[PATCH -next v1 0/9] Add BPF LSM return value range check, BPF part
Xu Kuohai
xukuohai at huaweicloud.com
Fri Jul 19 08:17:40 UTC 2024
From: Xu Kuohai <xukuohai at huawei.com>
LSM BPF prog may make kernel panic when returning an unexpected value,
such as returning positive value on hook file_alloc_security.
To fix it, series [1] refactored LSM hook return values and added
BPF return value check on top of that. Since the refactoring of LSM
hooks and checking BPF prog return value patches is not closely related,
this series separates BPF-related patches from [1].
Changes to [1]:
1. Extend LSM disabled list to include hooks refactored in [1] to avoid
dependency on the hooks return value refactoring patches.
2. Replace the special case patch for bitwise AND on [-1, 0] with Shung-Hsi's
general bitwise AND improvement patch [2].
3. Remove unused patches.
[1] https://lore.kernel.org/bpf/20240711111908.3817636-1-xukuohai@huaweicloud.com
https://lore.kernel.org/bpf/20240711113828.3818398-1-xukuohai@huaweicloud.com
[2] https://lore.kernel.org/bpf/ykuhustu7vt2ilwhl32kj655xfdgdlm2xkl5rff6tw2ycksovp@ss2n4gpjysnw
Shung-Hsi Yu (1):
bpf, verifier: improve signed ranges inference for BPF_AND
Xu Kuohai (8):
bpf, lsm: Add disabled BPF LSM hook list
bpf, lsm: Add check for BPF LSM return value
bpf: Prevent tail call between progs attached to different hooks
bpf: Fix compare error in function retval_range_within
selftests/bpf: Avoid load failure for token_lsm.c
selftests/bpf: Add return value checks for failed tests
selftests/bpf: Add test for lsm tail call
selftests/bpf: Add verifier tests for bpf lsm
include/linux/bpf.h | 2 +
include/linux/bpf_lsm.h | 8 +
kernel/bpf/bpf_lsm.c | 65 ++++++-
kernel/bpf/btf.c | 5 +-
kernel/bpf/core.c | 21 ++-
kernel/bpf/verifier.c | 138 ++++++++++----
.../selftests/bpf/prog_tests/test_lsm.c | 46 ++++-
.../selftests/bpf/prog_tests/verifier.c | 2 +
tools/testing/selftests/bpf/progs/err.h | 10 +
.../selftests/bpf/progs/lsm_tailcall.c | 34 ++++
.../selftests/bpf/progs/test_sig_in_xattr.c | 4 +
.../bpf/progs/test_verify_pkcs7_sig.c | 8 +-
tools/testing/selftests/bpf/progs/token_lsm.c | 4 +-
.../bpf/progs/verifier_global_subprogs.c | 7 +-
.../selftests/bpf/progs/verifier_lsm.c | 178 ++++++++++++++++++
15 files changed, 485 insertions(+), 47 deletions(-)
create mode 100644 tools/testing/selftests/bpf/progs/lsm_tailcall.c
create mode 100644 tools/testing/selftests/bpf/progs/verifier_lsm.c
--
2.30.2
More information about the Linux-security-module-archive
mailing list