Message-Id: <20220216001241.2239703-1-sdf@google.com>
Date: Tue, 15 Feb 2022 16:12:37 -0800
From: Stanislav Fomichev <sdf@...gle.com>
To: netdev@...r.kernel.org, bpf@...r.kernel.org
Cc: ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
Stanislav Fomichev <sdf@...gle.com>, kafai@...com,
kpsingh@...nel.org
Subject: [RFC bpf-next 0/4] bpf: cgroup_sock lsm flavor

This is an RFC proposal for a recent discussion about default socket
policy [0]. The series implements a new lsm flavor for attaching
lsm-like programs to existing lsm hooks that operate on 'struct socket'.
The actual requirement is that the first argument is of type 'struct
socket'. Later on we can add support for 'struct sock'-based hooks without
any user-visible changes.

For demonstration purposes only two hooks are included (can be extended
to more later). Also, for demonstration purposes, writes to sock->sk_priority
are exposed to lsm hooks (can cover more bpf_sock fields later).

The intended workflow is:

The users load the lsm_cgroup_sock tracepoint into the system. This installs
a generic fmod_ret trampoline that runs __cgroup_bpf_run_lsm_sock.
After that, bpf_prog_attach should be called to activate this program
for the particular cgroup. This interface uses existing cgroup_bpf
functionality and should support all existing inheritance flags.

I'd like to get generic feedback on whether I'm going in the right
direction or not. The thing I'm not sure about is the way I'm
abusing jit generation (maybe fmod_ret should be automagically
installed instead?).

For non-socket specific hooks, we can add a similar BPF_LSM_CGROUP
attach point that looks at current->cgroup instead of socket->cgroup.

[0] https://lore.kernel.org/bpf/YgPz8akQ4+qBz7nf@google.com/

Cc: ast@...nel.org
Cc: daniel@...earbox.net
Cc: kafai@...com
Cc: kpsingh@...nel.org

Stanislav Fomichev (4):
bpf: cgroup_sock lsm flavor
bpf: allow writing to sock->sk_priority from lsm progtype
libbpf: add lsm_cgoup_sock type
selftest: lsm_cgroup_sock sample usage

arch/x86/net/bpf_jit_comp.c | 27 +++++--
include/linux/bpf-cgroup-defs.h | 4 +
include/linux/bpf.h | 2 +
include/uapi/linux/bpf.h | 1 +
kernel/bpf/bpf_lsm.c | 49 +++++++++++
kernel/bpf/btf.c | 10 +++
kernel/bpf/cgroup.c | 43 +++++++++-
kernel/bpf/syscall.c | 6 +-
kernel/bpf/trampoline.c | 1 +
kernel/bpf/verifier.c | 4 +-
tools/include/uapi/linux/bpf.h | 1 +
tools/lib/bpf/libbpf.c | 2 +
.../bpf/prog_tests/lsm_cgroup_sock.c | 81 +++++++++++++++++++
.../selftests/bpf/progs/lsm_cgroup_sock.c | 55 +++++++++++++
14 files changed, 273 insertions(+), 13 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/lsm_cgroup_sock.c
create mode 100644 tools/testing/selftests/bpf/progs/lsm_cgroup_sock.c
--
2.35.1.265.g69c8d7142f-goog