From: Casey Schaufler <casey@schaufler-ca.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Paul Moore <paul@paul-moore.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
Ondrej Mosnacek <omosnace@redhat.com>,
LSM List <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
Steven Rostedt <rostedt@goodmis.org>,
Ingo Molnar <mingo@redhat.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
selinux@vger.kernel.org, ppc-dev <linuxppc-dev@lists.ozlabs.org>,
Linux-Fsdevel <linux-fsdevel@vger.kernel.org>,
bpf <bpf@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>, Jiri Olsa <jolsa@redhat.com>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks
Date: Sat, 5 Jun 2021 11:10:57 -0700 [thread overview]
Message-ID: <64552a82-d878-b6e6-e650-52423153b624@schaufler-ca.com> (raw)
In-Reply-To: <CAADnVQ+0bNtDj46Q8s-h=rqJgZz2JaGTeHpbmof3e7fBBQKuDQ@mail.gmail.com>
On 6/4/2021 5:08 PM, Alexei Starovoitov wrote:
> On Fri, Jun 4, 2021 at 4:34 PM Paul Moore <paul@paul-moore.com> wrote:
>>> Again, the problem is not limited to BPF at all. kprobes is doing register-
>>> the hooks which are equivalent to the one of BPF. Anything in run-time
>>> trying to prevent probe_read_kernel by kprobes or BPF is broken by design.
>> Not being an expert on kprobes I can't really comment on that, but
>> right now I'm focused on trying to make things work for the BPF
>> helpers. I suspect that if we can get the SELinux lockdown
>> implementation working properly for BPF the solution for kprobes won't
>> be far off.
> Paul,
>
> Both kprobe and bpf can call probe_read_kernel==copy_from_kernel_nofault
> from all contexts.
> Including NMI. Most of audit_log_* is not acceptable.
> Just removing a wakeup is not solving anything.
> Audit hooks don't belong in NMI.
> Audit design needs memory allocation. Hence it's not suitable
> for NMI and hardirq. But kprobes and bpf progs do run just fine there.
> BPF, for example, only uses pre-allocated memory.
You have fallen into a common fallacy. The fact that the "code runs"
does not assure that the "system works right". In the security world
we face this all the time, often with performance expectations. In this
case the BPF design has failed to accommodate the long standing needs
of audit and SELinux. Shifting the responsibility for these design flaws
to SELinux is inappropriate. Integration of sub-systems is usually the
burden of the newcomer, which in this case is BPF. Paul is doing the
bulk of your work for you. Maybe you could step up to your responsibility
and work with him, not against him.
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Paul Moore <paul@paul-moore.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Jiri Olsa <jolsa@redhat.com>, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
selinux@vger.kernel.org,
Network Development <netdev@vger.kernel.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Ondrej Mosnacek <omosnace@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>,
James Morris <jmorris@namei.org>,
Andrii Nakryiko <andrii@kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Ingo Molnar <mingo@redhat.com>,
Linux-Fsdevel <linux-fsdevel@vger.kernel.org>,
Jakub Kicinski <kuba@kernel.org>, bpf <bpf@vger.kernel.org>,
ppc-dev <linuxppc-dev@lists.ozlabs.org>,
"David S. Miller" <davem@davemloft.net>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks
Date: Sat, 5 Jun 2021 11:10:57 -0700 [thread overview]
Message-ID: <64552a82-d878-b6e6-e650-52423153b624@schaufler-ca.com> (raw)
In-Reply-To: <CAADnVQ+0bNtDj46Q8s-h=rqJgZz2JaGTeHpbmof3e7fBBQKuDQ@mail.gmail.com>
On 6/4/2021 5:08 PM, Alexei Starovoitov wrote:
> On Fri, Jun 4, 2021 at 4:34 PM Paul Moore <paul@paul-moore.com> wrote:
>>> Again, the problem is not limited to BPF at all. kprobes is doing register-
>>> the hooks which are equivalent to the one of BPF. Anything in run-time
>>> trying to prevent probe_read_kernel by kprobes or BPF is broken by design.
>> Not being an expert on kprobes I can't really comment on that, but
>> right now I'm focused on trying to make things work for the BPF
>> helpers. I suspect that if we can get the SELinux lockdown
>> implementation working properly for BPF the solution for kprobes won't
>> be far off.
> Paul,
>
> Both kprobe and bpf can call probe_read_kernel==copy_from_kernel_nofault
> from all contexts.
> Including NMI. Most of audit_log_* is not acceptable.
> Just removing a wakeup is not solving anything.
> Audit hooks don't belong in NMI.
> Audit design needs memory allocation. Hence it's not suitable
> for NMI and hardirq. But kprobes and bpf progs do run just fine there.
> BPF, for example, only uses pre-allocated memory.
You have fallen into a common fallacy. The fact that the "code runs"
does not assure that the "system works right". In the security world
we face this all the time, often with performance expectations. In this
case the BPF design has failed to accommodate the long standing needs
of audit and SELinux. Shifting the responsibility for these design flaws
to SELinux is inappropriate. Integration of sub-systems is usually the
burden of the newcomer, which in this case is BPF. Paul is doing the
bulk of your work for you. Maybe you could step up to your responsibility
and work with him, not against him.
next prev parent reply other threads:[~2021-06-05 18:11 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-17 9:20 [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks Ondrej Mosnacek
2021-05-17 9:20 ` [PATCH v2] lockdown, selinux: " Ondrej Mosnacek
2021-05-17 11:00 ` [PATCH v2] lockdown,selinux: " Michael Ellerman
2021-05-17 11:00 ` Michael Ellerman
2021-05-26 11:44 ` Ondrej Mosnacek
2021-05-26 11:44 ` Ondrej Mosnacek
2021-05-27 4:28 ` James Morris
2021-05-27 4:28 ` James Morris
2021-05-27 14:18 ` Paul Moore
2021-05-27 14:18 ` Paul Moore
2021-05-28 1:37 ` Paul Moore
2021-05-28 1:37 ` Paul Moore
2021-05-28 7:09 ` Daniel Borkmann
2021-05-28 7:09 ` Daniel Borkmann
2021-05-28 9:53 ` Jiri Olsa
2021-05-28 9:53 ` Jiri Olsa
2021-05-28 9:56 ` Daniel Borkmann
2021-05-28 9:56 ` Daniel Borkmann
2021-05-28 10:16 ` Jiri Olsa
2021-05-28 10:16 ` Jiri Olsa
2021-05-28 11:47 ` Jiri Olsa
2021-05-28 11:47 ` Jiri Olsa
2021-05-28 11:54 ` Daniel Borkmann
2021-05-28 11:54 ` Daniel Borkmann
2021-05-28 13:42 ` Ondrej Mosnacek
2021-05-28 13:42 ` Ondrej Mosnacek
2021-05-28 14:20 ` Daniel Borkmann
2021-05-28 14:20 ` Daniel Borkmann
2021-05-28 15:54 ` Paul Moore
2021-05-28 15:54 ` Paul Moore
2021-05-28 15:47 ` Paul Moore
2021-05-28 15:47 ` Paul Moore
2021-05-28 18:10 ` Daniel Borkmann
2021-05-28 18:10 ` Daniel Borkmann
2021-05-28 22:52 ` Paul Moore
2021-05-28 22:52 ` Paul Moore
2021-05-29 18:48 ` Paul Moore
2021-05-29 18:48 ` Paul Moore
2021-05-31 8:24 ` Daniel Borkmann
2021-05-31 8:24 ` Daniel Borkmann
2021-06-01 20:47 ` Paul Moore
2021-06-01 20:47 ` Paul Moore
2021-06-02 12:40 ` Daniel Borkmann
2021-06-02 12:40 ` Daniel Borkmann
2021-06-02 15:13 ` Paul Moore
2021-06-02 15:13 ` Paul Moore
2021-06-03 18:52 ` Daniel Borkmann
2021-06-03 18:52 ` Daniel Borkmann
2021-06-04 4:50 ` Paul Moore
2021-06-04 4:50 ` Paul Moore
2021-06-04 18:02 ` Daniel Borkmann
2021-06-04 18:02 ` Daniel Borkmann
2021-06-04 23:34 ` Paul Moore
2021-06-04 23:34 ` Paul Moore
2021-06-05 0:08 ` Alexei Starovoitov
2021-06-05 0:08 ` Alexei Starovoitov
2021-06-05 18:10 ` Casey Schaufler [this message]
2021-06-05 18:10 ` Casey Schaufler
2021-06-05 18:17 ` Linus Torvalds
2021-06-05 18:17 ` Linus Torvalds
2021-06-06 2:11 ` Paul Moore
2021-06-06 2:11 ` Paul Moore
2021-06-06 1:30 ` Paul Moore
2021-06-06 1:30 ` Paul Moore
2021-06-02 13:39 ` Ondrej Mosnacek
2021-06-02 13:39 ` Ondrej Mosnacek
2021-06-03 17:46 ` Paul Moore
2021-06-03 17:46 ` Paul Moore
2021-06-08 11:01 ` Ondrej Mosnacek
2021-06-08 11:01 ` Ondrej Mosnacek
2021-06-09 2:40 ` Paul Moore
2021-06-09 2:40 ` Paul Moore
2021-05-28 13:58 ` Steven Rostedt
2021-05-28 13:58 ` Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=64552a82-d878-b6e6-e650-52423153b624@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=jolsa@redhat.com \
--cc=kuba@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.