lua-lsm: support loadable API producers #26
Open
chenzongyao200127 wants to merge 22 commits into
Export the Lua runtime and lua-lsm auxiliary helpers needed by loadable API producer modules. Keep the exported surface limited to the functions used by the per-library modules.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Add the descriptor and registration entry points used by API libraries to publish their Lua functions to the lua-lsm core. The ABI also documents ownership, versioning, and metatable install contracts.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Move API object metatable creation behind a core-owned installer. Producer modules can attach their method tables without exporting the raw metatable construction helpers.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Add the registry that validates producer descriptors, audits registration attempts, replays libraries into live Lua VMs, and keeps CPU hotplug state synchronized.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Teach the lua-lsm core to build Lua states from the dynamic API library registry. Expose the VM and pool helpers needed by registry replay and invalidate stale pooled VMs by generation.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Register the kernel API surface through the new producer ABI. Keep object metatable setup in an open_extras callback, and route non-exported task lookup helpers through lua-lsm wrappers.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Register the filesystem API surface as an independent producer. Move filesystem object metatable installation into the producer callback so the library can be built separately from the core.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Register the networking API surface as an independent producer. Install socket-related object methods through the shared metatable helper instead of opening the library from the core.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Register the errno API surface through the producer ABI. Publish the errname helper and errno constants from the library callback.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Register the capability API surface through the producer ABI. Attach capability object methods through the shared metatable helper before publishing constants.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Register the signal API surface through the producer ABI. Use an empty function table and publish signal constants from the extras callback.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Document how lua-lsm API libraries register with the core and how the registry updates live Lua VMs.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Only task_blob_free() walked _MODULES before reusing a dirty VM, so pool overflow, drain, and register-time swap paths leaked policy module references and made unregister fail with -EBUSY. Move the walk into lua_state_free() under srcu_read_lock(&modules_ss) so every destruction path accounts uniformly.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Built-in (owner==NULL) producers are part of vmlinux text, already covered by the boot-time signature gate. The lockdown gate matches the signed-API gate and lets them through.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Make the helper name describe its actual contract more clearly. It recovers the owning lvm_state from a lua_State created by lua-lsm. The old name, lvm_state_from_state(), was ambiguous because both objects are kinds of state. Rename it and tighten the comment so the call sites read more clearly.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Rename lua_modules_free() to lvm_put_loaded_modules() so the helper name reflects its actual job: drop the loaded-module references recorded in a Lua VM and decrement module->nloaded. Update the associated comment and log messages to match.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Rename the heap-owned lvm_state cleanup helper so callers can tell it frees both the Lua state and the lvm_state storage. Keep the embedded state cleanup path separate through lua_state_free().
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Make the signed API producer gate depend on module signature support. Without module signatures, the runtime signature check cannot make a trustworthy unsigned-module decision.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Mark replacement IRQ and current task VMs with the generation that will be published when API library registration commits. Also stamp offline CPU IRQ VMs after hotplug replay succeeds.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Detect task-owned Lua VMs that were built before the latest API library registration and replace them before returning the VM to hook dispatch. This lets existing tasks observe newly registered API libraries without mutating a VM that is currently in use.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>

Replace the internal registration notes with a user-facing guide for building Lua API producer modules outside the kernel tree. Include a small time library example, build commands, and policy usage.
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
e699b9b to 601cdce
Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
Summary
Add a registration path for Lua-LSM API libraries so the Lua-callable
surface can be provided by independent producer modules instead of being
fully tied to the core LSM object.
This allows the existing kernel, fs, net, errno, capability, and signal
libraries to be built either into vmlinux or as loadable producer modules,
documents how external producers can register their
own Lua APIs, and exposes the live API library registry through
securityfs for inspection.

Changes
rollback handling.
closures may be reachable from Lua VMs.
enabled.
/sys/kernel/security/lua/api_libraries.

securityfs example
Example output:
API set version increments when the registered Lua API library set changes.
extra-init indicates whether the library defines an open_extras callback in addition to the plain luaL_Reg function array.
Validation
The ignored checkpatch message types are limited to Lua API naming
(luaL_Reg) and the standard new-file MAINTAINERS reminder.
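
Added example, not code from this pull request: a userspace C model of the generation check that the commits on stale pooled VMs and task-owned VMs describe, where a VM built before the latest registration is replaced instead of being patched in place. Every struct and function name is hypothetical, and returning NULL with the old VM left in its slot when a rebuild fails is a choice of this model only.

```c
#include <stdlib.h>

/* Userspace model only: every name here is hypothetical, not lua-lsm's. */
struct api_registry {
    unsigned long generation;   /* bumped when a registration commits */
    unsigned int nlibs;         /* API libraries currently registered */
};

struct model_vm {
    unsigned long built_gen;    /* registry generation the VM was built from */
    unsigned int nlibs;         /* libraries opened into the VM at build time */
};

/* Build a fresh VM from the current registry contents and stamp it. */
static struct model_vm *vm_build(const struct api_registry *reg)
{
    struct model_vm *vm = malloc(sizeof(*vm));

    if (!vm)
        return NULL;
    vm->built_gen = reg->generation;
    vm->nlibs = reg->nlibs;
    return vm;
}

/* Commit a registration: add the library, then publish the new generation. */
static void registry_commit(struct api_registry *reg)
{
    reg->nlibs++;
    reg->generation++;
}

/*
 * Hand a task's VM to hook dispatch. A VM stamped with an older generation
 * is swapped for a fresh build and is never modified. Model choice: if the
 * rebuild fails, the slot is left untouched and NULL is returned.
 */
static struct model_vm *vm_get_for_dispatch(const struct api_registry *reg,
                                            struct model_vm **slot)
{
    struct model_vm *fresh;

    if (*slot && (*slot)->built_gen == reg->generation)
        return *slot;           /* current: reuse as-is */
    fresh = vm_build(reg);
    if (!fresh)
        return NULL;
    free(*slot);                /* stale or absent: drop and replace */
    *slot = fresh;
    return fresh;
}
```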