bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0bpf task local storage is now using task_struct->bpf_storage, sobpf_lsm_blob_sizes.lbs_task is no longer needed. Remove it to save somememory.Fixes
bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0bpf task local storage is now using task_struct->bpf_storage, sobpf_lsm_blob_sizes.lbs_task is no longer needed. Remove it to save somememory.Fixes: a10787e6d58c ("bpf: Enable task local storage for tracing programs")Cc: stable@vger.kernel.orgCc: KP Singh <kpsingh@kernel.org>Cc: Matt Bobrowski <mattbobrowski@google.com>Signed-off-by: Song Liu <song@kernel.org>Acked-by: Matt Bobrowski <mattbobrowski@google.com>Link: https://lore.kernel.org/r/20240911055508.9588-1-song@kernel.orgSigned-off-by: Alexei Starovoitov <ast@kernel.org>
show more ...
lsm: mark the lsm_id variables are marked as staticAs the kernel test robot helpfully reminded us, all of the lsm_idinstances defined inside the various LSMs should be marked as static.The one ex
lsm: mark the lsm_id variables are marked as staticAs the kernel test robot helpfully reminded us, all of the lsm_idinstances defined inside the various LSMs should be marked as static.The one exception is Landlock which uses its lsm_id variable acrossmultiple source files with an extern declaration in a header file.Reported-by: kernel test robot <lkp@intel.com>Suggested-by: Casey Schaufler <casey@schaufler-ca.com>Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>Signed-off-by: Paul Moore <paul@paul-moore.com>
LSM: Identify modules by more than nameCreate a struct lsm_id to contain identifying information about LinuxSecurity Modules (LSMs). At inception this contains the name of themodule and an identi
LSM: Identify modules by more than nameCreate a struct lsm_id to contain identifying information about LinuxSecurity Modules (LSMs). At inception this contains the name of themodule and an identifier associated with the security module. Changethe security_add_hooks() interface to use this structure. Change theindividual modules to maintain their own struct lsm_id and pass it tosecurity_add_hooks().The values are for LSM identifiers are defined in a new UAPIheader file linux/lsm.h. Each existing LSM has been updated toinclude it's LSMID in the lsm_id.The LSM ID values are sequential, with the oldest moduleLSM_ID_CAPABILITY being the lowest value and the existing modulesnumbered in the order they were included in the main line kernel.This is an arbitrary convention for assigning the values, butnone better presents itself. The value 0 is defined as being invalid.The values 1-99 are reserved for any special case uses which mayarise in the future. This may include attributes of the LSMinfrastructure itself, possibly related to namespacing or networkattribute management. A special range is identified for such attributesto help reduce confusion for developers unfamiliar with LSMs.LSM attribute values are defined for the attributes presented bymodules that are available today. As with the LSM IDs, The value 0is defined as being invalid. The values 1-99 are reserved for anyspecial case uses which may arise in the future.Cc: linux-security-module <linux-security-module@vger.kernel.org>Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>Reviewed-by: Kees Cook <keescook@chromium.org>Reviewed-by: Serge Hallyn <serge@hallyn.com>Reviewed-by: Mickael Salaun <mic@digikod.net>Reviewed-by: John Johansen <john.johansen@canonical.com>Signed-off-by: Kees Cook <keescook@chromium.org>Nacked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>[PM: forward ported beyond v6.6 due merge window changes]Signed-off-by: Paul Moore <paul@paul-moore.com>
selinux: remove the runtime disable functionalityAfter working with the larger SELinux-based distros for severalyears, we're finally at a place where we can disable the SELinuxruntime disable fun
selinux: remove the runtime disable functionalityAfter working with the larger SELinux-based distros for severalyears, we're finally at a place where we can disable the SELinuxruntime disable functionality. The existing kernel deprecationnotice explains the functionality and why we want to remove it: The selinuxfs "disable" node allows SELinux to be disabled at runtime prior to a policy being loaded into the kernel. If disabled via this mechanism, SELinux will remain disabled until the system is rebooted. The preferred method of disabling SELinux is via the "selinux=0" boot parameter, but the selinuxfs "disable" node was created to make it easier for systems with primitive bootloaders that did not allow for easy modification of the kernel command line. Unfortunately, allowing for SELinux to be disabled at runtime makes it difficult to secure the kernel's LSM hooks using the "__ro_after_init" feature.It is that last sentence, mentioning the '__ro_after_init' hardening,which is the real motivation for this change, and if you look at thediffstat you'll see that the impact of this patch reaches across allthe different LSMs, helping prevent tampering at the LSM hook level.From a SELinux perspective, it is important to note that if youcontinue to disable SELinux via "/etc/selinux/config" it may appearthat SELinux is disabled, but it is simply in an uninitialized state.If you load a policy with `load_policy -i`, you will see SELinuxcome alive just as if you had loaded the policy during early-boot.It is also worth noting that the "/sys/fs/selinux/disable" file isalways writable now, regardless of the Kconfig settings, but writingto the file has no effect on the system, other than to display anerror on the console if a non-zero/true value is written.Finally, in the several years where we have been working ondeprecating this functionality, there has only been one instance ofsomeone mentioning any user visible breakage. In this particularcase it was an individual's kernel test system, and the workarounddocumented in the deprecation notice ("selinux=0" on the kernelcommand line) resolved the issue without problem.Acked-by: Casey Schaufler <casey@schaufler-ca.com>Signed-off-by: Paul Moore <paul@paul-moore.com>
bpf: Implement task local storageSimilar to bpf_local_storage for sockets and inodes add local storagefor task_struct.The life-cycle of storage is managed with the life-cycle of thetask_struct.
bpf: Implement task local storageSimilar to bpf_local_storage for sockets and inodes add local storagefor task_struct.The life-cycle of storage is managed with the life-cycle of thetask_struct. i.e. the storage is destroyed along with the owning taskwith a callback to the bpf_task_storage_free from the task_free LSMhook.The BPF LSM allocates an __rcu pointer to the bpf_local_storage inthe security blob which are now stackable and can co-exist with otherLSMs.The userspace map operations can be done by using a pid fd as a keypassed to the lookup, update and delete operations.Signed-off-by: KP Singh <kpsingh@google.com>Signed-off-by: Alexei Starovoitov <ast@kernel.org>Acked-by: Song Liu <songliubraving@fb.com>Acked-by: Martin KaFai Lau <kafai@fb.com>Link: https://lore.kernel.org/bpf/20201106103747.2780972-3-kpsingh@chromium.org
bpf: Implement bpf_local_storage for inodesSimilar to bpf_local_storage for sockets, add local storage for inodes.The life-cycle of storage is managed with the life-cycle of the inode.i.e. the st
bpf: Implement bpf_local_storage for inodesSimilar to bpf_local_storage for sockets, add local storage for inodes.The life-cycle of storage is managed with the life-cycle of the inode.i.e. the storage is destroyed along with the owning inode.The BPF LSM allocates an __rcu pointer to the bpf_local_storage in thesecurity blob which are now stackable and can co-exist with other LSMs.Signed-off-by: KP Singh <kpsingh@google.com>Signed-off-by: Alexei Starovoitov <ast@kernel.org>Link: https://lore.kernel.org/bpf/20200825182919.1118197-6-kpsingh@chromium.org
bpf: lsm: Initialize the BPF LSM hooks* The hooks are initialized using the definitions in include/linux/lsm_hook_defs.h.* The LSM can be enabled / disabled with CONFIG_BPF_LSM.Signed-off-by:
bpf: lsm: Initialize the BPF LSM hooks* The hooks are initialized using the definitions in include/linux/lsm_hook_defs.h.* The LSM can be enabled / disabled with CONFIG_BPF_LSM.Signed-off-by: KP Singh <kpsingh@google.com>Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>Reviewed-by: Brendan Jackman <jackmanb@google.com>Reviewed-by: Florent Revest <revest@google.com>Acked-by: Kees Cook <keescook@chromium.org>Acked-by: James Morris <jamorris@linux.microsoft.com>Link: https://lore.kernel.org/bpf/20200329004356.27286-6-kpsingh@chromium.org