[PATCH v5 4/5] bpf: Only enable BPF LSM hooks when an LSM program is attached
KP Singh
kpsingh at kernel.org
Thu Oct 5 13:27:35 UTC 2023
On Thu, Oct 5, 2023 at 3:26 PM KP Singh <kpsingh at kernel.org> wrote:
>
> On Thu, Oct 5, 2023 at 10:09 AM Jiri Olsa <olsajiri at gmail.com> wrote:
> >
> > On Thu, Sep 28, 2023 at 10:24:09PM +0200, KP Singh wrote:
> >
> > SNIP
> >
> > > diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
> > > index e97aeda3a86b..df9699bce372 100644
> > > --- a/kernel/bpf/trampoline.c
> > > +++ b/kernel/bpf/trampoline.c
> > > @@ -13,6 +13,7 @@
> > > #include <linux/bpf_verifier.h>
> > > #include <linux/bpf_lsm.h>
> > > #include <linux/delay.h>
> > > +#include <linux/bpf_lsm.h>
> > >
> > > /* dummy _ops. The verifier will operate on target program's ops. */
> > > const struct bpf_verifier_ops bpf_extension_verifier_ops = {
> > > @@ -514,7 +515,7 @@ static int __bpf_trampoline_link_prog(struct bpf_tramp_link *link, struct bpf_tr
> > > {
> > > enum bpf_tramp_prog_type kind;
> > > struct bpf_tramp_link *link_exiting;
I think this is a typo here. It should be existing, no?
> > > - int err = 0;
> > > + int err = 0, num_lsm_progs = 0;
> > > int cnt = 0, i;
> > >
> > > kind = bpf_attach_type_to_tramp(link->link.prog);
> > > @@ -545,8 +546,14 @@ static int __bpf_trampoline_link_prog(struct bpf_tramp_link *link, struct bpf_tr
> > > continue;
> > > /* prog already linked */
> > > return -EBUSY;
> > > +
> > > + if (link_exiting->link.prog->type == BPF_PROG_TYPE_LSM)
> > > + num_lsm_progs++;
> >
> > this looks wrong, it's never reached.. seems like we should add separate
> > hlist_for_each_entry loop over trampoline's links for this check/init of
> > num_lsm_progs ?
> >
> > jirka
>
> Good catch, I missed this during my rebase, after
> https://lore.kernel.org/bpf/20220510205923.3206889-2-kuifeng@fb.com/
> this condition is basically never reached. I will do a general loop
> over to count LSM programs and toggle the hook to true (and same for
> unlink).
>
> - KP
>
> [...]
More information about the Linux-security-module-archive
mailing list