Add support for the BPF_MAP_TYPE_LANDLOCK_RULESET in the verifier. Mark the map as storing a trusted pointer to a BTF object. Specify the map as being usable from sleepable contexts.
Signed-off-by: Justin Suess
---
 kernel/bpf/verifier.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f108c01ff6d0..52ba58536387 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -493,7 +493,8 @@ static bool is_acquire_function(enum bpf_func_id func_id,
 
 if (func_id == BPF_FUNC_map_lookup_elem &&
 (map_type == BPF_MAP_TYPE_SOCKMAP ||
- map_type == BPF_MAP_TYPE_SOCKHASH))
+ map_type == BPF_MAP_TYPE_SOCKHASH ||
+ map_type == BPF_MAP_TYPE_LANDLOCK_RULESET))
 return true;
 
 return false;
@@ -2269,6 +2270,10 @@ static void mark_ptr_not_null_reg(struct bpf_reg_state *reg)
 } else if (map->map_type == BPF_MAP_TYPE_SOCKMAP ||
 map->map_type == BPF_MAP_TYPE_SOCKHASH) {
 reg->type = PTR_TO_SOCKET;
+ } else if (map->map_type == BPF_MAP_TYPE_LANDLOCK_RULESET) {
+ reg->type = PTR_TO_BTF_ID | PTR_TRUSTED;
+ reg->btf = btf_vmlinux;
+ reg->btf_id = *bpf_landlock_ruleset_btf_ids;
 } else {
 reg->type = PTR_TO_MAP_VALUE;
 }
@@ -10238,6 +10243,13 @@ static int check_map_func_compatibility(struct bpf_verifier_env *env,
 !may_update_sockmap(env, func_id))
 goto error;
 break;
+ case BPF_MAP_TYPE_LANDLOCK_RULESET:
+ if (resolve_prog_type(env->prog) != BPF_PROG_TYPE_LSM)
+ goto error;
+ if (func_id != BPF_FUNC_map_lookup_elem &&
+ func_id != BPF_FUNC_map_delete_elem)
+ goto error;
+ break;
 case BPF_MAP_TYPE_REUSEPORT_SOCKARRAY:
 if (func_id != BPF_FUNC_sk_select_reuseport)
 goto error;
@@ -21662,6 +21674,7 @@ static int check_map_prog_compatibility(struct bpf_verifier_env *env,
 case BPF_MAP_TYPE_ARENA:
 case BPF_MAP_TYPE_INSN_ARRAY:
 case BPF_MAP_TYPE_PROG_ARRAY:
+ case BPF_MAP_TYPE_LANDLOCK_RULESET:
 break;
 default:
 verbose(env,
-- 
2.53.0
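Review bot: In the `is_acquire_function()` hunk, treating `BPF_FUNC_map_lookup_elem` on `BPF_MAP_TYPE_LANDLOCK_RULESET` as an acquire means every successful lookup leaves a reference the program has to drop, and nothing in this patch shows how it is dropped. The sockmap types that share this condition rely on an existing release path; for rulesets the release is presumably added elsewhere in the series, and without it a program that looks up a ruleset would presumably be rejected for an unreleased reference. I would add a comment above the condition that names the pairing, e.g. `/* A ruleset lookup returns a referenced object; released via <release kfunc/helper from this series>. */`. The function body starts and ends outside the hunk.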
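Review bot: In the `mark_ptr_not_null_reg()` hunk, the new branch reads `btf_vmlinux` and `*bpf_landlock_ruleset_btf_ids` with no check, and the definition of that ID list is not part of this diff. If the list can be absent or zero-filled in a build without Landlock or without vmlinux BTF, the register would be marked `PTR_TO_BTF_ID | PTR_TRUSTED` with a meaningless `btf_id`, so please confirm the declaration covers every config and say so in a comment on the branch. Assuming the symbol is a BTF ID list, indexing reads more clearly than dereferencing the array name: `reg->btf_id = bpf_landlock_ruleset_btf_ids[0];`. The function starts and ends outside the hunk.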
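Review bot: In the `check_map_func_compatibility()` hunk, the program-type rejection jumps to the shared `error` label, which lies outside the hunk and appears to report only a map-type/helper mismatch, so a non-LSM program doing a plain lookup gets no hint that the program type is the problem. A dedicated message before that jump would help, e.g. `verbose(env, "landlock ruleset maps can only be used by LSM programs\n");`. The allow-list also admits `BPF_FUNC_map_delete_elem`, so any LSM program that can reference the map may remove ruleset entries. If that is intended, a one-line comment on the case saying so, and why update is excluded, would record the decision.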
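Review bot: In the `check_map_prog_compatibility()` hunk, the new case joins a list that, going by the commit message, admits the map type in sleepable programs, but the patch does not state why that is safe for a map holding referenced rulesets. Sleepable programs may not run under the same RCU protection as non-sleepable ones, so the map's lookup and delete paths (not in this diff) have to keep a ruleset alive when a lookup races with a delete. Once confirmed against the map implementation, I would record that next to the case, e.g. `/* lookup takes a ruleset reference; safe in sleepable progs */`. The enclosing switch starts and ends outside the hunk.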