diff -drupN a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
|
|
--- a/include/linux/lsm_hooks.h 2018-08-06 17:23:04.000000000 +0300
|
|
+++ b/include/linux/lsm_hooks.h 2022-06-12 05:28:14.000000000 +0300
|
|
@@ -1328,7 +1328,40 @@
|
|
* @inode we wish to get the security context of.
|
|
* @ctx is a pointer in which to place the allocated security context.
|
|
* @ctxlen points to the place to put the length of @ctx.
|
|
- * This is the main security structure.
|
|
+ *
|
|
+ * Security hooks for using the eBPF maps and programs functionalities through
|
|
+ * eBPF syscalls.
|
|
+ *
|
|
+ * @bpf:
|
|
+ * Do a initial check for all bpf syscalls after the attribute is copied
|
|
+ * into the kernel. The actual security module can implement their own
|
|
+ * rules to check the specific cmd they need.
|
|
+ *
|
|
+ * @bpf_map:
|
|
+ * Do a check when the kernel generate and return a file descriptor for
|
|
+ * eBPF maps.
|
|
+ *
|
|
+ * @map: bpf map that we want to access
|
|
+ * @mask: the access flags
|
|
+ *
|
|
+ * @bpf_prog:
|
|
+ * Do a check when the kernel generate and return a file descriptor for
|
|
+ * eBPF programs.
|
|
+ *
|
|
+ * @prog: bpf prog that userspace want to use.
|
|
+ *
|
|
+ * @bpf_map_alloc_security:
|
|
+ * Initialize the security field inside bpf map.
|
|
+ *
|
|
+ * @bpf_map_free_security:
|
|
+ * Clean up the security information stored inside bpf map.
|
|
+ *
|
|
+ * @bpf_prog_alloc_security:
|
|
+ * Initialize the security field inside bpf program.
|
|
+ *
|
|
+ * @bpf_prog_free_security:
|
|
+ * Clean up the security information stored inside bpf prog.
|
|
+ *
|
|
*/
|
|
|
|
union security_list_options {
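Review bot: The `@bpf_map` description documents a parameter named `@mask` ("the access flags"), but the hook prototype this same patch adds to `union security_list_options` takes `fmode_t fmode`, so the documentation and the signature disagree on both the name and the type. I would change the line to `* @fmode: the open mode (fmode_t) the map file descriptor is being created with`, so an LSM author knows the value is a file mode rather than a generic permission mask. Two grammar slips in the new text are worth fixing while here: `Do a initial check` should be `Do an initial check`, and `Do a check when the kernel generate and return a file descriptor` (appears twice) should read `Do a check when the kernel generates and returns a file descriptor`. The comment block is the only documentation of the contract, so its wording should match the prototypes exactly.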
|
|
@@ -1652,6 +1685,17 @@ union security_list_options {
|
|
struct audit_context *actx);
|
|
void (*audit_rule_free)(void *lsmrule);
|
|
#endif /* CONFIG_AUDIT */
|
|
+
|
|
+#ifdef CONFIG_BPF_SYSCALL
|
|
+ int (*bpf)(int cmd, union bpf_attr *attr,
|
|
+ unsigned int size);
|
|
+ int (*bpf_map)(struct bpf_map *map, fmode_t fmode);
|
|
+ int (*bpf_prog)(struct bpf_prog *prog);
|
|
+ int (*bpf_map_alloc_security)(struct bpf_map *map);
|
|
+ void (*bpf_map_free_security)(struct bpf_map *map);
|
|
+ int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux);
|
|
+ void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
|
|
+#endif /* CONFIG_BPF_SYSCALL */
|
|
};
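Review bot: The new member prototypes reference `union bpf_attr`, `struct bpf_map`, `struct bpf_prog` and `struct bpf_prog_aux`, and nothing in this diff forward-declares them; if this header does not already see those declarations (via `linux/security.h` or otherwise), each one is declared in prototype scope, the compiler warns that the type "will not be visible outside of this definition", and any LSM assigning its handler into the union gets an incompatible-pointer-type error. A one-line guard near the top of the header, `union bpf_attr; struct bpf_map; struct bpf_prog; struct bpf_prog_aux;` under `#ifdef CONFIG_BPF_SYSCALL`, or confirming they are provided by an included header, resolves this; `fmode_t` likewise needs `linux/types.h` in scope. Separately, `bpf_map_alloc_security` and `bpf_prog_alloc_security` return `int` while the matching free hooks return `void`, so callers must treat a non-zero return as "security field not initialized" and skip the corresponding free hook; that pairing is worth stating in the comment block. The `union security_list_options` definition starts outside this hunk.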
|
|
|
|
struct security_hook_heads {
|
|
@@ -1866,6 +1910,15 @@ struct security_hook_heads {
|
|
struct list_head audit_rule_match;
|
|
struct list_head audit_rule_free;
|
|
#endif /* CONFIG_AUDIT */
|
|
+#ifdef CONFIG_BPF_SYSCALL
|
|
+ struct list_head bpf;
|
|
+ struct list_head bpf_map;
|
|
+ struct list_head bpf_prog;
|
|
+ struct list_head bpf_map_alloc_security;
|
|
+ struct list_head bpf_map_free_security;
|
|
+ struct list_head bpf_prog_alloc_security;
|
|
+ struct list_head bpf_prog_free_security;
|
|
+#endif /* CONFIG_BPF_SYSCALL */
|
|
};
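Review bot: The seven new `struct list_head` entries mirror the union members from the previous hunk, but list heads alone never run anything: unless a companion change adds the `security_bpf()`, `security_bpf_map()`, `security_bpf_prog()` and alloc/free wrappers that iterate these heads, plus the call sites in the bpf syscall path, the hooks are dead declarations and no LSM check is actually enforced. Since this backport only touches `lsm_hooks.h` here, I would confirm the rest of the series is applied as well, or note in the commit message which follow-up commit wires them. A short comment on the `#ifdef CONFIG_BPF_SYSCALL` group, `/* must stay in sync with union security_list_options above */`, would also help the next backporter keep the two lists aligned. The `struct security_hook_heads` definition starts outside this hunk.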
|
|
|
|
/*
|