[PATCH bpf-next v3 03/10] bpf: lsm: Introduce types for eBPF based LSM

Alexei Starovoitov alexei.starovoitov at gmail.com
Mon Feb 10 23:58:12 UTC 2020


On Thu, Jan 23, 2020 at 07:24:33AM -0800, KP Singh wrote:
> +
> +static const struct bpf_func_proto *get_bpf_func_proto(
> +	enum bpf_func_id func_id, const struct bpf_prog *prog)
> +{
> +	switch (func_id) {
> +	case BPF_FUNC_map_lookup_elem:
> +		return &bpf_map_lookup_elem_proto;
> +	case BPF_FUNC_get_current_pid_tgid:
> +		return &bpf_get_current_pid_tgid_proto;
> +	default:
> +		return NULL;
> +	}
> +}
> +
> +const struct bpf_verifier_ops lsm_verifier_ops = {
> +	.get_func_proto = get_bpf_func_proto,
> +};

Why artificially limit it like this?
It will cause a lot of churn in the future. Like allowing map update and
delete, in addition to lookup, will be an obvious next step.
I think allowing tracing_func_proto() from the start is cleaner.



More information about the Linux-security-module-archive mailing list