bpf,selinux: Allocate bpf_security_struct per BPF token (0054493e) · Commits · git / linux-nf

security/selinux/hooks.c

+25 −0

Original line number	Diff line number	Diff line
		@@ -6965,6 +6965,29 @@ static void selinux_bpf_prog_free(struct bpf_prog *prog)
		prog->aux->security = NULL;
		kfree(bpfsec);
		}

		static int selinux_bpf_token_create(struct bpf_token token, union bpf_attr attr,
		struct path *path)
		{
		struct bpf_security_struct *bpfsec;

		bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
		if (!bpfsec)
		return -ENOMEM;

		bpfsec->sid = current_sid();
		token->security = bpfsec;

		return 0;
		}

		static void selinux_bpf_token_free(struct bpf_token *token)
		{
		struct bpf_security_struct *bpfsec = token->security;

		token->security = NULL;
		kfree(bpfsec);
		}
		#endif

		struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
		@@ -7328,6 +7351,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
		LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
		LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
		LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
		LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
		#endif

		#ifdef CONFIG_PERF_EVENTS
		@@ -7386,6 +7410,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
		#ifdef CONFIG_BPF_SYSCALL
		LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
		LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
		LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),
		#endif
		#ifdef CONFIG_PERF_EVENTS
		LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),