forked from torvalds/linux
Commit
bpf-preload: Do kernel mount to ensure that pinned objects don't disappear

One of the differences between traditional LSMs in the security subsystem and LSMs implemented as eBPF programs is that for the latter category it cannot be guaranteed that they cannot be stopped. If a pinned program is unpinned, its execution will be stopped and it will no longer enforce its policy. For traditional LSMs this problem does not arise as, once they are invoked by the kernel, only the LSMs themselves decide whether or not they could be stopped.

Solve this problem by mounting the bpf filesystem from the kernel, so that an object cannot be unpinned (a kernel mount is not accessible to user space). This will ensure that the LSM will run until the very end of the kernel lifecycle.

Delay the kernel mount until the security subsystem (e.g. IMA) is fully initialized (e.g. keys loaded), so that the security subsystem can evaluate kernel modules loaded by populate_bpffs().

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
1 parent: bdcbabb
commit: eddbb1e
Showing 4 changed files with 17 additions and 0 deletions.