[RFC PATCH bpf-next seccomp 08/12] seccomp-ebpf: restrict filter to almost cBPF if LSM request such
YiFei Zhu
zhuyifei1999 at gmail.com
Mon May 10 17:22:45 UTC 2021
From: YiFei Zhu <yifeifz2 at illinois.edu>
If LSM hook security_seccomp_extended returns non-zero, seccomp-eBPF
filters are not permitted to use eBPF maps or helpers.
Signed-off-by: YiFei Zhu <yifeifz2 at illinois.edu>
---
kernel/seccomp.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 8550ae885245..b9ed9951a05b 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -2441,6 +2441,9 @@ static bool seccomp_is_valid_access(int off, int size,
static const struct bpf_func_proto *
seccomp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
+ if (security_seccomp_extended())
+ return NULL;
+
switch (func_id) {
case BPF_FUNC_get_current_uid_gid:
return &bpf_get_current_uid_gid_proto;
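Review bot: The added early `return NULL` refuses every helper, including the ones the switch below allows, but the verifier will report that as an unknown or unsupported helper rather than as a policy denial, which gives a filter author little to go on; a comment on the check would at least make the intent explicit, e.g. `/* LSM asked for cBPF-equivalent semantics: no helpers, whatever func_id is */`. The hook is queried once per helper call site during verification, and again from seccomp_map_access in the next hunk, so the patch implicitly relies on the LSM answer being stable for the duration of one program load; whether that holds depends on the hook's implementation, which is outside this patch, and is worth stating near the call. The rest of seccomp_func_proto's switch continues past the hunk.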
@@ -2459,9 +2462,15 @@ seccomp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
const struct bpf_prog_ops seccomp_prog_ops = {
};
+static bool seccomp_map_access(enum bpf_access_type type)
+{
+ return !security_seccomp_extended();
+}
+
const struct bpf_verifier_ops seccomp_verifier_ops = {
.get_func_proto = seccomp_func_proto,
.is_valid_access = seccomp_is_valid_access,
+ .map_access = seccomp_map_access,
};
#endif /* CONFIG_SECCOMP_FILTER_EXTENDED */
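Review bot: `seccomp_map_access` ignores its `type` argument, so reads and writes are refused alike; that is presumably the point ("no maps at all"), but nothing says so and a reader may take the unused parameter for an oversight. A one-line comment above the function would settle it: `/* Deny all map access, read or write, when the LSM restricts filters to cBPF semantics. */`. The callback receives no program or task context, so the LSM decision can only be based on whatever state the hook inspects at load time; if that is the intended scope it belongs in the hook's documentation, which is outside this hunk.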
--
2.31.1