[PATCH] bpf: lsm: Disable or enable BPF LSM at boot time

Lorenzo Fontana fontanalorenz at gmail.com
Mon Jul 6 16:57:10 UTC 2020


This option adds a kernel parameter 'bpf_lsm',
which allows the BPF LSM to be disabled at boot.
The purpose of this option is to allow a single kernel
image to be distributed with the BPF LSM built in,
but not necessarily enabled.

Signed-off-by: Lorenzo Fontana <fontanalorenz at gmail.com>
---
 Documentation/admin-guide/kernel-parameters.txt |  8 ++++++++
 init/Kconfig                                    | 12 ++++++++++++
 security/bpf/hooks.c                            | 16 ++++++++++++++++
 3 files changed, 36 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index fb95fad81c79..c0d5955279d7 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4575,6 +4575,14 @@
 			1 -- enable.
 			Default value is set via kernel config option.
 
+	bpf_lsm=	[BPF_LSM] Disable or enable LSM Instrumentation
+			with BPF at boot time.
+			Format: { "0" | "1" }
+			See init/Kconfig help text.
+			0 -- disable.
+			1 -- enable.
+			Default value is 1.
+
 	serialnumber	[BUGS=X86-32]
 
 	shapers=	[NET]
diff --git a/init/Kconfig b/init/Kconfig
index a46aa8f3174d..410547e4342e 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1659,6 +1659,18 @@ config BPF_LSM
 
 	  If you are unsure how to answer this question, answer N.
 
+config BPF_LSM_BOOTPARAM
+	bool "LSM Instrumentation with BPF boot parameter"
+	depends on BPF_LSM
+	help
+	  This option adds a kernel parameter 'bpf_lsm', which allows LSM
+	  instrumentation with BPF to be disabled at boot.
+	  If this option is selected, the BPF LSM
+	  functionality can be disabled with bpf_lsm=0 on the kernel
+	  command line.  The purpose of this option is to allow a single
+	  kernel image to be distributed with the BPF LSM built in, but not
+	  necessarily enabled.
+
 config BPF_SYSCALL
 	bool "Enable bpf() system call"
 	select BPF
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
index 32d32d485451..6a4b4f63976c 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -3,9 +3,24 @@
 /*
  * Copyright (C) 2020 Google LLC.
  */
+
+#include <linux/init.h>
 #include <linux/lsm_hooks.h>
 #include <linux/bpf_lsm.h>
 
+int bpf_lsm_enabled_boot __initdata = 1;
+#ifdef CONFIG_BPF_LSM_BOOTPARAM
+static int __init bpf_lsm_enabled_setup(char *str)
+{
+	unsigned long enabled;
+
+	if (!kstrtoul(str, 0, &enabled))
+		bpf_lsm_enabled_boot = enabled ? 1 : 0;
+	return 1;
+}
+__setup("bpf_lsm=", bpf_lsm_enabled_setup);
+#endif
+
 static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
 	#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
 	LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
@@ -23,4 +38,5 @@ static int __init bpf_lsm_init(void)
 DEFINE_LSM(bpf) = {
 	.name = "bpf",
 	.init = bpf_lsm_init,
+	.enabled = &bpf_lsm_enabled_boot,
 };
-- 
2.27.0



More information about the Linux-security-module-archive mailing list