On Mon, Apr 14, 2025 at 5:32 PM Blaise Boscaccy
wrote:
>
> Alexei Starovoitov writes:
>
> > On Sat, Apr 12, 2025 at 6:58 AM Blaise Boscaccy
> > wrote:
> >>
> >> Alexei Starovoitov writes:
> >>
> >> > On Fri, Apr 4, 2025 at 2:56 PM Blaise Boscaccy
> >> > wrote:
> >> >> +
> >> >> +static int ho
On Mon, Apr 14, 2025 at 4:46 PM Blaise Boscaccy
wrote:
> Paul Moore writes:
> > On Apr 4, 2025 Blaise Boscaccy wrote:
...
> >> +static int hornet_check_binary(struct bpf_prog *prog, union bpf_attr
> >> *attr,
> >> + struct hornet_maps *maps)
> >> +{
> >> +struct
Alexei Starovoitov writes:
> On Sat, Apr 12, 2025 at 6:58 AM Blaise Boscaccy
> wrote:
>>
>> Alexei Starovoitov writes:
>>
>> > On Fri, Apr 4, 2025 at 2:56 PM Blaise Boscaccy
>> > wrote:
>> >> +
>> >> +static int hornet_find_maps(struct bpf_prog *prog, struct hornet_maps
>> >> *maps)
>> >> +{
On Sat, Apr 12, 2025 at 6:58 AM Blaise Boscaccy
wrote:
>
> Alexei Starovoitov writes:
>
> > On Fri, Apr 4, 2025 at 2:56 PM Blaise Boscaccy
> > wrote:
> >> +
> >> +static int hornet_find_maps(struct bpf_prog *prog, struct hornet_maps
> >> *maps)
> >> +{
> >> + struct bpf_insn *insn = prog
Paul Moore writes:
> On Apr 4, 2025 Blaise Boscaccy wrote:
>>
>> This adds the Hornet Linux Security Module which provides signature
>> verification of eBPF programs. This allows users to continue to
>> maintain an invariant that all code running inside of the kernel has
>> been signed.
>>
>>
Tyler Hicks writes:
> On 2025-04-04 14:54:50, Blaise Boscaccy wrote:
>> +static int hornet_verify_lskel(struct bpf_prog *prog, struct hornet_maps
>> *maps,
>> + void *sig, size_t sig_len)
>> +{
>> +int fd;
>> +u32 i;
>> +void *buf;
>> +void *new;
>> +
On Sat, Apr 12, 2025 at 9:58 AM Blaise Boscaccy
wrote:
> Alexei Starovoitov writes:
> > On Fri, Apr 4, 2025 at 2:56 PM Blaise Boscaccy
> > wrote:
...
> > Above are serious layering violations.
> > LSMs should not be looking that deep into bpf instructions.
>
> These aren't BPF internals; this