lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f1816e37-56f5-43de-8a52-129a2952c355@schaufler-ca.com>
Date: Wed, 16 Jul 2025 10:44:43 -0700
From: Casey Schaufler <casey@...aufler-ca.com>
To: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>,
 Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>,
 "Serge E. Hallyn" <serge@...lyn.com>,
 Stephen Smalley <stephen.smalley.work@...il.com>,
 Ondrej Mosnacek <omosnace@...hat.com>,
 John Johansen <john.johansen@...onical.com>,
 Christian Göttsche <cgzones@...glemail.com>,
 linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
 selinux@...r.kernel.org, bpf@...r.kernel.org,
 Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: [PATCH] lsm,selinux: Add LSM blob support for BPF objects

On 7/15/2025 3:25 PM, Blaise Boscaccy wrote:
> This patch introduces LSM blob support for BPF maps, programs, and
> tokens to enable LSM stacking and multiplexing of LSM modules that
> govern BPF objects. Additionally, the existing BPF hooks used by
> SELinux have been updated to utilize the new blob infrastructure,
> removing the assumption of exclusive ownership of the security
> pointer.
>
> Signed-off-by: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
> ---
>  include/linux/lsm_hooks.h         |   3 +
>  security/security.c               | 120 +++++++++++++++++++++++++++++-
>  security/selinux/hooks.c          |  56 +++-----------
>  security/selinux/include/objsec.h |  17 +++++
>  4 files changed, 147 insertions(+), 49 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 090d1d3e19fed..79ec5a2bdcca7 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -116,6 +116,9 @@ struct lsm_blob_sizes {
>  	int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
>  	int lbs_tun_dev;
>  	int lbs_bdev;
> +	int lbs_bpf_map;
> +	int lbs_bpf_prog;
> +	int lbs_bpf_token;
>  };
>  
>  /*
> diff --git a/security/security.c b/security/security.c
> index 596d418185773..8c413b84f33db 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -283,6 +283,9 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
>  	lsm_set_blob_size(&needed->lbs_xattr_count,
>  			  &blob_sizes.lbs_xattr_count);
>  	lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev);
> +	lsm_set_blob_size(&needed->lbs_bpf_map, &blob_sizes.lbs_bpf_map);
> +	lsm_set_blob_size(&needed->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog);
> +	lsm_set_blob_size(&needed->lbs_bpf_token, &blob_sizes.lbs_bpf_token);
>  }
>  
>  /* Prepare LSM for initialization. */
> @@ -480,6 +483,9 @@ static void __init ordered_lsm_init(void)
>  	init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev);
>  	init_debug("xattr slots          = %d\n", blob_sizes.lbs_xattr_count);
>  	init_debug("bdev blob size       = %d\n", blob_sizes.lbs_bdev);
> +	init_debug("bpf map blob size    = %d\n", blob_sizes.lbs_bpf_map);
> +	init_debug("bpf prog blob size   = %d\n", blob_sizes.lbs_bpf_prog);
> +	init_debug("bpf token blob size  = %d\n", blob_sizes.lbs_bpf_token);
>  
>  	/*
>  	 * Create any kmem_caches needed for blobs
> @@ -835,6 +841,72 @@ static int lsm_bdev_alloc(struct block_device *bdev)
>  	return 0;
>  }
>  
> +/**
> + * lsm_bpf_map_alloc - allocate a composite bpf_map blob
> + * @map: the bpf_map that needs a blob
> + *
> + * Allocate the bpf_map blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +static int lsm_bpf_map_alloc(struct bpf_map *map)
> +{
> +	if (blob_sizes.lbs_bpf_map == 0) {
> +		map->security = NULL;
> +		return 0;
> +	}
> +
> +	map->security = kzalloc(blob_sizes.lbs_bpf_map, GFP_KERNEL);

Some of the blobs use kmem_cache_alloc(). You should consider if that
might be right for you.

> +	if (!map->security)
> +		return -ENOMEM;
> +
> +	return 0;
> +}
> +
> +/**
> + * lsm_bpf_prog_alloc - allocate a composite bpf_prog blob
> + * @prog: the bpf_prog that needs a blob
> + *
> + * Allocate the bpf_prog blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +static int lsm_bpf_prog_alloc(struct bpf_prog *prog)
> +{
> +	if (blob_sizes.lbs_bpf_prog == 0) {
> +		prog->aux->security = NULL;
> +		return 0;
> +	}
> +
> +	prog->aux->security = kzalloc(blob_sizes.lbs_bpf_prog, GFP_KERNEL);
> +	if (!prog->aux->security)
> +		return -ENOMEM;
> +
> +	return 0;
> +}
> +
> +/**
> + * lsm_bpf_token_alloc - allocate a composite bpf_token blob
> + * @token: the bpf_token that needs a blob
> + *
> + * Allocate the bpf_token blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +static int lsm_bpf_token_alloc(struct bpf_token *token)
> +{
> +	if (blob_sizes.lbs_bpf_token == 0) {
> +		token->security = NULL;
> +		return 0;
> +	}
> +
> +	token->security = kzalloc(blob_sizes.lbs_bpf_token, GFP_KERNEL);
> +	if (!token->security)
> +		return -ENOMEM;
> +
> +	return 0;
> +}
> +
>  /**
>   * lsm_early_task - during initialization allocate a composite task blob
>   * @task: the task that needs a blob
> @@ -5684,7 +5756,16 @@ int security_bpf_prog(struct bpf_prog *prog)
>  int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
>  			    struct bpf_token *token, bool kernel)
>  {
> -	return call_int_hook(bpf_map_create, map, attr, token, kernel);
> +	int rc = 0;
> +
> +	rc = lsm_bpf_map_alloc(map);
> +	if (unlikely(rc))
> +		return rc;
> +
> +	rc = call_int_hook(bpf_map_create, map, attr, token, kernel);
> +	if (unlikely(rc))
> +		security_bpf_map_free(map);
> +	return rc;
>  }
>  
>  /**
> @@ -5703,7 +5784,16 @@ int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
>  int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
>  			   struct bpf_token *token, bool kernel)
>  {
> -	return call_int_hook(bpf_prog_load, prog, attr, token, kernel);
> +	int rc = 0;
> +
> +	rc = lsm_bpf_prog_alloc(prog);
> +	if (unlikely(rc))
> +		return rc;
> +
> +	rc = call_int_hook(bpf_prog_load, prog, attr, token, kernel);
> +	if (unlikely(rc))
> +		security_bpf_prog_free(prog);
> +	return rc;
>  }
>  
>  /**
> @@ -5720,7 +5810,16 @@ int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
>  int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
>  			      const struct path *path)
>  {
> -	return call_int_hook(bpf_token_create, token, attr, path);
> +	int rc = 0;
> +
> +	rc = lsm_bpf_token_alloc(token);
> +	if (unlikely(rc))
> +		return rc;
> +
> +	rc = call_int_hook(bpf_token_create, token, attr, path);
> +	if (unlikely(rc))
> +		security_bpf_token_free(token);
> +	return rc;
>  }
>  
>  /**
> @@ -5763,7 +5862,12 @@ int security_bpf_token_capable(const struct bpf_token *token, int cap)
>   */
>  void security_bpf_map_free(struct bpf_map *map)
>  {
> +	if (!map->security)
> +		return;
> +
>  	call_void_hook(bpf_map_free, map);
> +	kfree(map->security);
> +	map->security = NULL;
>  }
>  
>  /**
> @@ -5774,7 +5878,12 @@ void security_bpf_map_free(struct bpf_map *map)
>   */
>  void security_bpf_prog_free(struct bpf_prog *prog)
>  {
> +	if (!prog->aux->security)
> +		return;
> +
>  	call_void_hook(bpf_prog_free, prog);
> +	kfree(prog->aux->security);
> +	prog->aux->security = NULL;
>  }
>  
>  /**
> @@ -5785,7 +5894,12 @@ void security_bpf_prog_free(struct bpf_prog *prog)
>   */
>  void security_bpf_token_free(struct bpf_token *token)
>  {
> +	if (!token->security)
> +		return;
> +
>  	call_void_hook(bpf_token_free, token);
> +	kfree(token->security);
> +	token->security = NULL;
>  }
>  #endif /* CONFIG_BPF_SYSCALL */
>  
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 595ceb314aeb3..8052fb5fafc4d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -7038,14 +7038,14 @@ static int bpf_fd_pass(const struct file *file, u32 sid)
>  
>  	if (file->f_op == &bpf_map_fops) {
>  		map = file->private_data;
> -		bpfsec = map->security;
> +		bpfsec = selinux_bpf_map_security(map);
>  		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
>  				   bpf_map_fmode_to_av(file->f_mode), NULL);
>  		if (ret)
>  			return ret;
>  	} else if (file->f_op == &bpf_prog_fops) {
>  		prog = file->private_data;
> -		bpfsec = prog->aux->security;
> +		bpfsec = selinux_bpf_prog_security(prog);
>  		ret = avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
>  				   BPF__PROG_RUN, NULL);
>  		if (ret)
> @@ -7059,7 +7059,7 @@ static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
>  	u32 sid = current_sid();
>  	struct bpf_security_struct *bpfsec;
>  
> -	bpfsec = map->security;
> +	bpfsec = selinux_bpf_map_security(map);
>  	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
>  			    bpf_map_fmode_to_av(fmode), NULL);
>  }
> @@ -7069,7 +7069,7 @@ static int selinux_bpf_prog(struct bpf_prog *prog)
>  	u32 sid = current_sid();
>  	struct bpf_security_struct *bpfsec;
>  
> -	bpfsec = prog->aux->security;
> +	bpfsec = selinux_bpf_prog_security(prog);
>  	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF,
>  			    BPF__PROG_RUN, NULL);
>  }
> @@ -7079,69 +7079,33 @@ static int selinux_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
>  {
>  	struct bpf_security_struct *bpfsec;
>  
> -	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
> -	if (!bpfsec)
> -		return -ENOMEM;
> -
> +	bpfsec = selinux_bpf_map_security(map);
>  	bpfsec->sid = current_sid();
> -	map->security = bpfsec;
>  
>  	return 0;
>  }
>  
> -static void selinux_bpf_map_free(struct bpf_map *map)
> -{
> -	struct bpf_security_struct *bpfsec = map->security;
> -
> -	map->security = NULL;
> -	kfree(bpfsec);
> -}
> -
>  static int selinux_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
>  				 struct bpf_token *token, bool kernel)
>  {
>  	struct bpf_security_struct *bpfsec;
>  
> -	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
> -	if (!bpfsec)
> -		return -ENOMEM;
> -
> +	bpfsec = selinux_bpf_prog_security(prog);
>  	bpfsec->sid = current_sid();
> -	prog->aux->security = bpfsec;
>  
>  	return 0;
>  }
>  
> -static void selinux_bpf_prog_free(struct bpf_prog *prog)
> -{
> -	struct bpf_security_struct *bpfsec = prog->aux->security;
> -
> -	prog->aux->security = NULL;
> -	kfree(bpfsec);
> -}
> -
>  static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
>  				    const struct path *path)
>  {
>  	struct bpf_security_struct *bpfsec;
>  
> -	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
> -	if (!bpfsec)
> -		return -ENOMEM;
> -
> +	bpfsec = selinux_bpf_token_security(token);
>  	bpfsec->sid = current_sid();
> -	token->security = bpfsec;
>  
>  	return 0;
>  }
> -
> -static void selinux_bpf_token_free(struct bpf_token *token)
> -{
> -	struct bpf_security_struct *bpfsec = token->security;
> -
> -	token->security = NULL;
> -	kfree(bpfsec);
> -}
>  #endif
>  
>  struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
> @@ -7159,6 +7123,9 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
>  	.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
>  	.lbs_tun_dev = sizeof(struct tun_security_struct),
>  	.lbs_ib = sizeof(struct ib_security_struct),
> +	.lbs_bpf_map = sizeof(struct bpf_security_struct),
> +	.lbs_bpf_prog = sizeof(struct bpf_security_struct),
> +	.lbs_bpf_token = sizeof(struct bpf_security_struct),
>  };
>  
>  #ifdef CONFIG_PERF_EVENTS
> @@ -7510,9 +7477,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
>  	LSM_HOOK_INIT(bpf, selinux_bpf),
>  	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
>  	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
> -	LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
> -	LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
> -	LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
>  #endif
>  
>  #ifdef CONFIG_PERF_EVENTS
> diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
> index 6ee7dc4dfd6e0..9f935ed9a761f 100644
> --- a/security/selinux/include/objsec.h
> +++ b/security/selinux/include/objsec.h
> @@ -26,6 +26,7 @@
>  #include <linux/lsm_hooks.h>
>  #include <linux/msg.h>
>  #include <net/net_namespace.h>
> +#include <linux/bpf.h>
>  #include "flask.h"
>  #include "avc.h"
>  
> @@ -237,4 +238,20 @@ selinux_perf_event(void *perf_event)
>  	return perf_event + selinux_blob_sizes.lbs_perf_event;
>  }
>  
> +#ifdef CONFIG_BPF_SYSCALL
> +static inline struct bpf_security_struct *selinux_bpf_map_security(struct bpf_map *map)
> +{
> +	return map->security + selinux_blob_sizes.lbs_bpf_map;
> +}
> +
> +static inline struct bpf_security_struct *selinux_bpf_prog_security(struct bpf_prog *prog)
> +{
> +	return prog->aux->security + selinux_blob_sizes.lbs_bpf_prog;
> +}
> +
> +static inline struct bpf_security_struct *selinux_bpf_token_security(struct bpf_token *token)
> +{
> +	return token->security + selinux_blob_sizes.lbs_bpf_token;
> +}
> +#endif /* CONFIG_BPF_SYSCALL */
>  #endif /* _SELINUX_OBJSEC_H_ */

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ