[PATCH bpf-next v1 07/13] bpf: lsm: Implement attach, detach and execution.

Andrii Nakryiko andrii.nakryiko at gmail.com
Tue Dec 24 05:48:14 UTC 2019


On Fri, Dec 20, 2019 at 7:43 AM KP Singh <kpsingh at chromium.org> wrote:
>
> From: KP Singh <kpsingh at google.com>
>
> A user space program can attach an eBPF program by:
>
>   hook_fd = open("/sys/kernel/security/bpf/bprm_check_security",
>                  O_RDWR|O_CLOEXEC)
>   prog_fd = bpf(BPF_PROG_LOAD, ...)
>   bpf(BPF_PROG_ATTACH, hook_fd, prog_fd)
>
> The following permissions are required to attach a program to a hook:
>
> - CAP_SYS_ADMIN to load eBPF programs
> - CAP_MAC_ADMIN (to update the policy of an LSM)
> - The securityfs file being a valid hook and writable (O_RDWR)
>
> When such an attach call is received, the attachment logic looks up the
> dentry and appends the program to the bpf_prog_array.
>
> The BPF programs are stored in a bpf_prog_array and writes to the array
> are guarded by a mutex. The eBPF programs are executed as a part of the
> LSM hook they are attached to. If any of the eBPF programs return
> an error (-ENOPERM) the action represented by the hook is denied.
>
> Signed-off-by: KP Singh <kpsingh at google.com>
> ---

Acked-by: Andrii Nakryiko <andriin at fb.com>

>  MAINTAINERS             |   1 +
>  include/linux/bpf_lsm.h |  13 ++++
>  kernel/bpf/syscall.c    |   5 +-
>  security/bpf/lsm_fs.c   |  19 +++++-
>  security/bpf/ops.c      | 134 ++++++++++++++++++++++++++++++++++++++++
>  5 files changed, 169 insertions(+), 3 deletions(-)
>

[...]



More information about the Linux-security-module-archive mailing list