bpf: Add _kernel suffix to internal lockdown_bpf_read

author Daniel Borkmann <daniel@iogearbox.net>

Mon, 9 Aug 2021 19:45:32 +0000 (21:45 +0200)

committer Daniel Borkmann <daniel@iogearbox.net>

Mon, 9 Aug 2021 19:50:41 +0000 (21:50 +0200)
author Daniel Borkmann <daniel@iogearbox.net>
Mon, 9 Aug 2021 19:45:32 +0000 (21:45 +0200)
committer Daniel Borkmann <daniel@iogearbox.net>
Mon, 9 Aug 2021 19:50:41 +0000 (21:50 +0200)
diff --git a/include/linux/security.h b/include/linux/security.h

index 24eda04221e9934a482d42ffbc937a454a22fc06..724d7a4a0c9138f76de841c0c93cbf2fc549491b 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -123,7 +123,7 @@ enum lockdown_reason {
         LOCKDOWN_INTEGRITY_MAX,
         LOCKDOWN_KCORE,
         LOCKDOWN_KPROBES,
-       LOCKDOWN_BPF_READ,
+       LOCKDOWN_BPF_READ_KERNEL,
         LOCKDOWN_PERF,
         LOCKDOWN_TRACEFS,
         LOCKDOWN_XMON_RW,
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c

index 62cf0038391040e20520b5a9bb04f20ae50db5f1..0b04553e8c447cd757a117f8065373ba9dd5defe 100644 (file)
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1070,12 +1070,12 @@ bpf_base_func_proto(enum bpf_func_id func_id)
         case BPF_FUNC_probe_read_user:
                 return &bpf_probe_read_user_proto;
         case BPF_FUNC_probe_read_kernel:
-               return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
+               return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
                        NULL : &bpf_probe_read_kernel_proto;
         case BPF_FUNC_probe_read_user_str:
                 return &bpf_probe_read_user_str_proto;
         case BPF_FUNC_probe_read_kernel_str:
-               return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
+               return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
                        NULL : &bpf_probe_read_kernel_str_proto;
         case BPF_FUNC_snprintf_btf:
                 return &bpf_snprintf_btf_proto;
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c

index b4916ef388ad1fbdd476e04de9e6e45c0e3e369b..1836591197a50072772a643797d3e53b5b59017b 100644 (file)
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -999,19 +999,19 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
         case BPF_FUNC_probe_read_user:
                 return &bpf_probe_read_user_proto;
         case BPF_FUNC_probe_read_kernel:
-               return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
+               return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
                        NULL : &bpf_probe_read_kernel_proto;
         case BPF_FUNC_probe_read_user_str:
                 return &bpf_probe_read_user_str_proto;
         case BPF_FUNC_probe_read_kernel_str:
-               return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
+               return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
                        NULL : &bpf_probe_read_kernel_str_proto;
  #ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
         case BPF_FUNC_probe_read:
-               return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
+               return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
                        NULL : &bpf_probe_read_compat_proto;
         case BPF_FUNC_probe_read_str:
-               return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
+               return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
                        NULL : &bpf_probe_read_compat_str_proto;
  #endif
  #ifdef CONFIG_CGROUPS
diff --git a/security/security.c b/security/security.c

index 09533cbb7221db776753b62d70699b1b1b22a606..6b83ab4e9d66f3b954280c249e59010ef9e0892a 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -61,7 +61,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
         [LOCKDOWN_INTEGRITY_MAX] = "integrity",
         [LOCKDOWN_KCORE] = "/proc/kcore access",
         [LOCKDOWN_KPROBES] = "use of kprobes",
-       [LOCKDOWN_BPF_READ] = "use of bpf to read kernel RAM",
+       [LOCKDOWN_BPF_READ_KERNEL] = "use of bpf to read kernel RAM",
         [LOCKDOWN_PERF] = "unsafe use of perf",
         [LOCKDOWN_TRACEFS] = "use of tracefs",
         [LOCKDOWN_XMON_RW] = "xmon read and write access",
author	Daniel Borkmann <daniel@iogearbox.net>
	Mon, 9 Aug 2021 19:45:32 +0000 (21:45 +0200)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Mon, 9 Aug 2021 19:50:41 +0000 (21:50 +0200)
include/linux/security.h		patch \| blob \| history
kernel/bpf/helpers.c		patch \| blob \| history
kernel/trace/bpf_trace.c		patch \| blob \| history
security/security.c		patch \| blob \| history