			Core:
 
  - bpf:
 	- allow bpf programs calling kernel functions (initially to
 	  reuse TCP congestion control implementations)
 	- enable task local storage for tracing programs - remove the
 	  need to store per-task state in hash maps, and allow tracing
 	  programs access to task local storage previously added for
 	  BPF_LSM
 	- add bpf_for_each_map_elem() helper, allowing programs to
 	  walk all map elements in a more robust and easier to verify
 	  fashion
 	- sockmap: support UDP and cross-protocol BPF_SK_SKB_VERDICT
 	  redirection
 	- lpm: add support for batched ops in LPM trie
 	- add BTF_KIND_FLOAT support - mostly to allow use of BTF
 	  on s390 which has floats in its headers files
 	- improve BPF syscall documentation and extend the use of kdoc
 	  parsing scripts we already employ for bpf-helpers
 	- libbpf, bpftool: support static linking of BPF ELF files
 	- improve support for encapsulation of L2 packets
 
  - xdp: restructure redirect actions to avoid a runtime lookup,
 	improving performance by 4-8% in microbenchmarks
 
  - xsk: build skb by page (aka generic zerocopy xmit) - improve
 	performance of software AF_XDP path by 33% for devices
 	which don't need headers in the linear skb part (e.g. virtio)
 
  - nexthop: resilient next-hop groups - improve path stability
 	on next-hops group changes (incl. offload for mlxsw)
 
  - ipv6: segment routing: add support for IPv4 decapsulation
 
  - icmp: add support for RFC 8335 extended PROBE messages
 
  - inet: use bigger hash table for IP ID generation
 
  - tcp: deal better with delayed TX completions - make sure we don't
 	give up on fast TCP retransmissions only because driver is
 	slow in reporting that it completed transmitting the original
 
  - tcp: reorder tcp_congestion_ops for better cache locality
 
  - mptcp:
 	- add sockopt support for common TCP options
 	- add support for common TCP msg flags
 	- include multiple address ids in RM_ADDR
 	- add reset option support for resetting one subflow
 
  - udp: GRO L4 improvements - improve 'forward' / 'frag_list'
 	co-existence with UDP tunnel GRO, allowing the first to take
 	place correctly	even for encapsulated UDP traffic
 
  - micro-optimize dev_gro_receive() and flow dissection, avoid
 	retpoline overhead on VLAN and TEB GRO
 
  - use less memory for sysctls, add a new sysctl type, to allow using
 	u8 instead of "int" and "long" and shrink networking sysctls
 
  - veth: allow GRO without XDP - this allows aggregating UDP
 	packets before handing them off to routing, bridge, OvS, etc.
 
  - allow specifing ifindex when device is moved to another namespace
 
  - netfilter:
 	- nft_socket: add support for cgroupsv2
 	- nftables: add catch-all set element - special element used
 	  to define a default action in case normal lookup missed
 	- use net_generic infra in many modules to avoid allocating
 	  per-ns memory unnecessarily
 
  - xps: improve the xps handling to avoid potential out-of-bound
 	accesses and use-after-free when XPS change race with other
 	re-configuration under traffic
 
  - add a config knob to turn off per-cpu netdev refcnt to catch
 	underflows in testing
 
 Device APIs:
 
  - add WWAN subsystem to organize the WWAN interfaces better and
    hopefully start driving towards more unified and vendor-
    -independent APIs
 
  - ethtool:
 	- add interface for reading IEEE MIB stats (incl. mlx5 and
 	  bnxt support)
 	- allow network drivers to dump arbitrary SFP EEPROM data,
 	  current offset+length API was a poor fit for modern SFP
 	  which define EEPROM in terms of pages (incl. mlx5 support)
 
  - act_police, flow_offload: add support for packet-per-second
 	policing (incl. offload for nfp)
 
  - psample: add additional metadata attributes like transit delay
 	for packets sampled from switch HW (and corresponding egress
 	and policy-based sampling in the mlxsw driver)
 
  - dsa: improve support for sandwiched LAGs with bridge and DSA
 
  - netfilter:
 	- flowtable: use direct xmit in topologies with IP
 	  forwarding, bridging, vlans etc.
 	- nftables: counter hardware offload support
 
  - Bluetooth:
 	- improvements for firmware download w/ Intel devices
 	- add support for reading AOSP vendor capabilities
 	- add support for virtio transport driver
 
  - mac80211:
 	- allow concurrent monitor iface and ethernet rx decap
 	- set priority and queue mapping for injected frames
 
  - phy: add support for Clause-45 PHY Loopback
 
  - pci/iov: add sysfs MSI-X vector assignment interface
 	to distribute MSI-X resources to VFs (incl. mlx5 support)
 
 New hardware/drivers:
 
  - dsa: mv88e6xxx: add support for Marvell mv88e6393x -
 	11-port Ethernet switch with 8x 1-Gigabit Ethernet
 	and 3x 10-Gigabit interfaces.
 
  - dsa: support for legacy Broadcom tags used on BCM5325, BCM5365
 	and BCM63xx switches
 
  - Microchip KSZ8863 and KSZ8873; 3x 10/100Mbps Ethernet switches
 
  - ath11k: support for QCN9074 a 802.11ax device
 
  - Bluetooth: Broadcom BCM4330 and BMC4334
 
  - phy: Marvell 88X2222 transceiver support
 
  - mdio: add BCM6368 MDIO mux bus controller
 
  - r8152: support RTL8153 and RTL8156 (USB Ethernet) chips
 
  - mana: driver for Microsoft Azure Network Adapter (MANA)
 
  - Actions Semi Owl Ethernet MAC
 
  - can: driver for ETAS ES58X CAN/USB interfaces
 
 Pure driver changes:
 
  - add XDP support to: enetc, igc, stmmac
  - add AF_XDP support to: stmmac
 
  - virtio:
 	- page_to_skb() use build_skb when there's sufficient tailroom
 	  (21% improvement for 1000B UDP frames)
 	- support XDP even without dedicated Tx queues - share the Tx
 	  queues with the stack when necessary
 
  - mlx5:
 	- flow rules: add support for mirroring with conntrack,
 	  matching on ICMP, GTP, flex filters and more
 	- support packet sampling with flow offloads
 	- persist uplink representor netdev across eswitch mode
 	  changes
 	- allow coexistence of CQE compression and HW time-stamping
 	- add ethtool extended link error state reporting
 
  - ice, iavf: support flow filters, UDP Segmentation Offload
 
  - dpaa2-switch:
 	- move the driver out of staging
 	- add spanning tree (STP) support
 	- add rx copybreak support
 	- add tc flower hardware offload on ingress traffic
 
  - ionic:
 	- implement Rx page reuse
 	- support HW PTP time-stamping
 
  - octeon: support TC hardware offloads - flower matching on ingress
 	and egress ratelimitting.
 
  - stmmac:
 	- add RX frame steering based on VLAN priority in tc flower
 	- support frame preemption (FPE)
 	- intel: add cross time-stamping freq difference adjustment
 
  - ocelot:
 	- support forwarding of MRP frames in HW
 	- support multiple bridges
 	- support PTP Sync one-step timestamping
 
  - dsa: mv88e6xxx, dpaa2-switch: offload bridge port flags like
 	learning, flooding etc.
 
  - ipa: add IPA v4.5, v4.9 and v4.11 support (Qualcomm SDX55, SM8350,
 	SC7280 SoCs)
 
  - mt7601u: enable TDLS support
 
  - mt76:
 	- add support for 802.3 rx frames (mt7915/mt7615)
 	- mt7915 flash pre-calibration support
 	- mt7921/mt7663 runtime power management fixes
 
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE6jPA+I1ugmIBA4hXMUZtbf5SIrsFAmCKFPIACgkQMUZtbf5S
 Irtw0g/+NA8bWdHNgG4H5rya0pv2z3IieLRmSdDfKRQQXcJpklawc5MKVVaTee/Q
 5/QqgPdCsu1LAU6JXBKsKmyDDaMlQKdWuKbOqDSiAQKoMesZStTEHf9d851ZzgxA
 Cdb6O7BD3lBl/IN+oxNG+KcmD1LKquTPKGySq2mQtEdLO12ekAsranzmj4voKffd
 q9tBShpXQ7Dq77DLYfiQXVCvsizNcbbJFuxX0o9Lpb9+61ZyYAbogZSa9ypiZZwR
 I/9azRBtJg7UV1aD/cLuAfy66Qh7t63+rCxVazs5Os8jVO26P/jQdisnnOe/x+p9
 wYEmKm3GSu0V4SAPxkWW+ooKusflCeqDoMIuooKt6kbP6BRj540veGw3Ww/m5YFr
 7pLQkTSP/tSjuGQIdBE1LOP5LBO8DZeC8Kiop9V0fzAW9hFSZbEq25WW0bPj8QQO
 zA4Z7yWlslvxcfY2BdJX3wD8klaINkl/8fDWZFFsBdfFX2VeLtm7Xfduw34BJpvU
 rYT3oWr6PhtkPAKR32SUcemSfeWgIVU41eSshzRz3kez1NngBUuLlSGGSEaKbes5
 pZVt6pYFFVByyf6MTHFEoQvafZfEw04JILZpo4R5V8iTHzom0kD3Py064sBiXEw2
 B6t+OW4qgcxGblpFkK2lD4kR2s1TPUs0ckVO6sAy1x8q60KKKjY=
 =vcbA
 -----END PGP SIGNATURE-----
Merge tag 'net-next-5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
Pull networking updates from Jakub Kicinski:
 "Core:
   - bpf:
        - allow bpf programs calling kernel functions (initially to
          reuse TCP congestion control implementations)
        - enable task local storage for tracing programs - remove the
          need to store per-task state in hash maps, and allow tracing
          programs access to task local storage previously added for
          BPF_LSM
        - add bpf_for_each_map_elem() helper, allowing programs to walk
          all map elements in a more robust and easier to verify fashion
        - sockmap: support UDP and cross-protocol BPF_SK_SKB_VERDICT
          redirection
        - lpm: add support for batched ops in LPM trie
        - add BTF_KIND_FLOAT support - mostly to allow use of BTF on
          s390 which has floats in its headers files
        - improve BPF syscall documentation and extend the use of kdoc
          parsing scripts we already employ for bpf-helpers
        - libbpf, bpftool: support static linking of BPF ELF files
        - improve support for encapsulation of L2 packets
   - xdp: restructure redirect actions to avoid a runtime lookup,
     improving performance by 4-8% in microbenchmarks
   - xsk: build skb by page (aka generic zerocopy xmit) - improve
     performance of software AF_XDP path by 33% for devices which don't
     need headers in the linear skb part (e.g. virtio)
   - nexthop: resilient next-hop groups - improve path stability on
     next-hops group changes (incl. offload for mlxsw)
   - ipv6: segment routing: add support for IPv4 decapsulation
   - icmp: add support for RFC 8335 extended PROBE messages
   - inet: use bigger hash table for IP ID generation
   - tcp: deal better with delayed TX completions - make sure we don't
     give up on fast TCP retransmissions only because driver is slow in
     reporting that it completed transmitting the original
   - tcp: reorder tcp_congestion_ops for better cache locality
   - mptcp:
        - add sockopt support for common TCP options
        - add support for common TCP msg flags
        - include multiple address ids in RM_ADDR
        - add reset option support for resetting one subflow
   - udp: GRO L4 improvements - improve 'forward' / 'frag_list'
     co-existence with UDP tunnel GRO, allowing the first to take place
     correctly even for encapsulated UDP traffic
   - micro-optimize dev_gro_receive() and flow dissection, avoid
     retpoline overhead on VLAN and TEB GRO
   - use less memory for sysctls, add a new sysctl type, to allow using
     u8 instead of "int" and "long" and shrink networking sysctls
   - veth: allow GRO without XDP - this allows aggregating UDP packets
     before handing them off to routing, bridge, OvS, etc.
   - allow specifying ifindex when device is moved to another namespace
   - netfilter:
        - nft_socket: add support for cgroupsv2
        - nftables: add catch-all set element - special element used to
          define a default action in case normal lookup missed
        - use net_generic infra in many modules to avoid allocating
          per-ns memory unnecessarily
   - xps: improve the xps handling to avoid potential out-of-bound
     accesses and use-after-free when XPS change race with other
     re-configuration under traffic
   - add a config knob to turn off per-cpu netdev refcnt to catch
     underflows in testing
  Device APIs:
   - add WWAN subsystem to organize the WWAN interfaces better and
     hopefully start driving towards more unified and vendor-
     independent APIs
   - ethtool:
        - add interface for reading IEEE MIB stats (incl. mlx5 and bnxt
          support)
        - allow network drivers to dump arbitrary SFP EEPROM data,
          current offset+length API was a poor fit for modern SFP which
          define EEPROM in terms of pages (incl. mlx5 support)
   - act_police, flow_offload: add support for packet-per-second
     policing (incl. offload for nfp)
   - psample: add additional metadata attributes like transit delay for
     packets sampled from switch HW (and corresponding egress and
     policy-based sampling in the mlxsw driver)
   - dsa: improve support for sandwiched LAGs with bridge and DSA
   - netfilter:
        - flowtable: use direct xmit in topologies with IP forwarding,
          bridging, vlans etc.
        - nftables: counter hardware offload support
   - Bluetooth:
        - improvements for firmware download w/ Intel devices
        - add support for reading AOSP vendor capabilities
        - add support for virtio transport driver
   - mac80211:
        - allow concurrent monitor iface and ethernet rx decap
        - set priority and queue mapping for injected frames
   - phy: add support for Clause-45 PHY Loopback
   - pci/iov: add sysfs MSI-X vector assignment interface to distribute
     MSI-X resources to VFs (incl. mlx5 support)
  New hardware/drivers:
   - dsa: mv88e6xxx: add support for Marvell mv88e6393x - 11-port
     Ethernet switch with 8x 1-Gigabit Ethernet and 3x 10-Gigabit
     interfaces.
   - dsa: support for legacy Broadcom tags used on BCM5325, BCM5365 and
     BCM63xx switches
   - Microchip KSZ8863 and KSZ8873; 3x 10/100Mbps Ethernet switches
   - ath11k: support for QCN9074 a 802.11ax device
   - Bluetooth: Broadcom BCM4330 and BMC4334
   - phy: Marvell 88X2222 transceiver support
   - mdio: add BCM6368 MDIO mux bus controller
   - r8152: support RTL8153 and RTL8156 (USB Ethernet) chips
   - mana: driver for Microsoft Azure Network Adapter (MANA)
   - Actions Semi Owl Ethernet MAC
   - can: driver for ETAS ES58X CAN/USB interfaces
  Pure driver changes:
   - add XDP support to: enetc, igc, stmmac
   - add AF_XDP support to: stmmac
   - virtio:
        - page_to_skb() use build_skb when there's sufficient tailroom
          (21% improvement for 1000B UDP frames)
        - support XDP even without dedicated Tx queues - share the Tx
          queues with the stack when necessary
   - mlx5:
        - flow rules: add support for mirroring with conntrack, matching
          on ICMP, GTP, flex filters and more
        - support packet sampling with flow offloads
        - persist uplink representor netdev across eswitch mode changes
        - allow coexistence of CQE compression and HW time-stamping
        - add ethtool extended link error state reporting
   - ice, iavf: support flow filters, UDP Segmentation Offload
   - dpaa2-switch:
        - move the driver out of staging
        - add spanning tree (STP) support
        - add rx copybreak support
        - add tc flower hardware offload on ingress traffic
   - ionic:
        - implement Rx page reuse
        - support HW PTP time-stamping
   - octeon: support TC hardware offloads - flower matching on ingress
     and egress ratelimitting.
   - stmmac:
        - add RX frame steering based on VLAN priority in tc flower
        - support frame preemption (FPE)
        - intel: add cross time-stamping freq difference adjustment
   - ocelot:
        - support forwarding of MRP frames in HW
        - support multiple bridges
        - support PTP Sync one-step timestamping
   - dsa: mv88e6xxx, dpaa2-switch: offload bridge port flags like
     learning, flooding etc.
   - ipa: add IPA v4.5, v4.9 and v4.11 support (Qualcomm SDX55, SM8350,
     SC7280 SoCs)
   - mt7601u: enable TDLS support
   - mt76:
        - add support for 802.3 rx frames (mt7915/mt7615)
        - mt7915 flash pre-calibration support
        - mt7921/mt7663 runtime power management fixes"
* tag 'net-next-5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (2451 commits)
  net: selftest: fix build issue if INET is disabled
  net: netrom: nr_in: Remove redundant assignment to ns
  net: tun: Remove redundant assignment to ret
  net: phy: marvell: add downshift support for M88E1240
  net: dsa: ksz: Make reg_mib_cnt a u8 as it never exceeds 255
  net/sched: act_ct: Remove redundant ct get and check
  icmp: standardize naming of RFC 8335 PROBE constants
  bpf, selftests: Update array map tests for per-cpu batched ops
  bpf: Add batched ops support for percpu array
  bpf: Implement formatted output helpers with bstr_printf
  seq_file: Add a seq_bprintf function
  sfc: adjust efx->xdp_tx_queue_count with the real number of initialized queues
  net:nfc:digital: Fix a double free in digital_tg_recv_dep_req
  net: fix a concurrency bug in l2tp_tunnel_register()
  net/smc: Remove redundant assignment to rc
  mpls: Remove redundant assignment to err
  llc2: Remove redundant assignment to rc
  net/tls: Remove redundant initialization of record
  rds: Remove redundant assignment to nr_sig
  dt-bindings: net: mdio-gpio: add compatible for microchip,mdio-smi0
  ...
// SPDX-License-Identifier: GPL-2.0

/*
 * Copyright (C) 2020 Google LLC.
 */

| #include <linux/filter.h>
 | |
| #include <linux/bpf.h>
 | |
| #include <linux/btf.h>
 | |
| #include <linux/binfmts.h>
 | |
| #include <linux/lsm_hooks.h>
 | |
| #include <linux/bpf_lsm.h>
 | |
| #include <linux/kallsyms.h>
 | |
| #include <linux/bpf_verifier.h>
 | |
| #include <net/bpf_sk_storage.h>
 | |
| #include <linux/bpf_local_storage.h>
 | |
| #include <linux/btf_ids.h>
 | |
| #include <linux/ima.h>
 | |
| 
 | |
/* For every LSM hook that allows attachment of BPF programs, declare a nop
 * function where a BPF program can be attached.
 *
 * RET, DEFAULT and NAME are supplied by <linux/lsm_hook_defs.h>; each
 * expansion emits a noinline bpf_lsm_<NAME>() that merely returns DEFAULT,
 * so the hook does nothing until a program is attached to it.
 */
#define LSM_HOOK(RET, DEFAULT, NAME, ...)	\
noinline RET bpf_lsm_##NAME(__VA_ARGS__)	\
{						\
	return DEFAULT;				\
}

#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK

/* Second expansion of the same definitions: collect the BTF IDs of every
 * bpf_lsm_<NAME>() emitted above into the bpf_lsm_hooks set.
 * bpf_lsm_verify_prog() rejects any attach_btf_id that is not in this set,
 * so these generated functions are the only valid LSM attach targets.
 */
#define LSM_HOOK(RET, DEFAULT, NAME, ...) BTF_ID(func, bpf_lsm_##NAME)
BTF_SET_START(bpf_lsm_hooks)
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
BTF_SET_END(bpf_lsm_hooks)

/**
 * bpf_lsm_verify_prog - load-time checks for an LSM BPF program
 * @vlog: verifier log that receives the reason for a rejection
 * @prog: program being loaded
 *
 * A program is rejected unless it carries a GPL-compatible license and its
 * attach_btf_id names one of the bpf_lsm_*() functions collected in the
 * bpf_lsm_hooks set, i.e. an LSM program can only be attached to the hook
 * stubs generated in this file.
 *
 * Return: 0 if the program is acceptable, -EINVAL otherwise.
 */
int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
			const struct bpf_prog *prog)
{
	const struct bpf_prog_aux *aux = prog->aux;
	bool known_hook;

	if (!prog->gpl_compatible) {
		bpf_log(vlog,
			"LSM programs must have a GPL compatible license\n");
		return -EINVAL;
	}

	known_hook = btf_id_set_contains(&bpf_lsm_hooks, aux->attach_btf_id);
	if (!known_hook) {
		bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",
			aux->attach_btf_id, aux->attach_func_name);
		return -EINVAL;
	}

	return 0;
}

/* Mask for all the currently supported BPRM option flags.
 * bpf_bprm_opts_set() fails with -EINVAL on any flag bit outside this mask,
 * so a new BPF_F_BPRM_* flag has to be OR-ed in here before programs can use
 * it.
 */
#define BPF_F_BRPM_OPTS_MASK	BPF_F_BPRM_SECUREEXEC

/*
 * bpf_bprm_opts_set - helper letting an LSM program set exec options
 * @bprm: the binprm of the exec in progress
 * @flags: BPF_F_BPRM_* bits requested by the program
 *
 * Only the bits in BPF_F_BRPM_OPTS_MASK are accepted; any other bit fails
 * the whole call, so a program cannot silently request an option this kernel
 * does not implement. bprm->secureexec is then assigned from the
 * BPF_F_BPRM_SECUREEXEC bit (and is therefore cleared when the bit is absent).
 *
 * Return: 0 on success, -EINVAL if @flags contains unsupported bits.
 */
BPF_CALL_2(bpf_bprm_opts_set, struct linux_binprm *, bprm, u64, flags)
{
	u64 unsupported = flags & ~BPF_F_BRPM_OPTS_MASK;

	if (unsupported)
		return -EINVAL;

	bprm->secureexec = (flags & BPF_F_BPRM_SECUREEXEC);
	return 0;
}

/* BTF ID of struct linux_binprm, used to type-check the helper's first arg. */
BTF_ID_LIST_SINGLE(bpf_bprm_opts_set_btf_ids, struct, linux_binprm)

/* Verifier-facing description of bpf_bprm_opts_set(): arg1 must be a
 * BTF-typed pointer to a struct linux_binprm (the ID above); arg2 is
 * ARG_ANYTHING, i.e. the verifier places no constraint on it and the helper
 * body validates it against BPF_F_BRPM_OPTS_MASK itself.
 */
static const struct bpf_func_proto bpf_bprm_opts_set_proto = {
	.func		= bpf_bprm_opts_set,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_BTF_ID,
	.arg1_btf_id	= &bpf_bprm_opts_set_btf_ids[0],
	.arg2_type	= ARG_ANYTHING,
};

/*
 * bpf_ima_inode_hash - expose an inode's IMA hash to a sleepable LSM program
 * @inode: inode whose IMA hash is requested
 * @dst: buffer the hash is written to
 * @size: size of @dst in bytes (declared ARG_CONST_SIZE in the proto)
 *
 * Thin forwarder to ima_inode_hash(); all the work happens there. The
 * helper is only handed out to sleepable programs, see bpf_lsm_func_proto()
 * and bpf_ima_inode_hash_allowed().
 *
 * Return: whatever ima_inode_hash() returns.
 */
BPF_CALL_3(bpf_ima_inode_hash, struct inode *, inode, void *, dst, u32, size)
{
	int ret;

	ret = ima_inode_hash(inode, dst, size);
	return ret;
}

/*
 * bpf_ima_inode_hash_allowed - .allowed callback of bpf_ima_inode_hash_proto
 * @prog: program that wants to call the helper
 *
 * bpf_lsm_func_proto() already limits the helper to sleepable programs; this
 * callback additionally requires the program's attach point to be one of the
 * hooks listed in sleepable_lsm_hooks.
 *
 * Return: true if @prog is attached to a sleepable LSM hook.
 */
static bool bpf_ima_inode_hash_allowed(const struct bpf_prog *prog)
{
	u32 hook_id = prog->aux->attach_btf_id;

	return bpf_lsm_is_sleepable_hook(hook_id);
}

/* BTF ID of struct inode, used to type-check the helper's first arg. */
BTF_ID_LIST_SINGLE(bpf_ima_inode_hash_btf_ids, struct, inode)

/* Verifier-facing description of bpf_ima_inode_hash(): arg1 is a BTF-typed
 * pointer to a struct inode; arg2/arg3 are declared as an (uninitialized)
 * memory region plus its constant size, the usual pairing that lets the
 * verifier bound the write the helper does into @dst. .allowed further
 * restricts the helper to sleepable attach points.
 */
static const struct bpf_func_proto bpf_ima_inode_hash_proto = {
	.func		= bpf_ima_inode_hash,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_BTF_ID,
	.arg1_btf_id	= &bpf_ima_inode_hash_btf_ids[0],
	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg3_type	= ARG_CONST_SIZE,
	.allowed	= bpf_ima_inode_hash_allowed,
};

/*
 * bpf_lsm_func_proto - resolve the helper an LSM program may call
 * @func_id: helper requested by the program
 * @prog: the program being verified
 *
 * LSM-specific helpers are resolved here; everything else is delegated to
 * tracing_prog_func_proto(). bpf_ima_inode_hash is handed out only to
 * sleepable programs; a non-sleepable program gets NULL for it.
 *
 * Return: the helper prototype, or NULL if the helper is not available to
 * @prog.
 */
static const struct bpf_func_proto *
bpf_lsm_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
	/* The one helper whose availability depends on the program itself,
	 * not only on the program type.
	 */
	if (func_id == BPF_FUNC_ima_inode_hash)
		return prog->aux->sleepable ? &bpf_ima_inode_hash_proto : NULL;

	switch (func_id) {
	case BPF_FUNC_inode_storage_get:
		return &bpf_inode_storage_get_proto;
	case BPF_FUNC_inode_storage_delete:
		return &bpf_inode_storage_delete_proto;
	case BPF_FUNC_sk_storage_get:
		return &bpf_sk_storage_get_proto;
	case BPF_FUNC_sk_storage_delete:
		return &bpf_sk_storage_delete_proto;
	case BPF_FUNC_spin_lock:
		return &bpf_spin_lock_proto;
	case BPF_FUNC_spin_unlock:
		return &bpf_spin_unlock_proto;
	case BPF_FUNC_bprm_opts_set:
		return &bpf_bprm_opts_set_proto;
	default:
		return tracing_prog_func_proto(func_id, prog);
	}
}

/* The set of hooks which are called without pagefaults disabled and are allowed
 * to "sleep" and thus can be used for sleepable BPF programs.
 *
 * Membership is queried through bpf_lsm_is_sleepable_hook(); within this file
 * that gates bpf_ima_inode_hash() via its .allowed callback, other callers
 * live elsewhere. A hook missing from this list is simply treated as
 * non-sleepable, so keep it in step with <linux/lsm_hook_defs.h> when a hook
 * gains or loses the ability to sleep.
 */
BTF_SET_START(sleepable_lsm_hooks)
BTF_ID(func, bpf_lsm_bpf)
BTF_ID(func, bpf_lsm_bpf_map)
BTF_ID(func, bpf_lsm_bpf_map_alloc_security)
BTF_ID(func, bpf_lsm_bpf_map_free_security)
BTF_ID(func, bpf_lsm_bpf_prog)
BTF_ID(func, bpf_lsm_bprm_check_security)
BTF_ID(func, bpf_lsm_bprm_committed_creds)
BTF_ID(func, bpf_lsm_bprm_committing_creds)
BTF_ID(func, bpf_lsm_bprm_creds_for_exec)
BTF_ID(func, bpf_lsm_bprm_creds_from_file)
BTF_ID(func, bpf_lsm_capget)
BTF_ID(func, bpf_lsm_capset)
BTF_ID(func, bpf_lsm_cred_prepare)
BTF_ID(func, bpf_lsm_file_ioctl)
BTF_ID(func, bpf_lsm_file_lock)
BTF_ID(func, bpf_lsm_file_open)
BTF_ID(func, bpf_lsm_file_receive)

#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_inet_conn_established)
#endif /* CONFIG_SECURITY_NETWORK */

BTF_ID(func, bpf_lsm_inode_create)
BTF_ID(func, bpf_lsm_inode_free_security)
BTF_ID(func, bpf_lsm_inode_getattr)
BTF_ID(func, bpf_lsm_inode_getxattr)
BTF_ID(func, bpf_lsm_inode_mknod)
BTF_ID(func, bpf_lsm_inode_need_killpriv)
BTF_ID(func, bpf_lsm_inode_post_setxattr)
BTF_ID(func, bpf_lsm_inode_readlink)
BTF_ID(func, bpf_lsm_inode_rename)
BTF_ID(func, bpf_lsm_inode_rmdir)
BTF_ID(func, bpf_lsm_inode_setattr)
BTF_ID(func, bpf_lsm_inode_setxattr)
BTF_ID(func, bpf_lsm_inode_symlink)
BTF_ID(func, bpf_lsm_inode_unlink)
BTF_ID(func, bpf_lsm_kernel_module_request)
BTF_ID(func, bpf_lsm_kernfs_init_security)

#ifdef CONFIG_KEYS
BTF_ID(func, bpf_lsm_key_free)
#endif /* CONFIG_KEYS */

BTF_ID(func, bpf_lsm_mmap_file)
BTF_ID(func, bpf_lsm_netlink_send)
BTF_ID(func, bpf_lsm_path_notify)
BTF_ID(func, bpf_lsm_release_secctx)
BTF_ID(func, bpf_lsm_sb_alloc_security)
BTF_ID(func, bpf_lsm_sb_eat_lsm_opts)
BTF_ID(func, bpf_lsm_sb_kern_mount)
BTF_ID(func, bpf_lsm_sb_mount)
BTF_ID(func, bpf_lsm_sb_remount)
BTF_ID(func, bpf_lsm_sb_set_mnt_opts)
BTF_ID(func, bpf_lsm_sb_show_options)
BTF_ID(func, bpf_lsm_sb_statfs)
BTF_ID(func, bpf_lsm_sb_umount)
BTF_ID(func, bpf_lsm_settime)

#ifdef CONFIG_SECURITY_NETWORK
BTF_ID(func, bpf_lsm_socket_accept)
BTF_ID(func, bpf_lsm_socket_bind)
BTF_ID(func, bpf_lsm_socket_connect)
BTF_ID(func, bpf_lsm_socket_create)
BTF_ID(func, bpf_lsm_socket_getpeername)
BTF_ID(func, bpf_lsm_socket_getpeersec_dgram)
BTF_ID(func, bpf_lsm_socket_getsockname)
BTF_ID(func, bpf_lsm_socket_getsockopt)
BTF_ID(func, bpf_lsm_socket_listen)
BTF_ID(func, bpf_lsm_socket_post_create)
BTF_ID(func, bpf_lsm_socket_recvmsg)
BTF_ID(func, bpf_lsm_socket_sendmsg)
BTF_ID(func, bpf_lsm_socket_shutdown)
BTF_ID(func, bpf_lsm_socket_socketpair)
#endif /* CONFIG_SECURITY_NETWORK */

BTF_ID(func, bpf_lsm_syslog)
BTF_ID(func, bpf_lsm_task_alloc)
BTF_ID(func, bpf_lsm_task_getsecid_subj)
BTF_ID(func, bpf_lsm_task_getsecid_obj)
BTF_ID(func, bpf_lsm_task_prctl)
BTF_ID(func, bpf_lsm_task_setscheduler)
BTF_ID(func, bpf_lsm_task_to_inode)
BTF_SET_END(sleepable_lsm_hooks)

/**
 * bpf_lsm_is_sleepable_hook - check whether an LSM hook may sleep
 * @btf_id: BTF ID of a bpf_lsm_*() hook function
 *
 * Return: true if @btf_id is a member of sleepable_lsm_hooks, false
 * otherwise (including for IDs that are not LSM hooks at all).
 */
bool bpf_lsm_is_sleepable_hook(u32 btf_id)
{
	const struct btf_id_set *sleepable = &sleepable_lsm_hooks;

	return btf_id_set_contains(sleepable, btf_id);
}

/* LSM programs need no program-type specific prog ops; all type-specific
 * behaviour lives in lsm_verifier_ops below.
 */
const struct bpf_prog_ops lsm_prog_ops = {
};

/* Verifier hooks for LSM programs: helper lookup goes through the LSM-aware
 * bpf_lsm_func_proto(), and context (hook argument) access is checked by
 * the generic BTF-typed btf_ctx_access().
 */
const struct bpf_verifier_ops lsm_verifier_ops = {
	.get_func_proto = bpf_lsm_func_proto,
	.is_valid_access = btf_ctx_access,
};