Changes in Makefile

ead5d1f4d877e92c051e1a1ade623d0d30e71619 - Merge branch 'master' into for-next

Tue, 01 Sep 2020 14:19:48 +0200

Merge branch 'master' into for-nextSync with Linus' branch in order to be able to apply fixupsof more recent patches. List of files: /linux/security/bpf/Makefile

9e8238020c5beba64e7ffafbb7ea0fb02fe68270 - Merge branch 'next' into for-linus

Sat, 08 Aug 2020 01:41:01 +0200

Merge branch 'next' into for-linusPrepare input updates for 5.9 merge window. List of files: /linux/security/bpf/Makefile

9b031c86506cef9acae45e61339fcf9deaabb793 - Merge branch 'elan-i2c' into next

Wed, 22 Jul 2020 04:02:33 +0200

Merge branch 'elan-i2c' into nextBring in update to Elan touchpad driver to support newer touchpads withhigher resolution. List of files: /linux/security/bpf/Makefile

d053cf0d771f6547cb0537759a9af63cf402908d - Merge branch 'for-5.8' into for-linus

Mon, 01 Jun 2020 10:15:16 +0200

Merge branch 'for-5.8' into for-linus List of files: /linux/security/bpf/Makefile

1f422417945d08731e2915e0addb976f11b3a85a - Merge branch 'timers/drivers/timer-ti' into timers/drivers/next

Sat, 23 May 2020 00:01:13 +0200

Merge branch 'timers/drivers/timer-ti' into timers/drivers/next List of files: /linux/security/bpf/Makefile

68f0f2690e183306b52671a9ad09fb31808b0500 - Merge branch 'for-mingo' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu into core/rcu

Mon, 11 May 2020 22:54:30 +0200

Merge branch 'for-mingo' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu into core/rcuPull RCU updates from Paul McKenney: 1. Miscellaneous fixes. 2. kfree_rcu() updates. 3. Remove scheduler locking restriction 4. RCU-tasks update, including addition of RCU Tasks Trace for BPF use and RCU Tasks Rude. (This branch is on top of #3 due to overlap of changed code.) 5. RCU CPU stall warning updates. 6. Torture-test updates. List of files: /linux/security/bpf/Makefile

4353dd3b70783ebbc83fcf12d9c0af3fbab0223b - Merge tag 'efi-next' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi into efi/core

Sat, 25 Apr 2020 10:25:02 +0200

Merge tag 'efi-next' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi into efi/corePull EFI changes for v5.8 from Ard Biesheuvel:"- preliminary changes for RISC-V - add support for setting the resolution on the EFI framebuffer - simplify kernel image loading for arm64 - Move .bss into .data via the linker script instead of relying on symbol annotations. - Get rid of __pure getters to access global variables - Clean up the config table matching arrays"Signed-off-by: Ingo Molnar List of files: /linux/security/bpf/Makefile

36dbae9945322e660795e73ffc8ed8ae4f25d13d - Merge branch 'topic/nhlt' into for-next

Fri, 24 Apr 2020 08:22:16 +0200

Merge branch 'topic/nhlt' into for-nextMerge NHLT init cleanup.Signed-off-by: Takashi Iwai List of files: /linux/security/bpf/Makefile

41d91ec3de8a90167159275bde7ed65768723556 - Merge tag 'tegra-for-5.7-asoc' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into asoc-5.7

Wed, 22 Apr 2020 09:51:44 +0200

Merge tag 'tegra-for-5.7-asoc' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into asoc-5.7ASoC: tegra: Fixes for v5.7-rc3This contains a couple of fixes that are needed to properly reconfigurethe audio clocks on older Tegra devices. List of files: /linux/security/bpf/Makefile

175ae3ad59ab3459652bd2ae3bbc1785aeba1bf3 - Merge branch 'fixes-v5.7' into fixes

Tue, 21 Apr 2020 18:36:03 +0200

Merge branch 'fixes-v5.7' into fixes List of files: /linux/security/bpf/Makefile

08d99b2c23dfa84ca5b5e5c194062a0550888b71 - Merge drm/drm-next into drm-misc-next

Fri, 17 Apr 2020 08:12:22 +0200

Merge drm/drm-next into drm-misc-nextBackmerging required to pull topic/phy-compliance.Signed-off-by: Thomas Zimmermann List of files: /linux/security/bpf/Makefile

2b703bbda2713fd2a7d98029ea6c44f9c3159f34 - Merge drm/drm-next into drm-intel-next-queued

Thu, 16 Apr 2020 13:35:16 +0200

Merge drm/drm-next into drm-intel-next-queuedBackmerging in order to pull "topic/phy-compliance".Signed-off-by: Joonas Lahtinen List of files: /linux/security/bpf/Makefile

a4721ced760684d1776bf31f7925aa41bb3f4846 - Merge v5.7-rc1 into drm-misc-fixes

Tue, 14 Apr 2020 09:19:50 +0200

Merge v5.7-rc1 into drm-misc-fixesStart the new drm-misc-fixes cycle.Signed-off-by: Maxime Ripard List of files: /linux/security/bpf/Makefile

3b02a051d25d9600e9d403ad3043aed7de00160e - Merge tag 'v5.7-rc1' into locking/kcsan, to resolve conflicts and refresh

Mon, 13 Apr 2020 09:44:39 +0200

Merge tag 'v5.7-rc1' into locking/kcsan, to resolve conflicts and refreshResolve these conflicts: arch/x86/Kconfig arch/x86/kernel/MakefileDo a minor "evil merge" to move the KCSAN entry up a bit by a few linesin the Kconfig to reduce the probability of future conflicts.Signed-off-by: Ingo Molnar List of files: /linux/security/bpf/Makefile

29d9f30d4ce6c7a38745a54a8cddface10013490 - Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next

Wed, 01 Apr 2020 02:29:33 +0200

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-nextPull networking updates from David Miller: "Highlights: 1) Fix the iwlwifi regression, from Johannes Berg. 2) Support BSS coloring and 802.11 encapsulation offloading in hardware, from John Crispin. 3) Fix some potential Spectre issues in qtnfmac, from Sergey Matyukevich. 4) Add TTL decrement action to openvswitch, from Matteo Croce. 5) Allow paralleization through flow_action setup by not taking the RTNL mutex, from Vlad Buslov. 6) A lot of zero-length array to flexible-array conversions, from Gustavo A. R. Silva. 7) Align XDP statistics names across several drivers for consistency, from Lorenzo Bianconi. 8) Add various pieces of infrastructure for offloading conntrack, and make use of it in mlx5 driver, from Paul Blakey. 9) Allow using listening sockets in BPF sockmap, from Jakub Sitnicki. 10) Lots of parallelization improvements during configuration changes in mlxsw driver, from Ido Schimmel. 11) Add support to devlink for generic packet traps, which report packets dropped during ACL processing. And use them in mlxsw driver. From Jiri Pirko. 12) Support bcmgenet on ACPI, from Jeremy Linton. 13) Make BPF compatible with RT, from Thomas Gleixnet, Alexei Starovoitov, and your's truly. 14) Support XDP meta-data in virtio_net, from Yuya Kusakabe. 15) Fix sysfs permissions when network devices change namespaces, from Christian Brauner. 16) Add a flags element to ethtool_ops so that drivers can more simply indicate which coalescing parameters they actually support, and therefore the generic layer can validate the user's ethtool request. Use this in all drivers, from Jakub Kicinski. 17) Offload FIFO qdisc in mlxsw, from Petr Machata. 18) Support UDP sockets in sockmap, from Lorenz Bauer. 19) Fix stretch ACK bugs in several TCP congestion control modules, from Pengcheng Yang. 20) Support virtual functiosn in octeontx2 driver, from Tomasz Duszynski. 21) Add region operations for devlink and use it in ice driver to dump NVM contents, from Jacob Keller. 22) Add support for hw offload of MACSEC, from Antoine Tenart. 23) Add support for BPF programs that can be attached to LSM hooks, from KP Singh. 24) Support for multiple paths, path managers, and counters in MPTCP. From Peter Krystad, Paolo Abeni, Florian Westphal, Davide Caratti, and others. 25) More progress on adding the netlink interface to ethtool, from Michal Kubecek"* git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (2121 commits) net: ipv6: rpl_iptunnel: Fix potential memory leak in rpl_do_srh_inline cxgb4/chcr: nic-tls stats in ethtool net: dsa: fix oops while probing Marvell DSA switches net/bpfilter: remove superfluous testing message net: macb: Fix handling of fixed-link node net: dsa: ksz: Select KSZ protocol tag netdevsim: dev: Fix memory leak in nsim_dev_take_snapshot_write net: stmmac: add EHL 2.5Gbps PCI info and PCI ID net: stmmac: add EHL PSE0 & PSE1 1Gbps PCI info and PCI ID net: stmmac: create dwmac-intel.c to contain all Intel platform net: dsa: bcm_sf2: Support specifying VLAN tag egress rule net: dsa: bcm_sf2: Add support for matching VLAN TCI net: dsa: bcm_sf2: Move writing of CFP_DATA(5) into slicing functions net: dsa: bcm_sf2: Check earlier for FLOW_EXT and FLOW_MAC_EXT net: dsa: bcm_sf2: Disable learning for ASP port net: dsa: b53: Deny enslaving port 7 for 7278 into a bridge net: dsa: b53: Prevent tagged VLAN on port 7 for 7278 net: dsa: b53: Restore VLAN entries upon (re)configuration net: dsa: bcm_sf2: Fix overflow checks hv_netvsc: Remove unnecessary round_up for recv_completion_cnt ... List of files: /linux/security/bpf/Makefile

ed52f2c608c9451fa2bad298b2ab927416105d65 - Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

Tue, 31 Mar 2020 04:52:37 +0200

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-nextSigned-off-by: David S. Miller List of files: /linux/security/bpf/Makefile

641cd7b06c911c5935c34f24850ea18690649917 - Merge branch 'bpf-lsm'

Mon, 30 Mar 2020 01:35:55 +0200

Merge branch 'bpf-lsm'KP Singh says:====================** MotivationGoogle does analysis of rich runtime security data to detect and thwartthreats in real-time. Currently, this is done in custom kernel modulesbut we would like to replace this with something that's upstream anduseful to others.The current kernel infrastructure for providing telemetry (Audit, Perfetc.) is disjoint from access enforcement (i.e. LSMs). Augmenting theinformation provided by audit requires kernel changes to audit, itspolicy language and user-space components. Furthermore, building a MACpolicy based on the newly added telemetry data requires changes tovarious LSMs and their respective policy languages.This patchset allows BPF programs to be attached to LSM hooks Thisfacilitates a unified and dynamic (not requiring re-compilation of thekernel) audit and MAC policy.** Why an LSM?Linux Security Modules target security behaviours rather than thekernel's API. For example, it's easy to miss out a newly added systemcall for executing processes (eg. execve, execveat etc.) but the LSMframework ensures that all process executions trigger the relevant hooksirrespective of how the process was executed.Allowing users to implement LSM hooks at runtime also benefits the LSMeco-system by enabling a quick feedback loop from the security communityabout the kind of behaviours that the LSM Framework should be targeting.** How does it work?The patchset introduces a new eBPF (https://docs.cilium.io/en/v1.6/bpf/)program type BPF_PROG_TYPE_LSM which can only be attached to LSM hooks.Loading and attachment of BPF programs requires CAP_SYS_ADMIN.The new LSM registers nop functions (bpf_lsm_) as LSM hookcallbacks. Their purpose is to provide a definite point where BPFprograms can be attached as BPF_TRAMP_MODIFY_RETURN trampoline programsfor hooks that return an int, and BPF_TRAMP_FEXIT trampoline programsfor void LSM hooks.Audit logs can be written using a format chosen by the eBPF program tothe perf events buffer or to global eBPF variables or maps and can befurther processed in user-space.** BTF Based DesignThe current design uses BTF: * https://facebookmicrosites.github.io/bpf/blog/2018/11/14/btf-enhancement.html * https://lwn.net/Articles/803258which allows verifiable read-only structure accesses by field namesrather than fixed offsets. This allows accessing the hook parametersusing a dynamically created context which provides a certain degree ofABI stability: // Only declare the structure and fields intended to be used // in the program struct vm_area_struct { unsigned long vm_start; } __attribute__((preserve_access_index)); // Declare the eBPF program mprotect_audit which attaches to // to the file_mprotect LSM hook and accepts three arguments. SEC("lsm/file_mprotect") int BPF_PROG(mprotect_audit, struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot, int ret) { unsigned long vm_start = vma->vm_start; return 0; }By relocating field offsets, BTF makes a large portion of kernel datastructures readily accessible across kernel versions without requiring alarge corpus of BPF helper functions and requiring recompilation withevery kernel version. The BTF type information is also used by the BPFverifier to validate memory accesses within the BPF program and alsoprevents arbitrary writes to the kernel memory.The limitations of BTF compatibility are described in BPF Co-Re(http://vger.kernel.org/bpfconf2019_talks/bpf-core.pdf, i.e. fieldrenames, #defines and changes to the signature of LSM hooks). Thisdesign imposes that the MAC policy (eBPF programs) be updated when theinspected kernel structures change outside of BTF compatibilityguarantees. In practice, this is only required when a structure fieldused by a current policy is removed (or renamed) or when the used LSMhooks change. We expect the maintenance cost of these changes to beacceptable as compared to the design presented in the RFC.(https://lore.kernel.org/bpf/20190910115527.5235-1-kpsingh@chromium.org/).** Usage ExamplesA simple example and some documentation is included in the patchset.In order to better illustrate the capabilities of the framework somemore advanced prototype (not-ready for review) code has also beenpublished separately:* Logging execution events (including environment variables and arguments) https://github.com/sinkap/linux-krsi/blob/patch/v1/examples/samples/bpf/lsm_audit_env.c* Detecting deletion of running executables: https://github.com/sinkap/linux-krsi/blob/patch/v1/examples/samples/bpf/lsm_detect_exec_unlink.c* Detection of writes to /proc//mem: https://github.com/sinkap/linux-krsi/blob/patch/v1/examples/samples/bpf/lsm_audit_env.cWe have updated Google's internal telemetry infrastructure and havestarted deploying this LSM on our Linux Workstations. This gives us moreconfidence in the real-world applications of such a system.** Changelog:- v8 -> v9: https://lore.kernel.org/bpf/20200327192854.31150-1-kpsingh@chromium.org/* Fixed a selftest crash when CONFIG_LSM doesn't have "bpf".* Added James' Ack.* Rebase.- v7 -> v8: https://lore.kernel.org/bpf/20200326142823.26277-1-kpsingh@chromium.org/* Removed CAP_MAC_ADMIN check from bpf_lsm_verify_prog. LSMs can add it in their own bpf_prog hook. This can be revisited as a separate patch.* Added Andrii and James' Ack/Review tags.* Fixed an indentation issue and missing newlines in selftest error a cases.* Updated a comment as suggested by Alexei.* Updated the documentation to use the newer libbpf API and some other fixes.* Rebase- v6 -> v7: https://lore.kernel.org/bpf/20200325152629.6904-1-kpsingh@chromium.org/* Removed __weak from the LSM attachment nops per Kees' suggestion. Will send a separate patch (if needed) to update the noinline definition in include/linux/compiler_attributes.h.* waitpid to wait specifically for the forked child in selftests.* Comment format fixes in security/... as suggested by Casey.* Added Acks from Kees and Andrii and Casey's Reviewed-by: tags to the respective patches.* Rebase- v5 -> v6: https://lore.kernel.org/bpf/20200323164415.12943-1-kpsingh@chromium.org/* Updated LSM_HOOK macro to define a default value and cleaned up the BPF LSM hook declarations.* Added Yonghong's Acks and Kees' Reviewed-by tags.* Simplification of the selftest code.* Rebase and fixes suggested by Andrii and Yonghong and some other minor fixes noticed in internal review.- v4 -> v5: https://lore.kernel.org/bpf/20200220175250.10795-1-kpsingh@chromium.org/* Removed static keys and special casing of BPF calls from the LSM framework.* Initialized the BPF callbacks (nops) as proper LSM hooks.* Updated to using the newly introduced BPF_TRAMP_MODIFY_RETURN trampolines in https://lkml.org/lkml/2020/3/4/877* Addressed Andrii's feedback and rebased.- v3 -> v4:* Moved away from allocating a separate security_hook_heads and adding a new special case for arch_prepare_bpf_trampoline to using BPF fexit trampolines called from the right place in the LSM hook and toggled by static keys based on the discussion in: https://lore.kernel.org/bpf/CAG48ez25mW+_oCxgCtbiGMX07g_ph79UOJa07h=o_6B6+Q-u5g@mail.gmail.com/* Since the code does not deal with security_hook_heads anymore, it goes from "being a BPF LSM" to "BPF program attachment to LSM hooks".* Added a new test case which ensures that the BPF programs' return value is reflected by the LSM hook.- v2 -> v3 does not change the overall design and has some minor fixes:* LSM_ORDER_LAST is introduced to represent the behaviour of the BPF LSM* Fixed the inadvertent clobbering of the LSM Hook error codes* Added GPL license requirement to the commit log* The lsm_hook_idx is now the more conventional 0-based index* Some changes were split into a separate patch ("Load btf_vmlinux only once per object") https://lore.kernel.org/bpf/20200117212825.11755-1-kpsingh@chromium.org/* Addressed Andrii's feedback on the BTF implementation* Documentation update for using generated vmlinux.h to simplify programs* Rebase- Changes since v1: https://lore.kernel.org/bpf/20191220154208.15895-1-kpsingh@chromium.org* Eliminate the requirement to maintain LSM hooks separately in security/bpf/hooks.h Use BPF trampolines to dynamically allocate security hooks* Drop the use of securityfs as bpftool provides the required introspection capabilities. Update the tests to use the bpf_skeleton and global variables* Use O_CLOEXEC anonymous fds to represent BPF attachment in line with the other BPF programs with the possibility to use bpf program pinning in the future to provide "permanent attachment".* Drop the logic based on prog names for handling re-attachment.* Drop bpf_lsm_event_output from this series and send it as a separate patch.====================Signed-off-by: Daniel Borkmann List of files: /linux/security/bpf/Makefile

520b7aa00d8cd8e411ecc09f63a2acd90feb6d29 - bpf: lsm: Initialize the BPF LSM hooks

Sun, 29 Mar 2020 01:43:53 +0100

bpf: lsm: Initialize the BPF LSM hooks* The hooks are initialized using the definitions in include/linux/lsm_hook_defs.h.* The LSM can be enabled / disabled with CONFIG_BPF_LSM.Signed-off-by: KP Singh Signed-off-by: Daniel Borkmann Reviewed-by: Brendan Jackman Reviewed-by: Florent Revest Acked-by: Kees Cook Acked-by: James Morris Link: https://lore.kernel.org/bpf/20200329004356.27286-6-kpsingh@chromium.org List of files: /linux/security/bpf/Makefile