Commit 71330842 authored by Daniel Borkmann's avatar Daniel Borkmann
Browse files

bpf: Add _kernel suffix to internal lockdown_bpf_read 



Rename LOCKDOWN_BPF_READ into LOCKDOWN_BPF_READ_KERNEL so we have naming
more consistent with a LOCKDOWN_BPF_WRITE_USER option that we are adding.

Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarAndrii Nakryiko <andrii@kernel.org>
parent d09c548d

include/linux/security.h

+1 −1
Original line number Diff line number Diff line
@@ -123,7 +123,7 @@ enum lockdown_reason { 
	LOCKDOWN_INTEGRITY_MAX,

	LOCKDOWN_KCORE,

	LOCKDOWN_KPROBES,

	LOCKDOWN_BPF_READ,

	LOCKDOWN_BPF_READ_KERNEL,

	LOCKDOWN_PERF,

	LOCKDOWN_TRACEFS,

	LOCKDOWN_XMON_RW,

kernel/bpf/helpers.c

+2 −2
Original line number Diff line number Diff line
@@ -1070,12 +1070,12 @@ bpf_base_func_proto(enum bpf_func_id func_id) 
	case BPF_FUNC_probe_read_user:

		return &bpf_probe_read_user_proto;

	case BPF_FUNC_probe_read_kernel:

		return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?

		return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?

		       NULL : &bpf_probe_read_kernel_proto;

	case BPF_FUNC_probe_read_user_str:

		return &bpf_probe_read_user_str_proto;

	case BPF_FUNC_probe_read_kernel_str:

		return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?

		return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?

		       NULL : &bpf_probe_read_kernel_str_proto;

	case BPF_FUNC_snprintf_btf:

		return &bpf_snprintf_btf_proto;

kernel/trace/bpf_trace.c

+4 −4
Original line number Diff line number Diff line
@@ -999,19 +999,19 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) 
	case BPF_FUNC_probe_read_user:

		return &bpf_probe_read_user_proto;

	case BPF_FUNC_probe_read_kernel:

		return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?

		return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?

		       NULL : &bpf_probe_read_kernel_proto;

	case BPF_FUNC_probe_read_user_str:

		return &bpf_probe_read_user_str_proto;

	case BPF_FUNC_probe_read_kernel_str:

		return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?

		return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?

		       NULL : &bpf_probe_read_kernel_str_proto;

#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE

	case BPF_FUNC_probe_read:

		return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?

		return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?

		       NULL : &bpf_probe_read_compat_proto;

	case BPF_FUNC_probe_read_str:

		return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?

		return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?

		       NULL : &bpf_probe_read_compat_str_proto;

#endif

#ifdef CONFIG_CGROUPS

security/security.c

+1 −1
Original line number Diff line number Diff line
@@ -61,7 +61,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { 
	[LOCKDOWN_INTEGRITY_MAX] = "integrity",

	[LOCKDOWN_KCORE] = "/proc/kcore access",

	[LOCKDOWN_KPROBES] = "use of kprobes",

	[LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM",

	[LOCKDOWN_BPF_READ_KERNEL] = "use of bpf to read kernel RAM",

	[LOCKDOWN_PERF] = "unsafe use of perf",

	[LOCKDOWN_TRACEFS] = "use of tracefs",

	[LOCKDOWN_XMON_RW] = "xmon read and write access",