From patchwork Thu Aug 4 07:12:29 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sargun Dhillon X-Patchwork-Id: 655694 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3s4h3b6NdXz9t0t for ; Thu, 4 Aug 2016 17:12:59 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=sargun.me header.i=@sargun.me header.b=jFTgpkZz; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932329AbcHDHMf (ORCPT ); Thu, 4 Aug 2016 03:12:35 -0400 Received: from mail-it0-f44.google.com ([209.85.214.44]:36436 "EHLO mail-it0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932165AbcHDHMc (ORCPT ); Thu, 4 Aug 2016 03:12:32 -0400 Received: by mail-it0-f44.google.com with SMTP id f6so315060729ith.1 for ; Thu, 04 Aug 2016 00:12:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sargun.me; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition :user-agent; bh=0sVkfHwiO4BSv1y5/mR1oMe51eYk/8sU9gjX0BTihbE=; b=jFTgpkZz7wXN7a24VGW61Zb7bmIry+E5RjvMry/jrtMhX3EbVxy9JDlAmVHT202BGe pqNO58fz8NniTjt89INQkJV21oPgejPjZz0NAk/4GMKO+gSMinmWY7mHnvm4UdzWhfNN QgtcdIScAq7RbakYvwtvAYCu0Bzbj5Q4xzXEM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition:user-agent; bh=0sVkfHwiO4BSv1y5/mR1oMe51eYk/8sU9gjX0BTihbE=; b=CIcPI/MyDhadYFkQ9ygJ0wy4sCeysJFDt19UYh7WE9flD1ebQVVP9OBlaTU+jD35rI +6XJpgBHJyitxAhJffl3SUqqNxZrq2FvSmP21Ii8rYpDnix8NlwroddnLXgmf9GdDShW fO4NsPJNJYOU0OYqNou/B+jgsNhwMZ9Ew3UoSkqXg9wxR01pFdtfNjeqjPQ5s8rX51YF 
JXgPFb0CC3RBurHHqNEd9qxJiZNAfexFw6+2iUE359RSkVngSyAZ33Cho0CjIT39mr67 OQpyS/RxD8qUBZr9aagtwQLCNGeEgTGZvN9r2fVciwd8ltOw7bsHBjs9scjSpoeI+xyt iT5w== X-Gm-Message-State: AEkoouvXtmdUDPHPSrcRo5xcFPABhGISZqanKN9APU2AvTBACA2OTRwlMN9rFR7QniqTnA== X-Received: by 10.36.58.8 with SMTP id m8mr30334257itm.95.1470294751233; Thu, 04 Aug 2016 00:12:31 -0700 (PDT) Received: from ircssh.c.rugged-nimbus-611.internal (55.145.251.23.bc.googleusercontent.com. [23.251.145.55]) by smtp.gmail.com with ESMTPSA id 65sm1052709itl.16.2016.08.04.00.12.30 (version=TLS1_2 cipher=AES128-SHA bits=128/128); Thu, 04 Aug 2016 00:12:30 -0700 (PDT) Date: Thu, 4 Aug 2016 00:12:29 -0700 From: Sargun Dhillon To: linux-kernel@vger.kernel.org Cc: alexei.starovoitov@gmail.com, daniel@iogearbox.net, linux-security-module@vger.kernel.org, netdev@vger.kernel.org Subject: [RFC 4/4] bpf: Restrict Checmate bpf programs to current kernel ABI Message-ID: <20160804071227.GA19135@ircssh.c.rugged-nimbus-611.internal> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org I think it makes sense to restrict Checmate to loading programs that have been compiled with the current kernel ABI. We can further stabilize the ABI, and perhaps lift this restriction later. Signed-off-by: Sargun Dhillon --- kernel/bpf/syscall.c | 2 +- samples/bpf/checmate1_kern.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 228f962..2a37b4d 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -741,7 +741,7 @@ static int bpf_prog_load(union bpf_attr *attr) if (attr->insn_cnt >= BPF_MAXINSNS) return -EINVAL; - if (type == BPF_PROG_TYPE_KPROBE && + if ((type & (BPF_PROG_TYPE_KPROBE | BPF_PROG_TYPE_CHECMATE)) && attr->kern_version != LINUX_VERSION_CODE) return -EINVAL; 
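Review bot: the replaced condition in the bpf_prog_load hunk, `if ((type & (BPF_PROG_TYPE_KPROBE | BPF_PROG_TYPE_CHECMATE)) &&`, turns the former equality test `type == BPF_PROG_TYPE_KPROBE` into a bitwise AND, but the BPF_PROG_TYPE_* constants are sequential enum values, not single-bit flags, so the expression does not select exactly those two program types: any type sharing a set bit with either constant is forced through the kern_version comparison, and a type whose bits are disjoint from both bypasses it. Spell out the two comparisons instead: `if ((type == BPF_PROG_TYPE_KPROBE || type == BPF_PROG_TYPE_CHECMATE) &&` followed by the unchanged `attr->kern_version != LINUX_VERSION_CODE)` line. The commit message should also say that the only effect of a mismatch is a bare -EINVAL from the load, since that is what users of existing Checmate programs will see after this change.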
diff --git a/samples/bpf/checmate1_kern.c b/samples/bpf/checmate1_kern.c index f78b66b..d4ec1fa 100644 --- a/samples/bpf/checmate1_kern.c +++ b/samples/bpf/checmate1_kern.c @@ -3,6 +3,7 @@ #include #include #include "bpf_helpers.h" +#include SEC("checmate") int prog(struct checmate_ctx *ctx) @@ -24,4 +25,4 @@ int prog(struct checmate_ctx *ctx) } char _license[] SEC("license") = "GPL"; - +u32 _version SEC("version") = LINUX_VERSION_CODE;
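Review bot: the added `u32 _version SEC("version") = LINUX_VERSION_CODE;` in the sample pins it to the exact kernel it was built against, which is what the new check in bpf_prog_load requires, but the sample and the commit message do not mention this; a one-line comment above the declaration saying that the program is rejected with -EINVAL when loaded on any other kernel version would save the next reader a trip through syscall.c. Removing the trailing blank line is fine.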