[v2] device_cgroup: guard mknod for non-initial user namespace

[RESEND RFC PATCH v2 12/14] bpf: Add flag BPF_DEVCG_ACC_MKNOD_UNS for device access

Posted by Michael Weiß 2 years, 1 month ago

With this new flag for bpf cgroup device programs, it should be
possible to guard mknod() access in non-initial user namespaces
later on.

Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
---
 include/uapi/linux/bpf.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 0448700890f7..0196b9c72d3e 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -6927,6 +6927,7 @@ enum {
 	BPF_DEVCG_ACC_MKNOD	= (1ULL << 0),
 	BPF_DEVCG_ACC_READ	= (1ULL << 1),
 	BPF_DEVCG_ACC_WRITE	= (1ULL << 2),
+	BPF_DEVCG_ACC_MKNOD_UNS	= (1ULL << 3),
 };
 
 enum {
-- 
2.30.2

[RESEND RFC PATCH v2 01/14] device_cgroup: Implement devcgroup hooks as lsm security hooks
[RESEND RFC PATCH v2 02/14] vfs: Remove explicit devcgroup_inode calls
[RESEND RFC PATCH v2 03/14] device_cgroup: Remove explicit devcgroup_inode hooks
[RESEND RFC PATCH v2 04/14] lsm: Add security_dev_permission() hook
[RESEND RFC PATCH v2 05/14] device_cgroup: Implement dev_permission() hook
[RESEND RFC PATCH v2 06/14] block: Switch from devcgroup_check_permission to security hook
[RESEND RFC PATCH v2 07/14] drm/amdkfd: Switch from devcgroup_check_permission to security hook
[RESEND RFC PATCH v2 08/14] device_cgroup: Hide devcgroup functionality completely in lsm
[RESEND RFC PATCH v2 09/14] lsm: Add security_inode_mknod_nscap() hook
[RESEND RFC PATCH v2 10/14] lsm: Add security_sb_alloc_userns() hook
[RESEND RFC PATCH v2 11/14] vfs: Wire up security hooks for lsm-based device guard in userns
[RESEND RFC PATCH v2 12/14] bpf: Add flag BPF_DEVCG_ACC_MKNOD_UNS for device access
[RESEND RFC PATCH v2 13/14] bpf: cgroup: Introduce helper cgroup_bpf_current_enabled()
[RESEND RFC PATCH v2 14/14] device_cgroup: Allow mknod in non-initial userns if guarded