_inode_storage.c | 6 +- > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > diff --git a/kernel/bpf/bpf_i

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

2021-01-22 Thread KP Singh
LED unresolved symbol bpf_lsm_socket_socketpair > > To fix the error, conditionally add the networking LSM hooks to the > sleepable set. > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") > Signed-off-by: Mikko Ylinen Thanks! Acked-by: KP Singh

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

2021-01-22 Thread KP Singh
On Fri, Jan 22, 2021 at 11:33 PM KP Singh wrote: > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen > wrote: > > > > Networking LSM hooks are conditionally enabled and when building the new > > sleepable BPF LSM hooks with the networking LSM hooks disabled, the >

Re: [PATCH v2] bpf: Drop disabled LSM hooks from the sleepable set

2021-01-25 Thread KP Singh
LED unresolved symbol bpf_lsm_socket_socketpair > > To fix the error, conditionally add the relevant networking/keys > LSM hooks to the sleepable set. > > Fixes: 423f16108c9d8 ("bpf: Augment the set of sleepable LSM hooks") > Signed-off-by: Mikko Ylinen Acked-by: KP Singh

Re: [PATCH] bpf: Drop disabled LSM hooks from the sleepable set

2021-01-25 Thread KP Singh
On Mon, Jan 25, 2021 at 7:55 AM Mikko Ylinen wrote: > > On Sat, Jan 23, 2021 at 12:50:21AM +0100, KP Singh wrote: > > On Fri, Jan 22, 2021 at 11:33 PM KP Singh wrote: > > > > > > On Fri, Jan 22, 2021 at 1:32 PM Mikko Ylinen > > > wrote: > > >

Re: [PATCH bpf v2 2/2] selftests/bpf: add verifier test for PTR_TO_MEM spill

2021-01-13 Thread KP Singh
= ACCEPT part. I think it is correct > by checking code. > > Acked-by: Yonghong Song Thanks for the description! Acked-by: KP Singh

Re: [PATCH bpf v2 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling

2021-01-13 Thread KP Singh
atch was partially contributed by CyberArk Software, Inc. > > Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for > it") > Suggested-by: Yonghong Song > Signed-off-by: Gilad Reti Acked-by: KP Singh

[PATCH v3] ima: Fix NULL pointer dereference in ima_file_hash

2020-09-16 Thread KP Singh
From: KP Singh ima_file_hash can be called when there is no iint->ima_hash available even though the inode exists in the integrity cache. It is fairly common for a file to not have a hash. (e.g. an mknodat, prior to the file being closed). Another example where this can happen (sugges

[PATCH] ima: Fix NULL pointer dereference in ima_file_hash

2020-09-16 Thread KP Singh
From: KP Singh ima_file_hash can be called when there is no iint->ima_hash available even though the inode exists in the integrity cache. An example where this can happen (suggested by Jann Horn): Process A does: while(1) { unlink("/tmp/imafoo");

Re: [PATCH v2] ima: Fix NULL pointer dereference in ima_file_hash

2020-09-16 Thread KP Singh
On Wed, Sep 16, 2020 at 6:00 PM Mimi Zohar wrote: > > On Wed, 2020-09-16 at 14:49 +0200, KP Singh wrote: > > From: KP Singh > > > > ima_file_hash can be called when there is no iint->ima_hash available > > even though the inode exists in the integrity cache.

Re: [PATCH] ima: Fix NULL pointer dereference in ima_file_hash

2020-09-16 Thread KP Singh
> On Wed, 2020-09-16 at 12:05 +0000, KP Singh wrote: > > From: KP Singh > > > > ima_file_hash can be called when there is no iint->ima_hash available > > even though the inode exists in the integrity cache. > > > > An example where this can happ

[PATCH v2] ima: Fix NULL pointer dereference in ima_file_hash

2020-09-16 Thread KP Singh
From: KP Singh ima_file_hash can be called when there is no iint->ima_hash available even though the inode exists in the integrity cache. An example where this can happen (suggested by Jann Horn): Process A does: while(1) { unlink("/tmp/imafoo");

Re: [PATCH bpf-next v7 5/7] bpf: Implement bpf_local_storage for inodes

2020-08-03 Thread KP Singh
On 31.07.20 21:02, Martin KaFai Lau wrote: > On Fri, Jul 31, 2020 at 02:08:55PM +0200, KP Singh wrote: > [ ... ] >>>> +const struct bpf_map_ops inode_storage_map_ops = { [...] >> >> btf dump file /sys/kernel/btf/vmlinux | grep "STRUCT 'inode'" &

[PATCH bpf-next v8 1/7] A purely mechanical change to split the renaming from the actual generalization.

2020-08-03 Thread KP Singh
From: KP Singh Flags/consts: SK_STORAGE_CREATE_FLAG_MASK BPF_LOCAL_STORAGE_CREATE_FLAG_MASK BPF_SK_STORAGE_CACHE_SIZE BPF_LOCAL_STORAGE_CACHE_SIZE MAX_VALUE_SIZE BPF_LOCAL_STORAGE_MAX_VALUE_SIZE Structs: bucket bpf_local_storage_map_bucket

[PATCH bpf-next v8 0/7] Generalizing bpf_local_storage

2020-08-03 Thread KP Singh
From: KP Singh # v7 -> v8 - Fixed an issue with BTF IDs for helpers and added bpf_<>_storage_delete to selftests to catch this issue. - Update comments about refcounts and grabbed a refcount to the open file for userspace inode helpers. - Rebase. # v6 -> v7 - Updated the s

[PATCH bpf-next v8 4/7] bpf: Split bpf_local_storage to bpf_sk_storage

2020-08-03 Thread KP Singh
From: KP Singh A purely mechanical change: bpf_sk_storage.c = bpf_sk_storage.c + bpf_local_storage.c bpf_sk_storage.h = bpf_sk_storage.h + bpf_local_storage.h Signed-off-by: KP Singh --- include/linux/bpf_local_storage.h | 163 include/net/bpf_sk_storage.h | 61

[PATCH bpf-next v8 7/7] bpf: Add selftests for local_storage

2020-08-03 Thread KP Singh
From: KP Singh inode_local_storage: * Hook to the file_open and inode_unlink LSM hooks. * Create and unlink a temporary file. * Store some information in the inode's bpf_local_storage during file_open. * Verify that this information exists when the file is unlinked. sk_local_storage: * Hook

[PATCH bpf-next v8 5/7] bpf: Implement bpf_local_storage for inodes

2020-08-03 Thread KP Singh
From: KP Singh Similar to bpf_local_storage for sockets, add local storage for inodes. The life-cycle of storage is managed with the life-cycle of the inode. i.e. the storage is destroyed along with the owning inode. The BPF LSM allocates an __rcu pointer to the bpf_local_storage

[PATCH bpf-next v8 2/7] bpf: Generalize caching for sk_storage.

2020-08-03 Thread KP Singh
From: KP Singh Provide the ability to define local storage caches on a per-object type basis. The caches and caching indices for different objects should not be inter-mixed as suggested in: https://lore.kernel.org/bpf/20200630193441.kdwnkestulg5e...@kafai-mbp.dhcp.thefacebook.com

[PATCH bpf-next v8 3/7] bpf: Generalize bpf_sk_storage

2020-08-03 Thread KP Singh
From: KP Singh Refactor the functionality in bpf_sk_storage.c so that concept of storage linked to kernel objects can be extended to other objects like inode, task_struct etc. Each new local storage will still be a separate map and provide its own set of helpers. This allows for future object

[PATCH bpf-next v8 6/7] bpf: Allow local storage to be used from LSM programs

2020-08-03 Thread KP Singh
From: KP Singh Adds support for both bpf_{sk, inode}_storage_{get, delete} to be used in LSM programs. These helpers are not used for tracing programs (currently) as their usage is tied to the life-cycle of the object and should only be used where the owning object won't be freed (when

Re: [PATCH bpf-next v8 0/7] Generalizing bpf_local_storage

2020-08-03 Thread KP Singh
On 8/3/20 6:46 PM, KP Singh wrote: > From: KP Singh > > # v7 -> v8 > > - Fixed an issue with BTF IDs for helpers and added > bpf_<>_storage_delete to selftests to catch this issue. > - Update comments about refcounts and grabbed a refcount to the open >

[PATCH bpf-next v9 4/7] bpf: Split bpf_local_storage to bpf_sk_storage

2020-08-23 Thread KP Singh
From: KP Singh A purely mechanical change: bpf_sk_storage.c = bpf_sk_storage.c + bpf_local_storage.c bpf_sk_storage.h = bpf_sk_storage.h + bpf_local_storage.h Signed-off-by: KP Singh --- include/linux/bpf_local_storage.h | 163 include/net/bpf_sk_storage.h | 61

[PATCH bpf-next v9 6/7] bpf: Allow local storage to be used from LSM programs

2020-08-23 Thread KP Singh
From: KP Singh Adds support for both bpf_{sk, inode}_storage_{get, delete} to be used in LSM programs. These helpers are not used for tracing programs (currently) as their usage is tied to the life-cycle of the object and should only be used where the owning object won't be freed (when

[PATCH bpf-next v9 0/7] Generalizing bpf_local_storage

2020-08-23 Thread KP Singh
From: KP Singh # v8 -> v9 - Fixed reference count logic for files for inode maps. - Other fixes suggested by Martin - Rebase # v7 -> v8 - Fixed an issue with BTF IDs for helpers and added bpf_<>_storage_delete to selftests to catch this issue. - Update comments about refcounts

[PATCH bpf-next v9 3/7] bpf: Generalize bpf_sk_storage

2020-08-23 Thread KP Singh
From: KP Singh Refactor the functionality in bpf_sk_storage.c so that concept of storage linked to kernel objects can be extended to other objects like inode, task_struct etc. Each new local storage will still be a separate map and provide its own set of helpers. This allows for future object

[PATCH bpf-next v9 5/7] bpf: Implement bpf_local_storage for inodes

2020-08-23 Thread KP Singh
From: KP Singh Similar to bpf_local_storage for sockets, add local storage for inodes. The life-cycle of storage is managed with the life-cycle of the inode. i.e. the storage is destroyed along with the owning inode. The BPF LSM allocates an __rcu pointer to the bpf_local_storage

[PATCH bpf-next v9 1/7] bpf: Renames in preparation for bpf_local_storage

2020-08-23 Thread KP Singh
From: KP Singh A purely mechanical change to split the renaming from the actual generalization. Flags/consts: SK_STORAGE_CREATE_FLAG_MASK BPF_LOCAL_STORAGE_CREATE_FLAG_MASK BPF_SK_STORAGE_CACHE_SIZE BPF_LOCAL_STORAGE_CACHE_SIZE MAX_VALUE_SIZE

[PATCH bpf-next v9 7/7] bpf: Add selftests for local_storage

2020-08-23 Thread KP Singh
From: KP Singh inode_local_storage: * Hook to the file_open and inode_unlink LSM hooks. * Create and unlink a temporary file. * Store some information in the inode's bpf_local_storage during file_open. * Verify that this information exists when the file is unlinked. sk_local_storage: * Hook

[PATCH bpf-next v9 2/7] bpf: Generalize caching for sk_storage.

2020-08-23 Thread KP Singh
From: KP Singh Provide the ability to define local storage caches on a per-object type basis. The caches and caching indices for different objects should not be inter-mixed as suggested in: https://lore.kernel.org/bpf/20200630193441.kdwnkestulg5e...@kafai-mbp.dhcp.thefacebook.com

[PATCH bpf-next 1/5] bpf: Implement task local storage

2020-10-27 Thread KP Singh
From: KP Singh Similar to bpf_local_storage for sockets and inodes add local storage for task_struct. The life-cycle of storage is managed with the life-cycle of the task_struct. i.e. the storage is destroyed along with the owning task with a callback to the bpf_task_storage_free from

[PATCH bpf-next 2/5] bpf: Implement get_current_task_btf and RET_PTR_TO_BTF_ID

2020-10-27 Thread KP Singh
From: KP Singh The currently available bpf_get_current_task returns an unsigned integer which can be used along with BPF_CORE_READ to read data from the task_struct but still cannot be used as an input argument to a helper that accepts an ARG_PTR_TO_BTF_ID of type task_struct. In order

[PATCH bpf-next 5/5] bpf: Add tests for task_local_storage

2020-10-27 Thread KP Singh
From: KP Singh The test implements a simple MAC policy which denies an executable from unlinking itself. The LSM program bprm_committed_creds sets a task_local_storage with a pointer to the inode. This is then used to detect if the task is trying to unlink itself in the inode_unlink LSM hook

[PATCH bpf-next 4/5] bpf: Update selftests for local_storage to use vmlinux.h

2020-10-27 Thread KP Singh
From: KP Singh With the BTF pruning of embedded types being fixed, the test can be simplified to use vmlinux.h Signed-off-by: KP Singh --- .../selftests/bpf/progs/local_storage.c | 20 +-- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/tools

[PATCH bpf-next 3/5] bpf: Fix tests for local_storage

2020-10-27 Thread KP Singh
From: KP Singh The {inode,sk}_storage_result checking if the correct value was retrieved was being clobbered unconditionally by the return value of the bpf_{inode,sk}_storage_delete call. Fixes: cd324d7abb3d ("bpf: Add selftests for local_storage") Signed-off-by: KP Singh --- .

[PATCH bpf-next 0/5] Implement task_local_storage

2020-10-27 Thread KP Singh
From: KP Singh We already have socket and inode local storage since [1] This patch series: * Implements bpf_local_storage for task_struct. * Implements the bpf_get_current_task_btf helper which returns a BTF pointer to the current task. Not only is this generally cleaner (reading from

Re: [PATCH bpf-next v4 2/4] bpf: Expose bpf_get_socket_cookie to tracing programs

2020-12-09 Thread KP Singh
d to > check it for NULLness. > > This helper could also be useful to other BPF program types such as LSM. > > Signed-off-by: Florent Revest Acked-by: KP Singh

[PATCH bpf-next 1/2] bpf: Augment the set of sleepable LSM hooks

2020-11-12 Thread KP Singh
From: KP Singh Update the set of sleepable hooks with the ones that do not trigger a warning with might_fault() when exercised with the correct kernel config options enabled, i.e. DEBUG_ATOMIC_SLEEP=y LOCKDEP=y PROVE_LOCKING=y This means that a sleepable LSM eBPF

[PATCH bpf-next 2/2] bpf: Expose bpf_d_path helper to sleepable LSM hooks

2020-11-12 Thread KP Singh
From: KP Singh Sleepable hooks are never called from an NMI/interrupt context, so it is safe to use the bpf_d_path helper in LSM programs attaching to these hooks. The helper is not restricted to sleepable programs and merely uses the list of sleepable hooks as the initial subset of LSM hooks

Re: [PATCH bpf-next 1/2] bpf: Augment the set of sleepable LSM hooks

2020-11-12 Thread KP Singh
On Thu, Nov 12, 2020 at 7:48 PM Andrii Nakryiko wrote: > > On Thu, Nov 12, 2020 at 9:20 AM KP Singh wrote: > > > > From: KP Singh > > > > Update the set of sleepable hooks with the ones that do not trigger > > a warning with might_fault() when exercise

[PATCH bpf-next v2 2/2] bpf: Expose bpf_d_path helper to sleepable LSM hooks

2020-11-12 Thread KP Singh
From: KP Singh Sleepable hooks are never called from an NMI/interrupt context, so it is safe to use the bpf_d_path helper in LSM programs attaching to these hooks. The helper is not restricted to sleepable programs and merely uses the list of sleepable hooks as the initial subset of LSM hooks

[PATCH bpf-next v2 1/2] bpf: Augment the set of sleepable LSM hooks

2020-11-12 Thread KP Singh
From: KP Singh Update the set of sleepable hooks with the ones that do not trigger a warning with might_fault() when exercised with the correct kernel config options enabled, i.e. DEBUG_ATOMIC_SLEEP=y LOCKDEP=y PROVE_LOCKING=y This means that a sleepable LSM eBPF

[PATCH bpf-next v2 0/2] Sleepable LSM Hooks

2020-11-12 Thread KP Singh
From: KP Singh # v1 -> v2 * Fixed typos and formatting errors. * Added Andrii's ack. KP Singh (2): bpf: Augment the set of sleepable LSM hooks bpf: Expose bpf_d_path helper to sleepable LSM hooks include/linux/bpf_lsm.h | 7 +++ kernel/bpf/bpf_lsm.c |

Re: [PATCH bpf-next v2 0/2] Sleepable LSM Hooks

2020-11-12 Thread KP Singh
On Thu, Nov 12, 2020 at 9:03 PM KP Singh wrote: > > From: KP Singh > > # v1 -> v2 > > * Fixed typos and formatting errors. > * Added Andrii's ack. Oops, I sent an older patch file which does not have Andrii's ack.

Re: [PATCH bpf-next v2 1/2] bpf: Augment the set of sleepable LSM hooks

2020-11-12 Thread KP Singh
On Thu, Nov 12, 2020 at 11:35 PM Daniel Borkmann wrote: > > On 11/12/20 9:03 PM, KP Singh wrote: > > From: KP Singh > > > > Update the set of sleepable hooks with the ones that do not trigger > > a warning with might_fault() when exercised with the correct kernel &

Re: [PATCH v2 1/5] net: Remove the err argument from sock_from_file

2020-11-19 Thread KP Singh
I think you meant to send these as [PATCH bpf-next] for bpf-next. I guess we can do a round of reviews and update the next revision (if any) with the correct prefixes. On Thu, Nov 19, 2020 at 5:27 PM Florent Revest wrote: > > From: Florent Revest > > Currently, the sock_from_file prototype

Re: [PATCH v2 2/5] bpf: Add a bpf_sock_from_file helper

2020-11-19 Thread KP Singh
do this a new helper > wrapping sock_from_file is added. > > This is useful to tracing programs but also other program types > inheriting this set of helpers such as iterators or LSM programs. > > Signed-off-by: Florent Revest Acked-by: KP Singh Some minor comments. >

Re: [PATCH v2 3/5] bpf: Expose bpf_sk_storage_* to iterator programs

2020-11-19 Thread KP Singh
On Thu, Nov 19, 2020 at 5:27 PM Florent Revest wrote: > > From: Florent Revest > > Iterators are currently used to expose kernel information to userspace > over fast procfs-like files but iterators could also be used to > manipulate local storage. For example, the task_file iterator could be >

Re: [PATCH v2 5/5] bpf: Add an iterator selftest for bpf_sk_storage_get

2020-11-19 Thread KP Singh
On Fri, Nov 20, 2020 at 1:32 AM Martin KaFai Lau wrote: > > On Thu, Nov 19, 2020 at 05:26:54PM +0100, Florent Revest wrote: > > From: Florent Revest > > > > The eBPF program iterates over all files and tasks. For all socket > > files, it stores the tgid of the last task it encountered with a

[PATCH bpf-next v3 0/2] Sleepable LSM Hooks

2020-11-12 Thread KP Singh
From: KP Singh # v2 -> v3 * Remove the list of non-sleepable hooks, will send a separate patch to the lsm list based on the discussion with Daniel. * Add Andrii's ack for real # v1 -> v2 * Fixed typos and formatting errors. * Added Andrii's ack. KP Singh (2): bpf: A

[PATCH bpf-next v3 2/2] bpf: Expose bpf_d_path helper to sleepable LSM hooks

2020-11-12 Thread KP Singh
From: KP Singh Sleepable hooks are never called from an NMI/interrupt context, so it is safe to use the bpf_d_path helper in LSM programs attaching to these hooks. The helper is not restricted to sleepable programs and merely uses the list of sleepable hooks as the initial subset of LSM hooks

[PATCH bpf-next v3 1/2] bpf: Augment the set of sleepable LSM hooks

2020-11-12 Thread KP Singh
From: KP Singh Update the set of sleepable hooks with the ones that do not trigger a warning with might_fault() when exercised with the correct kernel config options enabled, i.e. DEBUG_ATOMIC_SLEEP=y LOCKDEP=y PROVE_LOCKING=y This means that a sleepable LSM eBPF

Re: [PATCH bpf-next 1/5] bpf: Implement task local storage

2020-10-30 Thread KP Singh
Thanks for taking a look! On Wed, Oct 28, 2020 at 2:13 AM Martin KaFai Lau wrote: > > On Tue, Oct 27, 2020 at 06:03:13PM +0100, KP Singh wrote: > [ ... ] > > > diff --git a/kernel/bpf/bpf_task_storage.c b/kernel/bpf/bpf_task_storage.c > > new file mode 100644 > > in

Re: [PATCH bpf-next 1/5] bpf: Implement task local storage

2020-10-30 Thread KP Singh
On Fri, Oct 30, 2020 at 12:12 AM Andrii Nakryiko wrote: > > On Wed, Oct 28, 2020 at 9:17 AM KP Singh wrote: > > > > From: KP Singh > > > > Similar to bpf_local_storage for sockets and inodes add local storage > > for task_struct. > > > > The life

Re: [PATCH bpf-next 1/5] bpf: Implement task local storage

2020-10-30 Thread KP Singh
On Fri, Oct 30, 2020 at 12:28 AM Song Liu wrote: > > On Wed, Oct 28, 2020 at 9:17 AM KP Singh wrote: > > > > From: KP Singh > > > > Similar to bpf_local_storage for sockets and inodes add local storage > > for task_struct. > > > > The

[PATCH bpf-next 1/3] ima: Implement ima_inode_hash

2020-11-20 Thread KP Singh
From: KP Singh This is in preparation to add a helper for BPF LSM programs to use IMA hashes when attached to LSM hooks. There are LSM hooks like inode_unlink which do not have a struct file * argument and cannot use the existing ima_file_hash API. An inode based API is, therefore, useful

[PATCH bpf-next 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash

2020-11-20 Thread KP Singh
From: KP Singh - Update the IMA policy before executing the test binary (this is not an override of the policy, just an append that ensures that hashes are calculated on executions). - Call the bpf_ima_inode_hash in the bprm_committed_creds hook and check if the call succeeded and a hash

[PATCH bpf-next 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode

2020-11-20 Thread KP Singh
From: KP Singh Provide a wrapper function to get the IMA hash of an inode. This helper is useful in fingerprinting files (e.g. executables on execution) and using these fingerprints in detections like an executable unlinking itself. Since the ima_inode_hash can sleep, it's only allowed

Re: [PATCH bpf-next 1/3] ima: Implement ima_inode_hash

2020-11-20 Thread KP Singh
[...] > > > > diff --git a/scripts/bpf_helpers_doc.py b/scripts/bpf_helpers_doc.py > > index c5bc947a70ad..add7fcb32dcd 100755 > > --- a/scripts/bpf_helpers_doc.py > > +++ b/scripts/bpf_helpers_doc.py > > @@ -478,6 +478,7 @@ class PrinterHelpers(Printer): > > 'struct

Re: [PATCH bpf-next 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode

2020-11-20 Thread KP Singh
[...] > > + * long bpf_ima_inode_hash(struct inode *inode, void *dst, u32 size) > > + * Description > > + * Returns the stored IMA hash of the *inode* (if it's > > avaialable). > > + * If the hash is larger than *size*, then only *size* > > + * bytes will be

Re: [PATCH bpf-next 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash

2020-11-20 Thread KP Singh
On Fri, Nov 20, 2020 at 7:11 PM Yonghong Song wrote: > > > > On 11/20/20 5:17 AM, KP Singh wrote: > > From: KP Singh > > > > - Update the IMA policy before executing the test binary (this is not an > >override of the policy, just an append that ensur

[PATCH bpf-next v2 1/3] ima: Implement ima_inode_hash

2020-11-20 Thread KP Singh
From: KP Singh This is in preparation to add a helper for BPF LSM programs to use IMA hashes when attached to LSM hooks. There are LSM hooks like inode_unlink which do not have a struct file * argument and cannot use the existing ima_file_hash API. An inode based API is, therefore, useful

[PATCH bpf-next v2 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode

2020-11-20 Thread KP Singh
From: KP Singh Provide a wrapper function to get the IMA hash of an inode. This helper is useful in fingerprinting files (e.g. executables on execution) and using these fingerprints in detections like an executable unlinking itself. Since the ima_inode_hash can sleep, it's only allowed

[PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash

2020-11-20 Thread KP Singh
From: KP Singh - Update the IMA policy before executing the test binary (this is not an override of the policy, just an append that ensures that hashes are calculated on executions). - Call the bpf_ima_inode_hash in the bprm_committed_creds hook and check if the call succeeded and a hash

[PATCH bpf-next v4 1/2] bpf: Add bpf_bprm_opts_set helper

2020-11-17 Thread KP Singh
From: KP Singh The helper allows modification of certain bits on the linux_binprm struct starting with the secureexec bit which can be updated using the BPF_F_BPRM_SECUREEXEC flag. secureexec can be set by the LSM for privilege gaining executions to set the AT_SECURE auxv for glibc. When set

[PATCH bpf-next v4 2/2] bpf: Add tests for bpf_bprm_opts_set helper

2020-11-17 Thread KP Singh
From: KP Singh The test forks a child process, updates the local storage to set/unset the secureexec bit. The BPF program in the test attaches to bprm_creds_for_exec which checks the local storage of the current task to set the secureexec bit on the binary parameters (bprm). The child

Re: [PATCH bpf-next v3 1/2] bpf: Add bpf_lsm_set_bprm_opts helper

2020-11-17 Thread KP Singh
On Tue, Nov 17, 2020 at 11:41 PM Daniel Borkmann wrote: > > On 11/17/20 3:13 AM, KP Singh wrote: > > From: KP Singh > > > > The helper allows modification of certain bits on the linux_binprm > > struct starting with the secureexec bit which can be updated using the

[PATCH bpf-next 2/2] bpf: Add tests for bpf_lsm_set_bprm_opts

2020-11-16 Thread KP Singh
From: KP Singh The test forks a child process, updates the local storage to set/unset the secureexec bit. The BPF program in the test attaches to bprm_creds_for_exec which checks the local storage of the current task to set the secureexec bit on the binary parameters (bprm). The child

[PATCH bpf-next 1/2] bpf: Add bpf_lsm_set_bprm_opts helper

2020-11-16 Thread KP Singh
From: KP Singh The helper allows modification of certain bits on the linux_binprm struct starting with the secureexec bit which can be updated using the BPF_LSM_F_BPRM_SECUREEXEC flag. secureexec can be set by the LSM for privilege gaining executions to set the AT_SECURE auxv for glibc. When

Re: [PATCH bpf-next 2/2] bpf: Add tests for bpf_lsm_set_bprm_opts

2020-11-16 Thread KP Singh
[...] > + > +#include "vmlinux.h" > +#include > +#include > +#include > + > +char _license[] SEC("license") = "GPL"; > + > +struct { > + __uint(type, BPF_MAP_TYPE_TASK_STORAGE); > + __uint(map_flags, BPF_F_NO_PREALLOC); > + __type(key, int); > + __type(value, int); > +}

Re: [PATCH bpf-next 1/2] bpf: Add bpf_lsm_set_bprm_opts helper

2020-11-16 Thread KP Singh
[...] > > > > +BPF_CALL_2(bpf_lsm_set_bprm_opts, struct linux_binprm *, bprm, u64, flags) > > +{ > > This should also reject invalid flags. I'd rather change this helper from > RET_VOID > to RET_INTEGER and throw -EINVAL for everything other than > BPF_LSM_F_BPRM_SECUREEXEC > passed in here

Re: [PATCH bpf-next 1/2] bpf: Add bpf_lsm_set_bprm_opts helper

2020-11-16 Thread KP Singh
On Mon, Nov 16, 2020 at 11:48 PM KP Singh wrote: > > [...] > > > > > > > +BPF_CALL_2(bpf_lsm_set_bprm_opts, struct linux_binprm *, bprm, u64, > > > flags) > > > +{ > > > > This should also reject invalid flags. I'd rather change this helpe

[PATCH bpf-next v2 1/2] bpf: Add bpf_lsm_set_bprm_opts helper

2020-11-16 Thread KP Singh
From: KP Singh The helper allows modification of certain bits on the linux_binprm struct starting with the secureexec bit which can be updated using the BPF_LSM_F_BPRM_SECUREEXEC flag. secureexec can be set by the LSM for privilege gaining executions to set the AT_SECURE auxv for glibc. When

[PATCH bpf-next v2 2/2] bpf: Add tests for bpf_lsm_set_bprm_opts

2020-11-16 Thread KP Singh
From: KP Singh The test forks a child process, updates the local storage to set/unset the secureexec bit. The BPF program in the test attaches to bprm_creds_for_exec which checks the local storage of the current task to set the secureexec bit on the binary parameters (bprm). The child

Re: [PATCH bpf-next v2 2/2] bpf: Add tests for bpf_lsm_set_bprm_opts

2020-11-16 Thread KP Singh
On Tue, Nov 17, 2020 at 1:43 AM Martin KaFai Lau wrote: > > On Mon, Nov 16, 2020 at 11:25:36PM +0000, KP Singh wrote: > > From: KP Singh > > > > The test forks a child process, updates the local storage to set/unset > > the secureexec bit. > > >

Re: [PATCH bpf-next v2 1/2] bpf: Add bpf_lsm_set_bprm_opts helper

2020-11-16 Thread KP Singh
On Tue, Nov 17, 2020 at 1:11 AM Martin KaFai Lau wrote: > > On Mon, Nov 16, 2020 at 11:25:35PM +0000, KP Singh wrote: > > From: KP Singh > > > > The helper allows modification of certain bits on the linux_binprm > > struct starting with the secureexec

Re: [PATCH bpf-next v2 1/2] bpf: Add bpf_lsm_set_bprm_opts helper

2020-11-16 Thread KP Singh
On Tue, Nov 17, 2020 at 3:03 AM KP Singh wrote: > > On Tue, Nov 17, 2020 at 1:11 AM Martin KaFai Lau wrote: > > > > On Mon, Nov 16, 2020 at 11:25:35PM +0000, KP Singh wrote: > > > From: KP Singh > > > > > > The helper allows modification of certain b

[PATCH bpf-next v3 2/2] bpf: Add tests for bpf_lsm_set_bprm_opts

2020-11-16 Thread KP Singh
From: KP Singh The test forks a child process, updates the local storage to set/unset the secureexec bit. The BPF program in the test attaches to bprm_creds_for_exec which checks the local storage of the current task to set the secureexec bit on the binary parameters (bprm). The child

[PATCH bpf-next v3 1/2] bpf: Add bpf_lsm_set_bprm_opts helper

2020-11-16 Thread KP Singh
From: KP Singh The helper allows modification of certain bits on the linux_binprm struct starting with the secureexec bit which can be updated using the BPF_LSM_F_BPRM_SECUREEXEC flag. secureexec can be set by the LSM for privilege gaining executions to set the AT_SECURE auxv for glibc. When

Re: [PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash

2020-11-23 Thread KP Singh
On Mon, Nov 23, 2020 at 2:24 PM Mimi Zohar wrote: > > On Sat, 2020-11-21 at 00:50 +0000, KP Singh wrote: > > From: KP Singh > > > > - Update the IMA policy before executing the test binary (this is not an > > override of the policy, just an append that ensures th

Re: [PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash

2020-11-23 Thread KP Singh
[...] > > > > > > Even if a custom policy has been loaded, potentially additional > > > measurements unrelated to this test would be included the measurement > > > list. One way of limiting a rule to a specific test is by loopback > > > mounting a file system and defining a policy rule based on

Re: [PATCH bpf-next v2 3/3] bpf: Update LSM selftests for bpf_ima_inode_hash

2020-11-23 Thread KP Singh
On Mon, Nov 23, 2020 at 7:36 PM Yonghong Song wrote: > > > > On 11/23/20 10:27 AM, KP Singh wrote: > > [...] > > > >>>> > >>>> Even if a custom policy has been loaded, potentially additional > >>>> measurements unrelated

Re: [PATCH bpf-next 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode

2020-11-24 Thread KP Singh
On Tue, Nov 24, 2020 at 5:02 AM Alexei Starovoitov wrote: > > On Fri, Nov 20, 2020 at 01:17:07PM +0000, KP Singh wrote: > > + > > +static bool bpf_ima_inode_hash_allowed(const struct bpf_prog *prog) > > +{ > > + return bpf_lsm_is_sleepable

Re: [PATCH bpf-next v3 3/3] bpf: Add a selftest for bpf_ima_inode_hash

2020-11-26 Thread KP Singh
[...] > > + exit(errno); > > Running test_progs-no-alu32, the test failed as: > > root@arch-fb-vm1:~/net-next/net-next/tools/testing/selftests/bpf > ./test_progs-no_alu32 -t test_ima Note to self: Also start testing test_progs-no_alu32 > > sh: ./ima_setup.sh: No such file or

Re: [PATCH bpf-next v3 3/6] bpf: Expose bpf_sk_storage_* to iterator programs

2020-11-26 Thread KP Singh
ialize a socket local storage with associations between > processes and sockets or to selectively delete local storage values. > > Signed-off-by: Florent Revest > Acked-by: Martin KaFai Lau Acked-by: KP Singh

Re: [PATCH bpf-next v3 1/6] net: Remove the err argument from sock_from_file

2020-11-26 Thread KP Singh
; > This patch simplifies the API by letting callers deduce the error based > on whether the returned socket is NULL or not. > > Suggested-by: Al Viro > Signed-off-by: Florent Revest Reviewed-by: KP Singh

Re: [PATCH bpf-next 1/2] bpf: Add a bpf_kallsyms_lookup helper

2020-11-26 Thread KP Singh
[...] > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > index c3458ec1f30a..670998635eac 100644 > --- a/include/uapi/linux/bpf.h > +++ b/include/uapi/linux/bpf.h > @@ -3817,6 +3817,21 @@ union bpf_attr { > * The **hash_algo** is returned on success, > *

Re: [PATCH bpf-next 1/2] bpf: Add a bpf_kallsyms_lookup helper

2020-11-27 Thread KP Singh
On Fri, Nov 27, 2020 at 8:35 AM Yonghong Song wrote: > > > > On 11/26/20 8:57 AM, Florent Revest wrote: > > This helper exposes the kallsyms_lookup function to eBPF tracing > > programs. This can be used to retrieve the name of the symbol at an > > address. For example, when hooking into

Re: [PATCH bpf-next v3 3/3] bpf: Add a selftest for bpf_ima_inode_hash

2020-11-27 Thread KP Singh
On Fri, Nov 27, 2020 at 5:29 AM Andrii Nakryiko wrote: > > On Tue, Nov 24, 2020 at 7:16 AM KP Singh wrote: > > > > From: KP Singh > > [...] > > > +cleanup() { > > +local tmp_dir="$1" > > +local mount_img="${tmp

Re: [PATCH bpf-next 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode

2020-11-24 Thread KP Singh
On Tue, Nov 24, 2020 at 12:04 PM KP Singh wrote: > > On Tue, Nov 24, 2020 at 5:02 AM Alexei Starovoitov > wrote: > > > > On Fri, Nov 20, 2020 at 01:17:07PM +0000, KP Singh wrote: > > > + > > > +static bool bpf_ima_inode_hash_allowed(const struct bpf_

[PATCH bpf-next v3 2/3] bpf: Add a BPF helper for getting the IMA hash of an inode

2020-11-24 Thread KP Singh
From: KP Singh Provide a wrapper function to get the IMA hash of an inode. This helper is useful in fingerprinting files (e.g. executables on execution) and using these fingerprints in detections like an executable unlinking itself. Since the ima_inode_hash can sleep, it's only allowed

[PATCH bpf-next v3 3/3] bpf: Add a selftest for bpf_ima_inode_hash

2020-11-24 Thread KP Singh
From: KP Singh The test does the following: - Mounts a loopback filesystem and appends the IMA policy to measure executions only on this file-system. Restricting the IMA policy to a particular filesystem prevents a system-wide IMA policy change. - Executes an executable copied

[PATCH bpf-next v3 0/3] Implement bpf_ima_inode_hash

2020-11-24 Thread KP Singh
From: KP Singh # v2 -> v3 - Fixed an issue pointed out by Alexei, the helper should only be exposed to sleepable hooks. - Update the selftests to constrain the IMA policy update to a loopback filesystem specifically created for the test. Also, split this out from the LSM test. I drop

[PATCH bpf-next v3 1/3] ima: Implement ima_inode_hash

2020-11-24 Thread KP Singh
From: KP Singh This is in preparation to add a helper for BPF LSM programs to use IMA hashes when attached to LSM hooks. There are LSM hooks like inode_unlink which do not have a struct file * argument and cannot use the existing ima_file_hash API. An inode based API is, therefore, useful

Re: [PATCH bpf-next v3 3/3] bpf: Add a selftest for bpf_ima_inode_hash

2020-11-24 Thread KP Singh
On Wed, Nov 25, 2020 at 3:20 AM Mimi Zohar wrote: > > On Tue, 2020-11-24 at 15:12 +0000, KP Singh wrote: > > diff --git a/tools/testing/selftests/bpf/ima_setup.sh > > b/tools/testing/selftests/bpf/ima_setup.sh > > new file mode 100644 > > index ..

Re: [PATCH bpf-next v3 1/3] ima: Implement ima_inode_hash

2020-11-25 Thread KP Singh
On Tue, Nov 24, 2020 at 6:35 PM Yonghong Song wrote: > > > > On 11/24/20 7:12 AM, KP Singh wrote: > > From: KP Singh > > > > This is in preparation to add a helper for BPF LSM programs to use > > IMA hashes when attached to LSM hooks. There are LSM hooks lik

Re: [PATCH bpf-next v4 8/9] bpf: Add tests for task_local_storage

2020-11-05 Thread KP Singh
On Thu, Nov 5, 2020 at 11:03 PM Martin KaFai Lau wrote: > > On Thu, Nov 05, 2020 at 03:47:54PM +0100, KP Singh wrote: > > From: KP Singh > > > > The test exercises the syscall based map operations by creating a pidfd > > for the current process. > > [
