    bpf,lsm: Refactor bpf_prog_alloc/bpf_prog_free LSM hooks · 1b67772e
    Andrii Nakryiko authored
    Based on upstream discussion ([0]), rework the existing
    bpf_prog_alloc_security LSM hook. Rename it to bpf_prog_load and, instead
    of passing bpf_prog_aux, pass a proper bpf_prog pointer for the full BPF
    program struct. Also, we pass the bpf_attr union with all the user-provided
    arguments for the BPF_PROG_LOAD command. This will give LSMs as much
    information as we can basically provide.
    
    The hook is also BPF token-aware now, and an optional bpf_token struct is
    passed as a third argument. The bpf_prog_load LSM hook is called after
    a bunch of sanity checks have been performed and bpf_prog and bpf_prog_aux
    have been allocated and filled out, but right before performing the
    full-fledged BPF verification step.
    
    The bpf_prog_free LSM hook now accepts a struct bpf_prog argument, for
    consistency. SELinux code is adjusted to all the new names, types, and
    signatures.
    
    Note, given that the bpf_prog_load (previously bpf_prog_alloc) hook can be
    used by some LSMs to allocate an extra security blob, but also by other
    LSMs to reject BPF program loading, we need to make sure that the
    bpf_prog_free LSM hook is called after the bpf_prog_load/bpf_prog_alloc one
    *even* if the hook itself returned an error. If we don't do that, we run
    the risk of leaking memory. This seems to be possible today when
    combining SELinux and BPF LSM, as one example, depending on their
    relative ordering.
    
    Also, for the BPF LSM setup, add bpf_prog_load and bpf_prog_free to the
    sleepable LSM hooks list, as they are both executed in sleepable
    context. Also drop the bpf_prog_load hook from the untrusted list, as there
    is no issue with refcounting or anything else anymore that originally
    forced us to add it to the untrusted list in c0c852dd ("bpf: Do not mark
    certain LSM hook arguments as trusted"). We now trigger this hook much
    later and it should not be an issue anymore.
    
      [0] https://lore.kernel.org/bpf/9fe88aef7deabbe87d3fc38c4aea3c69.paul@paul-moore.com/

    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Link: https://lore.kernel.org/bpf/20240124022127.2379740-10-andrii@kernel.org
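The leak the commit message warns about (one stacked LSM allocates a blob in bpf_prog_load, a later one rejects the load, and bpf_prog_free is never reached) is easy to reproduce in a userspace model. The C program below is an added illustration written for this page; it is not code from the commit, from the kernel, or from the author. The struct layouts, the two toy LSMs (blob_lsm and policy_lsm), DENIED_TYPE, bpf_prog_load_sim and the helper names are all hypothetical, and the token check is a simplified stand-in for whatever a real LSM would do with the bpf_token argument. It runs the same program through both orderings and counts the blobs left behind.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the kernel structs; not the real layouts. */
struct bpf_attr  { unsigned int prog_type; unsigned int insn_cnt; };
struct bpf_token { unsigned int allowed_prog_types; };      /* bitmask by prog_type */
struct bpf_prog  { struct bpf_attr attr; void *security; }; /* per-program LSM blob */

struct lsm_hooks {
    const char *name;
    int (*prog_load)(struct bpf_prog *, struct bpf_attr *, struct bpf_token *);
    void (*prog_free)(struct bpf_prog *);
};

#define DENIED_TYPE 7u  /* hypothetical prog_type the policy LSM refuses by default */
static int live_blobs;  /* blobs allocated but not yet freed: the leak detector */

/* LSM "A": allocates a per-program security blob in prog_load, frees it in prog_free. */
static int blob_lsm_prog_load(struct bpf_prog *prog, struct bpf_attr *attr, struct bpf_token *token)
{
    (void)attr; (void)token;
    if (!(prog->security = calloc(1, 64)))
        return -ENOMEM;
    live_blobs++;
    return 0;
}
static void blob_lsm_prog_free(struct bpf_prog *prog)
{
    if (!prog->security)
        return;
    free(prog->security); prog->security = NULL; live_blobs--;
}

/* LSM "B": policy only, no blob; denies DENIED_TYPE unless the token permits it. */
static int policy_lsm_prog_load(struct bpf_prog *prog, struct bpf_attr *attr, struct bpf_token *token)
{
    (void)prog;
    if (attr->prog_type != DENIED_TYPE)
        return 0;
    return (token && (token->allowed_prog_types & (1u << DENIED_TYPE))) ? 0 : -EPERM;
}

/* Stacking order matters: A allocates first, then B may reject. */
static const struct lsm_hooks lsms[] = {
    { "blob_lsm",   blob_lsm_prog_load,   blob_lsm_prog_free },
    { "policy_lsm", policy_lsm_prog_load, NULL },
};
#define NUM_LSMS (sizeof(lsms) / sizeof(lsms[0]))

/* The first failing hook short-circuits, but earlier LSMs have already allocated. */
static int security_prog_load(struct bpf_prog *prog, struct bpf_attr *attr, struct bpf_token *token)
{
    for (size_t i = 0; i < NUM_LSMS; i++) {
        int err = lsms[i].prog_load ? lsms[i].prog_load(prog, attr, token) : 0;
        if (err)
            return err;
    }
    return 0;
}
static void security_prog_free(struct bpf_prog *prog)
{
    for (size_t i = 0; i < NUM_LSMS; i++)
        if (lsms[i].prog_free)
            lsms[i].prog_free(prog);
}

/* Loader core. free_on_error=false is the leaky ordering (hook error -> plain free);
 * free_on_error=true is the ordering the commit message requires. */
static int bpf_prog_load_sim(struct bpf_attr *attr, struct bpf_token *token, bool free_on_error)
{
    struct bpf_prog *prog = calloc(1, sizeof(*prog));
    if (!prog)
        return -ENOMEM;
    prog->attr = *attr;
    int err = security_prog_load(prog, attr, token);
    /* On success, verification and use would follow before the end-of-life tear-down. */
    if (!err || free_on_error)
        security_prog_free(prog);   /* every LSM releases whatever it allocated */
    free(prog);
    return err;
}

/* Load one DENIED_TYPE program (constructed input), optionally with a permitting token. */
static int load_err(bool free_on_error, bool with_token)
{
    struct bpf_attr attr = { .prog_type = DENIED_TYPE, .insn_cnt = 2 };
    struct bpf_token token = { .allowed_prog_types = 1u << DENIED_TYPE };
    live_blobs = 0;
    return bpf_prog_load_sim(&attr, with_token ? &token : NULL, free_on_error);
}
/* Same load, but report how many blobs were left behind. */
static int load_leaked(bool free_on_error, bool with_token)
{
    load_err(free_on_error, with_token);
    return live_blobs;
}

int main(void)
{
    printf("leaky ordering: err=%d leaked=%d\n", load_err(false, false), load_leaked(false, false));
    printf("fixed ordering: err=%d leaked=%d\n", load_err(true, false),  load_leaked(true, false));
    printf("fixed + token:  err=%d leaked=%d\n", load_err(true, true),   load_leaked(true, true));
    return 0;
}
```

With the leaky ordering the rejected load returns -EPERM and leaves one blob allocated; with the fixed ordering the same rejection leaks nothing, and a token that permits the type lets the load succeed. Swapping the two entries in `lsms` makes the leak disappear in the model too, which is why the message says the problem depends on the LSMs' relative ordering.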
syscall.c 145 KB