security: bpf: Add LSM hooks for bpf object related syscall
authorChenbo Feng <fengc@google.com>
Wed, 18 Oct 2017 20:00:24 +0000 (13:00 -0700)
committerDavid S. Miller <davem@davemloft.net>
Fri, 20 Oct 2017 12:32:59 +0000 (13:32 +0100)
commitafdb09c720b62b8090584c11151d856df330e57d
tree61e44af438b458ffd16624c5337f65ab76c94912
parente043325b308745d6968673e7b53080bd7cc39f08
security: bpf: Add LSM hooks for bpf object related syscall

Introduce several LSM hooks for the syscalls that will allow the
userspace to access to eBPF object such as eBPF programs and eBPF maps.
The security check is aimed to enforce a per object security protection
for eBPF object so only processes with the right priviliges can
read/write to a specific map or use a specific eBPF program. Besides
that, a general security hook is added before the multiplexer of bpf
syscall to check the cmd and the attribute used for the command. The
actual security module can decide which command need to be checked and
how the cmd should be checked.

Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/bpf.h
include/linux/lsm_hooks.h
include/linux/security.h
kernel/bpf/syscall.c
security/security.c