e kcmp() less required
> selftests/seccomp: Rename user_trap_syscall() to user_notif_syscall()
> seccomp: Switch addfd to Extensible Argument ioctl
> seccomp: Fix ioctl number for SECCOMP_IOCTL_NOTIF_ID_VALID
>
This looks much cleaner than the original patchset. Thanks
l_received_user(scm->fp->fp[i], cmsg_data + i,
> o_flags);
> - if (err)
> + if (err < 0)
> break;
> }
>
> diff --git a/net/core/scm.c b/net/core/scm.c
> index df190f1fdd28..b9a0442ebd26 100644
> --- a/net/core/scm.c
> +++ b/net/core/scm.c
> @@ -307,7 +307,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie
> *scm)
>
> for (i = 0; i < fdmax; i++) {
> err = fd_install_received_user(scm->fp->fp[i], cmsg_data + i,
> o_flags);
> - if (err)
> + if (err < 0)
> break;
> }
>
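Review bot: the change from `if (err)` to `if (err < 0)` makes a positive return from fd_install_received_user() a non-terminating case, so the loop now depends on the helper returning a non-negative value on success and a negative errno only on failure; the variable is still called `err` even though it can now hold a success value. Consider renaming it (for example `fd`) or adding a one-line comment at the call site so the new return contract is visible to readers of scm_detach_fds(), and confirm the other call site converted earlier in this series uses the same `< 0` test.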
> --
> 2.25.1
>
Reviewed-by: Sargun Dhillon
On Mon, Jun 15, 2020 at 08:25:15PM -0700, Kees Cook wrote:
> In preparation for users of the "install a received file" logic outside
> of net/ (pidfd and seccomp), relocate and rename __scm_install_fd() from
> net/core/scm.c to __fd_install_received() in fs/file.c, and provide a
> wrapper named fd_
On Tue, Jun 09, 2020 at 09:52:14PM -0700, Kees Cook wrote:
> The sock counting (sock_update_netprioidx() and sock_update_classid())
> was missing from this implementation of fd installation, compared to
> SCM_RIGHTS. Use the new scm helper to get the work done, after adjusting
> it to return the in
This turns rpc_auth_create_args into a const as it gets passed through the
auth stack.
Signed-off-by: Sargun Dhillon
---
include/linux/sunrpc/auth.h| 5 +++--
net/sunrpc/auth.c | 2 +-
net/sunrpc/auth_gss/auth_gss.c | 9 +
net/sunrpc/auth_null.c | 2 +-
net
Today, sunrpc lives in net/sunrpc. As far as I can tell, the primary
production consumer of it is NFS. The RPC clients have the concept of
being tied back to a network namespace. On the other hand, NFS has its
own superblock with its own user namespace.
When sunrpc convert kuids to UIDs to send ov
On Tue, Mar 6, 2018 at 12:31 PM, Daniel Borkmann wrote:
> On 03/06/2018 05:02 PM, Sargun Dhillon wrote:
>> On Tue, Mar 6, 2018 at 3:26 AM, Daniel Borkmann wrote:
>>> On 03/06/2018 02:53 AM, Alexei Starovoitov wrote:
>>>> On Mon, Mar 05, 2018 at 05:46:51PM -0800,
On Mon, Mar 5, 2018 at 8:10 AM, Tycho Andersen wrote:
> Hi Andy,
>
> On Thu, Mar 01, 2018 at 10:05:47PM +, Andy Lutomirski wrote:
>> But Tycho: would hooking user notifiers in right here work for you?
>> As I see it, this would be the best justification for seccomp eBPF.
>
> Sorry for the dela
On Thu, Mar 1, 2018 at 1:59 PM, Andy Lutomirski wrote:
> On Thu, Mar 1, 2018 at 9:51 PM, Sargun Dhillon wrote:
>> On Thu, Mar 1, 2018 at 9:44 AM, Andy Lutomirski wrote:
>>> On Wed, Feb 28, 2018 at 7:56 PM, Daniel Borkmann
>>> wrote:
>>>> On 02/28/2018 12
On Thu, Mar 1, 2018 at 9:44 AM, Andy Lutomirski wrote:
> On Wed, Feb 28, 2018 at 7:56 PM, Daniel Borkmann wrote:
>> On 02/28/2018 12:55 AM, chris hyser wrote:
On 02/27/2018 04:58 PM, Daniel Borkmann wrote:
>> On 02/27/2018 05:59 PM, chris hyser wrote:
>> On 02/27/2018 11:00 AM, Kee
On Mon, Feb 26, 2018 at 7:57 PM, Tycho Andersen wrote:
> On Mon, Feb 26, 2018 at 07:49:48PM -0800, Sargun Dhillon wrote:
>> On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen wrote:
>> > On Mon, Feb 26, 2018 at 07:27:05AM +0000, Sargun Dhillon wrote:
>> >> +
On Mon, Feb 26, 2018 at 4:54 PM, Tycho Andersen wrote:
> On Mon, Feb 26, 2018 at 07:27:05AM +0000, Sargun Dhillon wrote:
>> +config SECCOMP_FILTER_EXTENDED
>> + bool "Extended BPF seccomp filters"
>> + depends on SECCOMP_FILTER && BPF_SYSCALL
On Mon, Feb 26, 2018 at 5:01 PM, Tycho Andersen wrote:
> On Mon, Feb 26, 2018 at 03:20:15PM -0800, Kees Cook wrote:
>> On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov
>> wrote:
>> > On Mon, Feb 26, 2018 at 07:26:54AM +0000, Sargun Dhillon wrote:
>> >> This
On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov
wrote:
> On Mon, Feb 26, 2018 at 07:26:54AM +0000, Sargun Dhillon wrote:
>> This patchset enables seccomp filters to be written in eBPF. Although, this
>> patchset doesn't introduce much of the functionality enabled by
This adds a sample program that uses seccomp-eBPF, called
seccomp1. It shows the simple ability to code seccomp filters
in C.
Signed-off-by: Sargun Dhillon
---
samples/bpf/Makefile| 5 +
samples/bpf/bpf_load.c | 9 ++--
samples/bpf/test_seccomp_kern.c | 41
cBPF one. Verification occurs at program load time,
so the user should only receive errors related to attachment.
Signed-off-by: Sargun Dhillon
---
arch/Kconfig | 8 +++
include/linux/bpf_types.h| 3 +
include/linux/seccomp.h | 3 +-
include/uapi/linux/bpf.h | 2
er, not a separate command
* Remove printk helper
* Remove ptrace patch / restore filter / sample
* Add some safe helpers
Sargun Dhillon (2):
bpf, seccomp: Add eBPF filter capabilities
bpf: Add eBPF seccomp sample programs
arch/Kconfig| 8 ++
include/linux/bpf_t
On Mon, Feb 19, 2018 at 4:00 PM, Daniel Borkmann wrote:
> On 02/19/2018 05:22 PM, Sargun Dhillon wrote:
>> This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant
>> to be used for seccomp filters as an alternative to cBPF filters. The
>> program type h
On Mon, Feb 19, 2018 at 4:00 PM, Daniel Borkmann wrote:
> On 02/19/2018 05:22 PM, Sargun Dhillon wrote:
>> This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant
>> to be used for seccomp filters as an alternative to cBPF filters. The
>> program type h
cBPF one. Verification occurs at program load time,
so the user should only receive errors related to attachment.
Signed-off-by: Sargun Dhillon
---
arch/Kconfig | 8 +++
include/linux/bpf_types.h| 3 +
include/linux/seccomp.h | 3 +-
include/uapi/linux/bpf.h | 2
On Sat, Feb 17, 2018 at 9:58 AM, Randy Dunlap wrote:
> On 02/16/2018 11:36 PM, Sargun Dhillon wrote:
>> + close(111);
>> + assert(errno == EBADF);
>> + close(999);
>> + assert(errno = EPERM);
>
> should that be == ?
>
Woops. Embarassin
cBPF one. Verification occurs at program load time,
so the user should only receive errors related to attachment.
Signed-off-by: Sargun Dhillon
---
arch/Kconfig | 8 +++
include/linux/bpf_types.h| 3 +
include/linux/seccomp.h | 3 +-
include/uapi/linux/bpf.h | 2
emove ptrace patch / restore filter / sample
* Add some safe helpers
Sargun Dhillon (2):
bpf, seccomp: Add eBPF filter capabilities
bpf: Add eBPF seccomp sample programs
arch/Kconfig | 8 +++
include/linux/bpf_types.h| 3 +
include/linux/seccomp.h | 3 +-
includ
This adds a sample program that uses seccomp-eBPF, called
seccomp1. It shows the simple ability to code seccomp filters
in C.
Signed-off-by: Sargun Dhillon
---
samples/bpf/Makefile| 5 +
samples/bpf/bpf_load.c | 9 +++--
samples/bpf/seccomp1_kern.c | 43
On Tue, Feb 13, 2018 at 12:34 PM, Kees Cook wrote:
> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
>> From: Sargun Dhillon
>>
>> This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant
>> to be used for seccomp filters as an alternative to c
On Wed, Feb 14, 2018 at 8:30 PM, Alexei Starovoitov
wrote:
> On Wed, Feb 14, 2018 at 10:32:22AM -0700, Tycho Andersen wrote:
>> > >
>> > > What's the reason for adding eBPF support? seccomp shouldn't need it,
>> > > and it only makes the code more complex. I'd rather stick with cBPF
>> > > until w
On Tue, Feb 13, 2018 at 9:02 AM, Jessie Frazelle wrote:
> On Tue, Feb 13, 2018 at 11:29 AM, Sargun Dhillon wrote:
>> On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook wrote:
>>> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
>>>> This patchset enables seccomp
On Tue, Feb 13, 2018 at 7:47 AM, Kees Cook wrote:
> On Tue, Feb 13, 2018 at 7:42 AM, Sargun Dhillon wrote:
>> This patchset enables seccomp filters to be written in eBPF. Although,
>> this patchset doesn't introduce much of the functionality enabled by
>> eBPF, it l
From: Sargun Dhillon
This adds two sample programs:
seccomp1: A simple eBPF seccomp filter
seccomp2: A program which installs an eBPF filter
and then retrieves it via ptrace to show
checkpoint / restore capability.
Signed-off-by: Sargun Dhillon
---
samples/bpf/Makefile
ss, if we come
to an agreement, this can be in a follow-up patchset.
Sargun Dhillon (3):
bpf, seccomp: Add eBPF filter capabilities
seccomp, ptrace: Add a mechanism to retrieve attached eBPF seccomp
filters
bpf: Add eBPF seccomp sample programs
arch/Kconfig |
From: Sargun Dhillon
This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant
to be used for seccomp filters as an alternative to cBPF filters. The
program type has relatively limited capabilities in terms of helpers,
but that can be extended later on.
It also introduces a new
From: Sargun Dhillon
This extends the ptrace API to allow fetching eBPF seccomp filters
attached to programs. This is to enable checkpoint / restore cases.
The user will have to use the traditional PTRACE_SECCOMP_GET_FILTER
API call, and if they get an invalid medium type error they can
On Fri, Dec 2, 2016 at 4:20 PM, Alexei Starovoitov
wrote:
> On Fri, Dec 02, 2016 at 11:42:15AM -0800, John Fastabend wrote:
>> >> As far as pattern search for DNS packets...
>> >> it was requested by Cloudflare guys back in March:
>> >> https://github.com/iovisor/bcc/issues/471
>> >> and it is use
This patch modifies test_current_task_under_cgroup_user. The test has
several helpers around creating a temporary environment for cgroup
testing, and moving the current task around cgroups. This set of
helpers can then be used in other tests.
Signed-off-by: Sargun Dhillon
---
samples/bpf
ls is enabled,
this test will fail.
Signed-off-by: Sargun Dhillon
---
samples/bpf/Makefile | 2 +
samples/bpf/test_cgrp2_attach2.c | 132 +++
2 files changed, 134 insertions(+)
create mode 100644 samples/bpf/test_cgrp2_attach2.c
diff --git a/sample
With this code, we're able
to pretty easily add an automated test for future cgroupsv2 functionality.
Sargun Dhillon (2):
samples, bpf: Refactor test_current_task_under_cgroup - separate out
helpers
samples, bpf: Add automated test for cgroup filter attachments
sample
On Mon, Nov 28, 2016 at 7:50 PM, Alexei Starovoitov
wrote:
> On Mon, Nov 28, 2016 at 02:52:42PM -0800, Sargun Dhillon wrote:
>> This patch modifies test_cgrp2_attach to use getopt so we can use standard
>> command line parsing.
>>
>> It also adds an option to run the
then attach. It relies
on the 'hotswap' behaviour of CGroup BPF programs to be able to change
in-place. If detach-then-attach behaviour needs to be tested, the example
can be run in detach only mode prior to attachment.
Signed-off-by: Sargun Dhillon
---
samples/bpf/test_cgrp2_att
ivileges. Moreover, a
>> Landlock eBPF program could come from outside a process (e.g. passed through
>> a
>> UNIX socket). It is then useful to differentiate the creation/load of
>> Landlock
>> eBPF programs via bpf(2), from rule enforcing via seccomp(2).
>>
On Thu, Sep 15, 2016 at 09:41:33PM +0200, Mickaël Salaün wrote:
>
> On 15/09/2016 06:48, Alexei Starovoitov wrote:
> > On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote:
> >> On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov
> >> wrote:
> >>> On Wed, Sep 14, 2016 at 09:08:57PM -07
I'm fine giving up the Checmate name. Landlock seems easy enough to
Google. I haven't gotten a chance to look through the entire patchset
yet, but it does seem like they are somewhat similar.
On Mon, Sep 19, 2016 at 5:12 PM, Alexei Starovoitov
wrote:
> On Thu, Sep 15, 2016 at 11:25:10PM +0200, Mi
On Mon, Sep 19, 2016 at 06:34:28PM +0200, Daniel Mack wrote:
> Hi,
>
> On 09/16/2016 09:57 PM, Sargun Dhillon wrote:
> > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote:
>
> >> I have no idea what makes you think this is limited to systemd. As I
> >
On Fri, Sep 16, 2016 at 12:57:29PM -0700, Sargun Dhillon wrote:
> On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote:
> > Hi Pablo,
> >
> > On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote:
> > > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote:
On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote:
> Hi Pablo,
>
> On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote:
> > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote:
> >> On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote:
> >>> On Mon, Sep 12, 2016 at 06:12:09PM +0200, Danie
On Mon, Sep 05, 2016 at 04:49:26PM +0200, Daniel Mack wrote:
> Hi,
>
> On 08/30/2016 01:04 AM, Sargun Dhillon wrote:
> > On Fri, Aug 26, 2016 at 09:58:48PM +0200, Daniel Mack wrote:
> >> This patch adds two sets of eBPF program pointers to struct cgroup.
> >> One
On Mon, Aug 29, 2016 at 02:49:17PM -0700, Alexei Starovoitov wrote:
> On 8/29/16 12:24 PM, Tejun Heo wrote:
> >Hello, Sargun.
> >
> >On Mon, Aug 29, 2016 at 11:49:07AM -0700, Sargun Dhillon wrote:
> >>It would be a separate hook per LSM hook. Why wouldn't we wa
On Fri, Aug 26, 2016 at 09:58:48PM +0200, Daniel Mack wrote:
> This patch adds two sets of eBPF program pointers to struct cgroup.
> One for such that are directly pinned to a cgroup, and one for such
> that are effective for it.
>
> To illustrate the logic behind that, assume the following exampl
On Tue, Aug 30, 2016 at 12:03:23AM +0200, Daniel Borkmann wrote:
> On 08/26/2016 09:58 PM, Daniel Mack wrote:
> >If the cgroup associated with the receiving socket has an eBPF
> >programs installed, run them from __dev_queue_xmit().
> >
> >eBPF programs used in this context are expected to either r
On Mon, Aug 29, 2016 at 01:01:18PM -0400, Tejun Heo wrote:
> Hello,
>
> On Mon, Aug 29, 2016 at 04:47:07AM -0700, Sargun Dhillon wrote:
> > This patch adds a minor LSM, Checmate. Checmate is a flexible programmable,
> > extensible minor LSM that's coupled with cgroups
easier.
This patch is used in follow on samples.
Signed-off-by: Sargun Dhillon
---
samples/bpf/Makefile | 2 +-
samples/bpf/cgroup_helpers.c | 103 ++
samples/bpf/cgroup_helpers.h | 15
samples/bpf
for not refcnting 2-tuples using atomic counters is the lack of
a safe free mechanism.
In order to run this program, you may need to bump your ulimit -l.
2) remap_bind
This program rewrites binds from 6789 to 12345. It is meant to mimic
the usage of DNAT.
Signed-off-by: Sargun Dhillon
This adds documentation on how to operate, and develop against the
Checmate LSM and Cgroup controller.
Signed-off-by: Sargun Dhillon
---
Documentation/security/Checmate.txt | 54 +
1 file changed, 54 insertions(+)
create mode 100644 Documentation/security
This patch exposes the current_task_under_cgroup helper to Checmate
programs. It can be used to implement exemptions for certain policies
when using Checmate programs by wrapping a pre-compiled policy
in a tail call along with this helper.
Signed-off-by: Sargun Dhillon
---
include/linux/bpf.h
D
API for introspecting sockets (getpeername) still works.
Signed-off-by: Sargun Dhillon
---
include/uapi/linux/bpf.h | 11
security/checmate/checmate_bpf.c | 55
2 files changed, 66 insertions(+)
diff --git a/include/uapi/linux/bpf.h b/in
chestrator
complex policies can be installed on the cgroup hierarchy.
These cgroup programs are tied to the kernel ABI version. If one tries
to load a BPF program compiled against a different kernel version,
an error will be thrown.
Signed-off-by: Sargun Dhillon
---
include/linux/cgroup_subsys.
This patch changes the order of allocations / calls to allocate the
sock_cgroup_data before calling security_sk_alloc. In addition, this
patch also reorders the deallocation when calling security_sk_free
so that LSMs can examine the cgroup that a particular sk belongs to.
Signed-off-by: Sargun Dh
This patch moves cgroup_parent into cgroup.h as a static inline helper
function so that others can use it. Although this pattern is easy
to implement, having it in one place simplifies the creation
of new cgroup controllers.
Signed-off-by: Sargun Dhillon
---
include/linux/cgroup.h | 16
This patch moves bpf_probe_read and bpf_get_current_task to be the shared
cgroup infrastructure. These are useful outside of the context of just
tracing, but also inspection of a process memory during security
policy enforcement.
Signed-off-by: Sargun Dhillon
---
include/linux/bpf.h | 2
at.
2) API
The API right now tightly ties programs to the kernel version. I don't see a
good way around this unless we decide that a subset of the lsm hooks API is
immutable. That's a question for the LSM maintainers.
Thanks to Alexei, Daniel B, and Daniel Mack, and Tejun for input.
On Tue, Aug 23, 2016 at 10:27:28AM +0200, Daniel Mack wrote:
> On 08/22/2016 07:20 PM, Sargun Dhillon wrote:
> > On Mon, Aug 22, 2016 at 06:22:20PM +0200, Daniel Mack wrote:
> >> On 08/22/2016 06:06 PM, Pablo Neira Ayuso wrote:
>
> >>> This patchset also needs an
On Mon, Aug 22, 2016 at 06:22:20PM +0200, Daniel Mack wrote:
> On 08/22/2016 06:06 PM, Pablo Neira Ayuso wrote:
> > On Fri, Aug 19, 2016 at 07:07:39PM +0200, Thomas Graf wrote:
>
> >> You brought up multiple tables which reflect the cumulative approach.
> >> This sometimes works but has its issues
On Wed, Aug 17, 2016 at 04:00:47PM +0200, Daniel Mack wrote:
> If CONFIG_CGROUP_BPF is enabled, and the cgroup associated with the
> receiving socket has an eBPF programs installed, run them from
> sk_filter_trim_cap().
>
> eBPF programs used in this context are expected to either return 1 to
> le
On Mon, Aug 15, 2016 at 12:59:13PM +0200, Mickaël Salaün wrote:
>
> On 15/08/2016 05:09, Sargun Dhillon wrote:
> > On Mon, Aug 15, 2016 at 12:57:44AM +0200, Mickaël Salaün wrote:
> >> Our approaches have some common points (i.e. use eBPF in an LSM, stacked
> >>
getpeername.
I'm curious about your filesystem access limiter. Do you have a way to make it
so
that a given container can only write, say, 100mb of data to disk?
> Mickaël
>
>
> [1] http://www.openwall.com/lists/kernel-hardening/2016/03/24/2
>
>
>
> On 09/0
defs out of *.c files, add an "integration" test
v3->v4: De-genericize arraymap fetching function;
rename helper from in_cgroup to under_cgroup (makes much more sense)
Split adding cgroups task_under_cgroup_hierarchy function
v4->v5: Fix formatti
p prior to execution in userspace. This means
that the program must be run in the same cgroups namespace as the programs
that are being traced.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Tejun Heo
---
samples/bpf/Makefile | 5 +
s
it'll return an error. The helper is primarily to be used in debugging
activities for containers, where you may have multiple programs running in
a given top-level "container".
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Tejun Heo
Acked-by: Tejun H
This commit adds an inline function to cgroup.h to check whether a given
task is under a given cgroup hierarchy. This is to avoid having to put
ifdefs in .c files to gate access to cgroups. When cgroups are disabled
this always returns true.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
On Fri, Aug 12, 2016 at 09:16:07AM +0200, Daniel Borkmann wrote:
> On 08/12/2016 06:50 AM, Sargun Dhillon wrote:
> >I realize that in_cgroup is more consistent, but under_cgroup makes
> >far more sense to me. I think it's more intuitive.
> >
> >On Thu, Aug 11, 201
I realize that in_cgroup is more consistent, but under_cgroup makes
far more sense to me. I think it's more intuitive.
On Thu, Aug 11, 2016 at 9:48 PM, Alexei Starovoitov
wrote:
> On Thu, Aug 11, 2016 at 08:14:56PM -0700, Sargun Dhillon wrote:
>> This adds a bpf helper that
p prior to execution in userspace. This means
that the program must be run in the same cgroups namespace as the programs
that are being traced.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Tejun Heo
---
samples/bpf/Makefile | 5 +
s
it'll return an error. The helper is primarily to be used in debugging
activities for containers, where you may have multiple programs running in
a given top-level "container".
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Tejun Heo
---
include/u
This commit adds an inline function to cgroup.h to check whether a given
task is under a given cgroup hierarchy. This is to avoid having to put
ifdefs in .c files to gate access to cgroups. When cgroups are disabled
this always returns true.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
defs out of *.c files, add an "integration" test
v3->v4: De-genericize arraymap fetching function;
rename helper from in_cgroup to under_cgroup (makes much more sense)
Split adding cgroups task_under_cgroup_hierarchy function
Sargun Dhillon (3):
cgroup: Add task_un
p prior to execution in userspace. This means
that the program must be run in the same cgroups namespace as the programs
that are being traced.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Tejun Heo
---
samples/bpf/Makefile | 4 +
s
helper.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Tejun Heo
---
include/linux/bpf.h | 22 ++
include/linux/cgroup.h | 23 +++
include/uapi/linux/bpf.h | 11 +++
kernel/bpf/arraymap.c| 2 +-
kernel/bp
of *.c files, add an "integration" test
Sargun Dhillon (2):
bpf: Add bpf_current_task_in_cgroup helper
samples/bpf: Add test_current_task_in_cgroup test
include/linux/bpf.h| 22
include/linux/cgroup.h | 23
include/uapi/linux/bp
On Tue, Aug 09, 2016 at 08:52:01PM -0700, Alexei Starovoitov wrote:
> On Tue, Aug 09, 2016 at 08:40:05PM -0700, Sargun Dhillon wrote:
> > On Tue, Aug 09, 2016 at 08:27:32PM -0700, Alexei Starovoitov wrote:
> > > On Tue, Aug 09, 2016 at 06:26:37PM -0700, Sargun Dhillon wrote:
>
On Tue, Aug 09, 2016 at 08:27:32PM -0700, Alexei Starovoitov wrote:
> On Tue, Aug 09, 2016 at 06:26:37PM -0700, Sargun Dhillon wrote:
> > On Tue, Aug 09, 2016 at 06:02:34PM -0700, Alexei Starovoitov wrote:
> > > On Tue, Aug 09, 2016 at 05:55:26PM -0700, Sargun Dhillon wrote:
>
On Tue, Aug 09, 2016 at 06:02:34PM -0700, Alexei Starovoitov wrote:
> On Tue, Aug 09, 2016 at 05:55:26PM -0700, Sargun Dhillon wrote:
> > On Tue, Aug 09, 2016 at 05:23:50PM -0700, Alexei Starovoitov wrote:
> > > On Tue, Aug 09, 2016 at 05:00:12PM -0700, Sargun Dhillon wrote:
On Tue, Aug 09, 2016 at 05:23:50PM -0700, Alexei Starovoitov wrote:
> On Tue, Aug 09, 2016 at 05:00:12PM -0700, Sargun Dhillon wrote:
> > This adds a bpf helper that's similar to the skb_in_cgroup helper to check
> > whether the probe is currently executing in the context of a
t the program must be run in the same cgroups namespace as the programs
that are being traced.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
samples/bpf/Makefile | 4 +++
samples/bpf/bpf_helpers.h | 2 ++
samples/bpf/trace_opensnoop_kern.c
helper.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
include/linux/bpf.h | 24
include/uapi/linux/bpf.h | 11 +++
kernel/bpf/arraymap.c| 2 +-
kernel/bpf/verifier.c| 4 +++-
kernel/tr
t supply a specific
cgroup in the hierarchy, and it'll print out all files being opened under it.
v1->v2: Add better example code -- OpenSnoop, clean up
Sargun Dhillon (2):
bpf: Add bpf_current_task_in_cgroup helper
samples/bpf: Add opensnoop example that uses current_task_in
On Mon, Aug 08, 2016 at 04:44:02PM -0700, Kees Cook wrote:
> On Thu, Aug 4, 2016 at 12:11 AM, Sargun Dhillon wrote:
> > I distributed this patchset to linux-security-mod...@vger.kernel.org
> > earlier,
> > but based on the fact that the archive is down, and this is a fair
On Mon, Aug 08, 2016 at 11:27:32AM +0200, Daniel Borkmann wrote:
> On 08/08/2016 05:52 AM, Alexei Starovoitov wrote:
> >On Sun, Aug 07, 2016 at 08:08:19PM -0700, Sargun Dhillon wrote:
> >>Thanks for your feedback Alexei,
> >>I really appreciate it.
> >>
> >
Thanks for your feedback Alexei,
I really appreciate it.
On Sun, Aug 07, 2016 at 05:52:36PM -0700, Alexei Starovoitov wrote:
> On Sat, Aug 06, 2016 at 09:56:06PM -0700, Sargun Dhillon wrote:
> > On Sat, Aug 06, 2016 at 09:32:05PM -0700, Alexei Starovoitov wrote:
> > > On Sat,
On Sat, Aug 06, 2016 at 09:32:05PM -0700, Alexei Starovoitov wrote:
> On Sat, Aug 06, 2016 at 09:06:53PM -0700, Sargun Dhillon wrote:
> > This patchset includes a helper and an example to determine whether the
> > kprobe
> > is currently executing in the context of a speci
This is a simple trace example that shows programs connecting,
but only if they're in a chosen cgroup.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
samples/bpf/Makefile | 4 ++
samples/bpf/bpf_helpers.h | 2 +
sa
This patchset includes a helper and an example to determine whether the kprobe
is currently executing in the context of a specific cgroup based on a cgroup
bpf map / array.
Sargun Dhillon (2):
bpf: Add bpf_current_in_cgroup helper
samples/bpf: Add example using current_in_cgroup
include
This adds a kprobe helper that's similar to the skb_in_cgroup helper. It
checks whether the probe is currently executing in the context of the
cgroup at the given index a CGROUP_ARRAY.
Signed-off-by: Sargun Dhillon
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
include/linux/bpf.h
On Thu, Aug 04, 2016 at 05:34:32PM +0800, zhuyj wrote:
> Sure.
> Is it better to add
> #ifndef CONFIG_PREEMPT_RCU ?
>
> On Thu, Aug 4, 2016 at 4:28 PM, Eric Dumazet wrote:
> > Please do not top post
> >
> > On Thu, 2016-08-04 at 16:08 +0800, zhuyj wrote:
> >> +void register_checmate_prog_ops(vo
On Thu, Aug 04, 2016 at 11:45:08AM +0200, Daniel Borkmann wrote:
> Hi Sargun,
>
> On 08/04/2016 09:11 AM, Sargun Dhillon wrote:
> [...]
> >[It's a] minor LSM. My particular use case is one in which containers are
> >being
> >dynamically deployed to machines by
On Thu, Aug 04, 2016 at 10:41:17AM +0200, Richard Weinberger wrote:
> Sargun,
>
> On Thu, Aug 4, 2016 at 9:11 AM, Sargun Dhillon wrote:
> > I distributed this patchset to linux-security-mod...@vger.kernel.org
> > earlier,
> > but based on the fact that the archive is
I think it makes sense to restrict Checmate to loading programs that have been
compiled with the current kernel ABI. We can further stabilize the ABI, and
perhaps lift this restriction later.
Signed-off-by: Sargun Dhillon
---
kernel/bpf/syscall.c | 2 +-
samples/bpf/checmate1_kern.c
nforcing a hook.
BPF programs also have access to maps, which somewhat works around
the need for security blobs in some cases.
I would love to know what y'all think.
Sargun Dhillon (4):
bpf: move tracing helpers to shared helpers
bpf, security: Add Checmate
security/checmate: Add Checma
t the user would lock
their hooks.
Signed-off-by: Sargun Dhillon
---
include/linux/checmate.h | 38 +
include/uapi/linux/Kbuild| 1 +
include/uapi/linux/bpf.h | 1 +
include/uapi/linux/checmate.h| 65 +
include/uapi/linux/prctl.h
Move bpf_probe_read and bpf_get_current_task to the shared helpers
so that Checmate can use them.
Signed-off-by: Sargun Dhillon
---
include/linux/bpf.h | 2 ++
kernel/bpf/helpers.c | 34 ++
kernel/trace/bpf_trace.c | 33
The Checmate sample installs a policy barring new AF_INET connections
to port 1. We install the hook, and show an example of connect
returning EPERM, and then reset the policy.
If this is running concurrently with other policy engines, bad things
could happen.
Signed-off-by: Sargun Dhillon
Rename bpf_probe_write -> bpf_probe_write_user
v6->v7: More formatting cleanup.
Clarifying a few comments
Clarified log message
Sargun Dhillon (2):
bpf: Add bpf_probe_write_user BPF helper to be called in tracers
samples/bpf: Add test/example of using bpf_probe_write_us