lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 Nov 2020 17:57:32 -0800 From: Alexei Starovoitov <alexei.starovoitov@...il.com> To: KP Singh <kpsingh@...omium.org> Cc: open list <linux-kernel@...r.kernel.org>, bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>, Paul Turner <pjt@...gle.com>, Jann Horn <jannh@...gle.com>, Hao Luo <haoluo@...gle.com> Subject: Re: [PATCH bpf-next v2 7/8] bpf: Add tests for task_local_storage On Tue, Nov 3, 2020 at 5:55 PM KP Singh <kpsingh@...omium.org> wrote: > > [...] > > > > > > > I saw the docs mention that these are not exposed to tracing programs due to > > > insufficient preemption checks. Do you think it would be okay to allow them > > > for LSM programs? > > > > hmm. Isn't it allowed already? > > The verifier does: > > if ((is_tracing_prog_type(prog_type) || > > prog_type == BPF_PROG_TYPE_SOCKET_FILTER) && > > map_value_has_spin_lock(map)) { > > verbose(env, "tracing progs cannot use bpf_spin_lock yet\n"); > > return -EINVAL; > > } > > > > BPF_PROG_TYPE_LSM is not in this list. > > The verifier does not have any problem, it's just that the helpers are not > exposed to LSM programs via bpf_lsm_func_proto. > > So all we need is: > > diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c > index 61f8cc52fd5b..93383df2140b 100644 > --- a/kernel/bpf/bpf_lsm.c > +++ b/kernel/bpf/bpf_lsm.c > @@ -63,6 +63,10 @@ bpf_lsm_func_proto(enum bpf_func_id func_id, const > struct bpf_prog *prog) > return &bpf_task_storage_get_proto; > case BPF_FUNC_task_storage_delete: > return &bpf_task_storage_delete_proto; > + case BPF_FUNC_spin_lock: > + return &bpf_spin_lock_proto; > + case BPF_FUNC_spin_unlock: > + return &bpf_spin_unlock_proto; Ahh. Yes. That should do it. Right now I don't see concerns with safety of the bpf_spin_lock in bpf_lsm progs.
Powered by blists - more mailing lists