€•cd      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ /translations/zh_CN/bpf/prog_lsm”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/zh_TW/bpf/prog_lsm”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/it_IT/bpf/prog_lsm”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/ja_JP/bpf/prog_lsm”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/ko_KR/bpf/prog_lsm”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/sp_SP/bpf/prog_lsm”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ!SPDX-License-Identifier: GPL-2.0+”h]”hŒ!SPDX-License-Identifier: GPL-2.0+”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒ:/var/lib/git/docbuild/linux/Documentation/bpf/prog_lsm.rst”h Kubh¢)”}”(hŒCopyright (C) 2020 Google LLC.”h]”hŒCopyright (C) 2020 Google LLC.”…””}”hh´sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hhhžhhŸh³h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒLSM BPF Programs”h]”hŒLSM BPF Programs”…””}”(hhÉhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhhÄhžhhŸh³h KubhŒ	paragraph”“”)”}”(hŒ¬These BPF programs allow runtime instrumentation of the LSM hooks by privileged
users to implement system-wide MAC (Mandatory Access Control) and Audit
policies using eBPF.”h]”hŒ¬These BPF programs allow runtime instrumentation of the LSM hooks by privileged
users to implement system-wide MAC (Mandatory Access Control) and Audit
policies using eBPF.”…””}”(hhÙhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhhÄhžhubhÃ)”}”(hhh]”(hÈ)”}”(hŒ	Structure”h]”hŒ	Structure”…””}”(hhêhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhhçhžhhŸh³h KubhØ)”}”(hŒYThe example shows an eBPF program that can be attached to the ``file_mprotect``
LSM hook:”h]”(hŒ>The example shows an eBPF program that can be attached to the ”…””}”(hhøhžhhŸNh NubhŒliteral”“”)”}”(hŒ``file_mprotect``”h]”hŒfile_mprotect”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hhøubhŒ

LSM hook:”…””}”(hhøhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Khhçhžhubh Œindex”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œentries”]”(Œsingle”Œfile_mprotect (C function)”Œc.file_mprotect”hNt”auh1j  hhçhžhhŸNh Nubh Œdesc”“”)”}”(hhh]”(h Œdesc_signature”“”)”}”(hŒYint file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot);”h]”h Œdesc_signature_line”“”)”}”(hŒYint file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot);”h]”(h Œdesc_sig_keyword_type”“”)”}”(hŒint”h]”hŒint”…””}”(hj>  hžhhŸNh Nubah}”(h]”h ]”Œkt”ah"]”h$]”h&]”uh1j<  hj8  hžhhŸh³h Kubh Œdesc_sig_space”“”)”}”(hŒ ”h]”hŒ ”…””}”(hjO  hžhhŸNh Nubah}”(h]”h ]”Œw”ah"]”h$]”h&]”uh1jM  hj8  hžhhŸh³h Kubh Œ	desc_name”“”)”}”(hŒfile_mprotect”h]”h Œdesc_sig_name”“”)”}”(hŒfile_mprotect”h]”hŒfile_mprotect”…””}”(hjf  hžhhŸNh Nubah}”(h]”h ]”Œn”ah"]”h$]”h&]”uh1jd  hj`  ubah}”(h]”h ]”(Œsig-name”Œdescname”eh"]”h$]”h&]”h±h²uh1j^  hj8  hžhhŸh³h Kubh Œdesc_parameterlist”“”)”}”(hŒG(struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot)”h]”(h Œdesc_parameter”“”)”}”(hŒstruct vm_area_struct *vma”h]”(h Œdesc_sig_keyword”“”)”}”(hŒstruct”h]”hŒstruct”…””}”(hj‹  hžhhŸNh Nubah}”(h]”h ]”Œk”ah"]”h$]”h&]”uh1j‰  hj…  ubjN  )”}”(hŒ ”h]”hŒ ”…””}”(hjš  hžhhŸNh Nubah}”(h]”h ]”jZ  ah"]”h$]”h&]”uh1jM  hj…  ubh)”}”(hhh]”je  )”}”(hŒvm_area_struct”h]”hŒvm_area_struct”…””}”(hj«  hžhhŸNh Nubah}”(h]”h ]”jq  ah"]”h$]”h&]”uh1jd  hj¨  ubah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”Œc”Œreftype”Œ
identifier”Œ	reftarget”j­  Œmodname”NŒ	classname”NŒc:parent_key”Œsphinx.domains.c”Œ	LookupKey”“”)”}”Œdata”]”jÇ  ŒASTIdentifier”“”)”}”jÂ  jh  sbŒc.file_mprotect”†”asbuh1hhj…  ubjN  )”}”(hŒ ”h]”hŒ ”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”jZ  ah"]”h$]”h&]”uh1jM  hj…  ubh Œdesc_sig_punctuation”“”)”}”(hŒ*”h]”hŒ*”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”Œp”ah"]”h$]”h&]”uh1jâ  hj…  ubje  )”}”(hŒvma”h]”hŒvma”…””}”(hjó  hžhhŸNh Nubah}”(h]”h ]”jq  ah"]”h$]”h&]”uh1jd  hj…  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jƒ  hj  ubj„  )”}”(hŒunsigned long reqprot”h]”(j=  )”}”(hŒunsigned”h]”hŒunsigned”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”jI  ah"]”h$]”h&]”uh1j<  hj  ubjN  )”}”(hŒ ”h]”hŒ ”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”jZ  ah"]”h$]”h&]”uh1jM  hj  ubj=  )”}”(hŒlong”h]”hŒlong”…””}”(hj(  hžhhŸNh Nubah}”(h]”h ]”jI  ah"]”h$]”h&]”uh1j<  hj  ubjN  )”}”(hŒ ”h]”hŒ ”…””}”(hj6  hžhhŸNh Nubah}”(h]”h ]”jZ  ah"]”h$]”h&]”uh1jM  hj  ubje  )”}”(hŒreqprot”h]”hŒreqprot”…””}”(hjD  hžhhŸNh Nubah}”(h]”h ]”jq  ah"]”h$]”h&]”uh1jd  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jƒ  hj  ubj„  )”}”(hŒunsigned long prot”h]”(j=  )”}”(hŒunsigned”h]”hŒunsigned”…””}”(hj]  hžhhŸNh Nubah}”(h]”h ]”jI  ah"]”h$]”h&]”uh1j<  hjY  ubjN  )”}”(hŒ ”h]”hŒ ”…””}”(hjk  hžhhŸNh Nubah}”(h]”h ]”jZ  ah"]”h$]”h&]”uh1jM  hjY  ubj=  )”}”(hŒlong”h]”hŒlong”…””}”(hjy  hžhhŸNh Nubah}”(h]”h ]”jI  ah"]”h$]”h&]”uh1j<  hjY  ubjN  )”}”(hŒ ”h]”hŒ ”…””}”(hj‡  hžhhŸNh Nubah}”(h]”h ]”jZ  ah"]”h$]”h&]”uh1jM  hjY  ubje  )”}”(hŒprot”h]”hŒprot”…””}”(hj•  hžhhŸNh Nubah}”(h]”h ]”jq  ah"]”h$]”h&]”uh1jd  hjY  ubeh}”(h]”h ]”h"]”h$]”h&]”Œnoemph”ˆh±h²uh1jƒ  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j}  hj8  hžhhŸh³h Kubjã  )”}”(hŒ;”h]”hŒ;”…””}”(hj°  hžhhŸNh Nubah}”(h]”h ]”jï  ah"]”h$]”h&]”uh1jâ  hj8  hžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”h±h²Œadd_permalink”ˆuh1j6  Œsphinx_line_type”Œ
declarator”hj2  hžhhŸh³h Kubah}”(h]”j)  ah ]”(Œsig”Œ
sig-object”eh"]”h$]”h&]”Œis_multiline”ˆŒ
_toc_parts”)Œ	_toc_name”huh1j0  hŸh³h Khj-  hžhubh Œdesc_content”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”uh1jÒ  hj-  hžhhŸh³h Kubeh}”(h]”h ]”(jÀ  Œfunction”eh"]”h$]”h&]”Œdomain”jÀ  Œobjtype”jà  Œdesctype”jà  Œnoindex”‰Œnoindexentry”‰Œnocontentsentry”‰uh1j+  hžhhhçhŸNh NubhØ)”}”(hŒROther LSM hooks which can be instrumented can be found in
``security/security.c``.”h]”(hŒ:Other LSM hooks which can be instrumented can be found in
”…””}”(hjê  hžhhŸNh Nubj  )”}”(hŒ``security/security.c``”h]”hŒsecurity/security.c”…””}”(hjò  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hjê  ubhŒ.”…””}”(hjê  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhhçhžhubhØ)”}”(hX  eBPF programs that use Documentation/bpf/btf.rst do not need to include kernel
headers for accessing information from the attached eBPF program's context.
They can simply declare the structures in the eBPF program and only specify
the fields that need to be accessed.”h]”hX  eBPF programs that use Documentation/bpf/btf.rst do not need to include kernel
headers for accessing information from the attached eBPF programâ€™s context.
They can simply declare the structures in the eBPF program and only specify
the fields that need to be accessed.”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhhçhžhubhŒliteral_block”“”)”}”(hX.  struct mm_struct {
        unsigned long start_brk, brk, start_stack;
} __attribute__((preserve_access_index));

struct vm_area_struct {
        unsigned long start_brk, brk, start_stack;
        unsigned long vm_start, vm_end;
        struct mm_struct *vm_mm;
} __attribute__((preserve_access_index));”h]”hX.  struct mm_struct {
        unsigned long start_brk, brk, start_stack;
} __attribute__((preserve_access_index));

struct vm_area_struct {
        unsigned long start_brk, brk, start_stack;
        unsigned long vm_start, vm_end;
        struct mm_struct *vm_mm;
} __attribute__((preserve_access_index));”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²Œforce”‰Œlanguage”jÀ  Œhighlight_args”}”uh1j  hŸh³h KhhçhžhubhŒnote”“”)”}”(hŒ&The order of the fields is irrelevant.”h]”hØ)”}”(hj0  h]”hŒ&The order of the fields is irrelevant.”…””}”(hj2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K)hj.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  hhçhžhhŸh³h NubhØ)”}”(hŒ}This can be further simplified (if one has access to the BTF information at
build time) by generating the ``vmlinux.h`` with:”h]”(hŒjThis can be further simplified (if one has access to the BTF information at
build time) by generating the ”…””}”(hjE  hžhhŸNh Nubj  )”}”(hŒ``vmlinux.h``”h]”hŒ	vmlinux.h”…””}”(hjM  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hjE  ubhŒ with:”…””}”(hjE  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K+hhçhžhubj  )”}”(hŒB# bpftool btf dump file <path-to-btf-vmlinux> format c > vmlinux.h”h]”hŒB# bpftool btf dump file <path-to-btf-vmlinux> format c > vmlinux.h”…””}”hje  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²j(  ‰j)  Œconsole”j*  }”uh1j  hŸh³h K.hhçhžhubj-  )”}”(hŒ``path-to-btf-vmlinux`` can be ``/sys/kernel/btf/vmlinux`` if the
build environment matches the environment the BPF programs are
deployed in.”h]”hØ)”}”(hŒ``path-to-btf-vmlinux`` can be ``/sys/kernel/btf/vmlinux`` if the
build environment matches the environment the BPF programs are
deployed in.”h]”(j  )”}”(hŒ``path-to-btf-vmlinux``”h]”hŒpath-to-btf-vmlinux”…””}”(hj}  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hjy  ubhŒ can be ”…””}”(hjy  hžhhŸNh Nubj  )”}”(hŒ``/sys/kernel/btf/vmlinux``”h]”hŒ/sys/kernel/btf/vmlinux”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hjy  ubhŒS if the
build environment matches the environment the BPF programs are
deployed in.”…””}”(hjy  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K2hju  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j,  hhçhžhhŸh³h NubhØ)”}”(hŒpThe ``vmlinux.h`` can then simply be included in the BPF programs without
requiring the definition of the types.”h]”(hŒThe ”…””}”(hj­  hžhhŸNh Nubj  )”}”(hŒ``vmlinux.h``”h]”hŒ	vmlinux.h”…””}”(hjµ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj­  ubhŒ_ can then simply be included in the BPF programs without
requiring the definition of the types.”…””}”(hj­  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K6hhçhžhubhØ)”}”(hŒzThe eBPF programs can be declared using the``BPF_PROG``
macros defined in `tools/lib/bpf/bpf_tracing.h`_. In this
example:”h]”(hŒJThe eBPF programs can be declared using the``BPF_PROG``
macros defined in ”…””}”(hjÍ  hžhhŸNh NubhŒ	reference”“”)”}”(hŒ`tools/lib/bpf/bpf_tracing.h`_”h]”hŒtools/lib/bpf/bpf_tracing.h”…””}”(hj×  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œtools/lib/bpf/bpf_tracing.h”Œrefuri”Œahttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/lib/bpf/bpf_tracing.h”uh1jÕ  hjÍ  Œresolved”KubhŒ. In this
example:”…””}”(hjÍ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K9hhçhžhubhŒblock_quote”“”)”}”(hŒ* ``"lsm/file_mprotect"`` indicates the LSM hook that the program must
  be attached to
* ``mprotect_audit`` is the name of the eBPF program
”h]”hŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒS``"lsm/file_mprotect"`` indicates the LSM hook that the program must
be attached to”h]”hØ)”}”(hŒS``"lsm/file_mprotect"`` indicates the LSM hook that the program must
be attached to”h]”(j  )”}”(hŒ``"lsm/file_mprotect"``”h]”hŒ"lsm/file_mprotect"”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj  ubhŒ< indicates the LSM hook that the program must
be attached to”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K=hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÿ  hjü  ubj   )”}”(hŒ3``mprotect_audit`` is the name of the eBPF program
”h]”hØ)”}”(hŒ2``mprotect_audit`` is the name of the eBPF program”h]”(j  )”}”(hŒ``mprotect_audit``”h]”hŒmprotect_audit”…””}”(hj/  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj+  ubhŒ  is the name of the eBPF program”…””}”(hj+  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K?hj'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jÿ  hjü  ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”jæ  uh1jú  hŸh³h K=hjö  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jô  hŸh³h K=hhçhžhubj  )”}”(hXi  SEC("lsm/file_mprotect")
int BPF_PROG(mprotect_audit, struct vm_area_struct *vma,
             unsigned long reqprot, unsigned long prot, int ret)
{
        /* ret is the return value from the previous BPF program
         * or 0 if it's the first hook.
         */
        if (ret != 0)
                return ret;

        int is_heap;

        is_heap = (vma->vm_start >= vma->vm_mm->start_brk &&
                   vma->vm_end <= vma->vm_mm->brk);

        /* Return an -EPERM or write information to the perf events buffer
         * for auditing
         */
        if (is_heap)
                return -EPERM;
}”h]”hXi  SEC("lsm/file_mprotect")
int BPF_PROG(mprotect_audit, struct vm_area_struct *vma,
             unsigned long reqprot, unsigned long prot, int ret)
{
        /* ret is the return value from the previous BPF program
         * or 0 if it's the first hook.
         */
        if (ret != 0)
                return ret;

        int is_heap;

        is_heap = (vma->vm_start >= vma->vm_mm->start_brk &&
                   vma->vm_end <= vma->vm_mm->brk);

        /* Return an -EPERM or write information to the perf events buffer
         * for auditing
         */
        if (is_heap)
                return -EPERM;
}”…””}”hjZ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²j(  ‰j)  jÀ  j*  }”uh1j  hŸh³h KAhhçhžhubhØ)”}”(hX?  The ``__attribute__((preserve_access_index))`` is a clang feature that allows
the BPF verifier to update the offsets for the access at runtime using the
Documentation/bpf/btf.rst information. Since the BPF verifier is aware of the
types, it also validates all the accesses made to the various types in the
eBPF program.”h]”(hŒThe ”…””}”(hji  hžhhŸNh Nubj  )”}”(hŒ*``__attribute__((preserve_access_index))``”h]”hŒ&__attribute__((preserve_access_index))”…””}”(hjq  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hji  ubhX   is a clang feature that allows
the BPF verifier to update the offsets for the access at runtime using the
Documentation/bpf/btf.rst information. Since the BPF verifier is aware of the
types, it also validates all the accesses made to the various types in the
eBPF program.”…””}”(hji  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KYhhçhžhubeh}”(h]”Œ	structure”ah ]”h"]”Œ	structure”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KubhÃ)”}”(hhh]”(hÈ)”}”(hŒLoading”h]”hŒLoading”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj‘  hžhhŸh³h K`ubhØ)”}”(hŒ]eBPF programs can be loaded with the :manpage:`bpf(2)` syscall's
``BPF_PROG_LOAD`` operation:”h]”(hŒ%eBPF programs can be loaded with the ”…””}”(hj¢  hžhhŸNh Nubh Œmanpage”“”)”}”(hŒ:manpage:`bpf(2)`”h]”hŒbpf(2)”…””}”(hj¬  hžhhŸNh Nubah}”(h]”h ]”jª  ah"]”h$]”h&]”h±h²Œpath”Œbpf(2)”Œpage”Œbpf”Œsection”Œ2”uh1jª  hj¢  ubhŒ syscallâ€™s
”…””}”(hj¢  hžhhŸNh Nubj  )”}”(hŒ``BPF_PROG_LOAD``”h]”hŒBPF_PROG_LOAD”…””}”(hjÄ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj¢  ubhŒ operation:”…””}”(hj¢  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kbhj‘  hžhubj  )”}”(hŒVstruct bpf_object *obj;

obj = bpf_object__open("./my_prog.o");
bpf_object__load(obj);”h]”hŒVstruct bpf_object *obj;

obj = bpf_object__open("./my_prog.o");
bpf_object__load(obj);”…””}”hjÜ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²j(  ‰j)  jÀ  j*  }”uh1j  hŸh³h Kehj‘  hžhubhØ)”}”(hŒKThis can be simplified by using a skeleton header generated by ``bpftool``:”h]”(hŒ?This can be simplified by using a skeleton header generated by ”…””}”(hjë  hžhhŸNh Nubj  )”}”(hŒ``bpftool``”h]”hŒbpftool”…””}”(hjó  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hjë  ubhŒ:”…””}”(hjë  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Klhj‘  hžhubj  )”}”(hŒ1# bpftool gen skeleton my_prog.o > my_prog.skel.h”h]”hŒ1# bpftool gen skeleton my_prog.o > my_prog.skel.h”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²j(  ‰j)  Œconsole”j*  }”uh1j  hŸh³h Knhj‘  hžhubhØ)”}”(hŒyand the program can be loaded by including ``my_prog.skel.h`` and using
the generated helper, ``my_prog__open_and_load``.”h]”(hŒ+and the program can be loaded by including ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``my_prog.skel.h``”h]”hŒmy_prog.skel.h”…””}”(hj#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj  ubhŒ! and using
the generated helper, ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``my_prog__open_and_load``”h]”hŒmy_prog__open_and_load”…””}”(hj5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj  ubhŒ.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Krhj‘  hžhubeh}”(h]”Œloading”ah ]”h"]”Œloading”ah$]”h&]”uh1hÂhhÄhžhhŸh³h K`ubhÃ)”}”(hhh]”(hÈ)”}”(hŒAttachment to LSM Hooks”h]”hŒAttachment to LSM Hooks”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhjU  hžhhŸh³h KvubhØ)”}”(hŒÆThe LSM allows attachment of eBPF programs as LSM hooks using :manpage:`bpf(2)`
syscall's ``BPF_RAW_TRACEPOINT_OPEN`` operation or more simply by
using the libbpf helper ``bpf_program__attach_lsm``.”h]”(hŒ>The LSM allows attachment of eBPF programs as LSM hooks using ”…””}”(hjf  hžhhŸNh Nubj«  )”}”(hŒ:manpage:`bpf(2)`”h]”hŒbpf(2)”…””}”(hjn  hžhhŸNh Nubah}”(h]”h ]”jª  ah"]”h$]”h&]”h±h²jº  Œbpf(2)”j¼  Œbpf”j¾  j¿  uh1jª  hjf  ubhŒ
syscallâ€™s ”…””}”(hjf  hžhhŸNh Nubj  )”}”(hŒ``BPF_RAW_TRACEPOINT_OPEN``”h]”hŒBPF_RAW_TRACEPOINT_OPEN”…””}”(hj‚  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hjf  ubhŒ5 operation or more simply by
using the libbpf helper ”…””}”(hjf  hžhhŸNh Nubj  )”}”(hŒ``bpf_program__attach_lsm``”h]”hŒbpf_program__attach_lsm”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hjf  ubhŒ.”…””}”(hjf  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KxhjU  hžhubhØ)”}”(hŒ”The program can be detached from the LSM hook by *destroying* the ``link``
link returned by ``bpf_program__attach_lsm`` using ``bpf_link__destroy``.”h]”(hŒ1The program can be detached from the LSM hook by ”…””}”(hj¬  hžhhŸNh NubhŒemphasis”“”)”}”(hŒ*destroying*”h]”hŒ
destroying”…””}”(hj¶  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j´  hj¬  ubhŒ the ”…””}”(hj¬  hžhhŸNh Nubj  )”}”(hŒ``link``”h]”hŒlink”…””}”(hjÈ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj¬  ubhŒ
link returned by ”…””}”(hj¬  hžhhŸNh Nubj  )”}”(hŒ``bpf_program__attach_lsm``”h]”hŒbpf_program__attach_lsm”…””}”(hjÚ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj¬  ubhŒ using ”…””}”(hj¬  hžhhŸNh Nubj  )”}”(hŒ``bpf_link__destroy``”h]”hŒbpf_link__destroy”…””}”(hjì  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj¬  ubhŒ.”…””}”(hj¬  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K|hjU  hžhubhØ)”}”(hŒŽOne can also use the helpers generated in ``my_prog.skel.h`` i.e.
``my_prog__attach`` for attachment and ``my_prog__destroy`` for cleaning up.”h]”(hŒ*One can also use the helpers generated in ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``my_prog.skel.h``”h]”hŒmy_prog.skel.h”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj  ubhŒ i.e.
”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``my_prog__attach``”h]”hŒmy_prog__attach”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj  ubhŒ for attachment and ”…””}”(hj  hžhhŸNh Nubj  )”}”(hŒ``my_prog__destroy``”h]”hŒmy_prog__destroy”…””}”(hj0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hj  ubhŒ for cleaning up.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhjU  hžhubeh}”(h]”Œattachment-to-lsm-hooks”ah ]”h"]”Œattachment to lsm hooks”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KvubhÃ)”}”(hhh]”(hÈ)”}”(hŒExamples”h]”hŒExamples”…””}”(hjS  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhjP  hžhhŸh³h KƒubhØ)”}”(hŒ¯An example eBPF program can be found in
`tools/testing/selftests/bpf/progs/lsm.c`_ and the corresponding
userspace code in `tools/testing/selftests/bpf/prog_tests/test_lsm.c`_”h]”(hŒ(An example eBPF program can be found in
”…””}”(hja  hžhhŸNh NubjÖ  )”}”(hŒ*`tools/testing/selftests/bpf/progs/lsm.c`_”h]”hŒ'tools/testing/selftests/bpf/progs/lsm.c”…””}”(hji  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ'tools/testing/selftests/bpf/progs/lsm.c”jç  Œmhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/testing/selftests/bpf/progs/lsm.c”uh1jÕ  hja  jé  KubhŒ) and the corresponding
userspace code in ”…””}”(hja  hžhhŸNh NubjÖ  )”}”(hŒ4`tools/testing/selftests/bpf/prog_tests/test_lsm.c`_”h]”hŒ1tools/testing/selftests/bpf/prog_tests/test_lsm.c”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ1tools/testing/selftests/bpf/prog_tests/test_lsm.c”jç  Œwhttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/testing/selftests/bpf/prog_tests/test_lsm.c”uh1jÕ  hja  jé  Kubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K…hjP  hžhubh¢)”}”(hŒLinks”h]”hŒLinks”…””}”hj•  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hjP  hžhhŸh³h K‰ubhŒtarget”“”)”}”(hŒ….. _tools/lib/bpf/bpf_tracing.h:
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/lib/bpf/bpf_tracing.h”h]”h}”(h]”Œtools-lib-bpf-bpf-tracing-h”ah ]”h"]”Œtools/lib/bpf/bpf_tracing.h”ah$]”h&]”jç  jè  uh1j£  h KŠhjP  hžhhŸh³Œ
referenced”Kubj¤  )”}”(hŒ.. _tools/testing/selftests/bpf/progs/lsm.c:
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/testing/selftests/bpf/progs/lsm.c”h]”h}”(h]”Œ'tools-testing-selftests-bpf-progs-lsm-c”ah ]”h"]”Œ'tools/testing/selftests/bpf/progs/lsm.c”ah$]”h&]”jç  jy  uh1j£  h KŒhjP  hžhhŸh³j±  Kubj¤  )”}”(hŒ±.. _tools/testing/selftests/bpf/prog_tests/test_lsm.c:
   https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/testing/selftests/bpf/prog_tests/test_lsm.c”h]”h}”(h]”Œ1tools-testing-selftests-bpf-prog-tests-test-lsm-c”ah ]”h"]”Œ1tools/testing/selftests/bpf/prog_tests/test_lsm.c”ah$]”h&]”jç  jŽ  uh1j£  h KŽhjP  hžhhŸh³j±  Kubeh}”(h]”Œexamples”ah ]”h"]”Œexamples”ah$]”h&]”uh1hÂhhÄhžhhŸh³h Kƒubeh}”(h]”Œlsm-bpf-programs”ah ]”h"]”Œlsm bpf programs”ah$]”h&]”uh1hÂhhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÇNŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jý  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”(Œtools/lib/bpf/bpf_tracing.h”]”j×  aŒ'tools/testing/selftests/bpf/progs/lsm.c”]”ji  aŒ1tools/testing/selftests/bpf/prog_tests/test_lsm.c”]”j~  auŒrefids”}”Œnameids”}”(j×  jÔ  jŽ  j‹  jR  jO  jM  jJ  jÏ  jÌ  j®  j«  j»  j¸  jÇ  jÄ  uŒ	nametypes”}”(j×  ‰jŽ  ‰jR  ‰jM  ‰jÏ  ‰j®  ˆj»  ˆjÇ  ˆuh}”(jÔ  hÄj‹  hçj)  j2  jO  j‘  jJ  jU  jÌ  jP  j«  j¥  j¸  j²  jÄ  j¾  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.