[PATCH bpf-next v1 07/13] bpf: lsm: Implement attach, detach and execution.
Andrii Nakryiko
andrii.nakryiko at gmail.com
Tue Dec 24 05:48:14 UTC 2019
On Fri, Dec 20, 2019 at 7:43 AM KP Singh <kpsingh at chromium.org> wrote:
>
> From: KP Singh <kpsingh at google.com>
>
> A user space program can attach an eBPF program by:
>
> hook_fd = open("/sys/kernel/security/bpf/bprm_check_security",
> O_RDWR|O_CLOEXEC)
> prog_fd = bpf(BPF_PROG_LOAD, ...)
> bpf(BPF_PROG_ATTACH, hook_fd, prog_fd)
>
> The following permissions are required to attach a program to a hook:
>
> - CAP_SYS_ADMIN to load eBPF programs
> - CAP_MAC_ADMIN (to update the policy of an LSM)
> - The securityfs file being a valid hook and writable (O_RDWR)
>
> When such an attach call is received, the attachment logic looks up the
> dentry and appends the program to the bpf_prog_array.
>
> The BPF programs are stored in a bpf_prog_array and writes to the array
> are guarded by a mutex. The eBPF programs are executed as a part of the
> LSM hook they are attached to. If any of the eBPF programs return
> an error (-ENOPERM) the action represented by the hook is denied.
>
> Signed-off-by: KP Singh <kpsingh at google.com>
> ---
Acked-by: Andrii Nakryiko <andriin at fb.com>
> MAINTAINERS | 1 +
> include/linux/bpf_lsm.h | 13 ++++
> kernel/bpf/syscall.c | 5 +-
> security/bpf/lsm_fs.c | 19 +++++-
> security/bpf/ops.c | 134 ++++++++++++++++++++++++++++++++++++++++
> 5 files changed, 169 insertions(+), 3 deletions(-)
>
[...]
More information about the Linux-security-module-archive
mailing list