On 30/08/2016 22:18, Andy Lutomirski wrote: > On Tue, Aug 30, 2016 at 1:10 PM, Mickaël Salaün wrote: >> >> On 30/08/2016 20:56, Andy Lutomirski wrote: >>> On Aug 25, 2016 12:34 PM, "Mickaël Salaün" wrote: >>>> >>>> Add LSM hooks which can be used by userland through Landlock (eBPF) >>>> programs. This programs are limited to a whitelist of functions (cf. >>>> next commit). The eBPF program context is depicted by the struct >>>> landlock_data (cf. include/uapi/linux/bpf.h): >>>> * hook: LSM hook ID (useful when using the same program for multiple LSM >>>> hooks); >>>> * cookie: the 16-bit value from the seccomp filter that triggered this >>>> Landlock program; >>>> * args[6]: array of LSM hook arguments. >>>> >>>> The LSM hook arguments can contain raw values as integers or >>>> (unleakable) pointers. The only way to use the pointers are to pass them >>>> to an eBPF function according to their types (e.g. the >>>> bpf_landlock_cmp_fs_beneath_with_struct_file function can use a struct >>>> file pointer). >>>> >>>> For now, there is three hooks for file system access control: >>>> * file_open; >>>> * file_permission; >>>> * mmap_file. >>>> >>> >>> What's the purpose of exposing struct cred * to userspace? It's >>> primarily just an optimization to save a bit of RAM, and it's a >>> dubious optimization at that. What are you using it for? Would it >>> make more sense to use struct task_struct * or struct pid * instead? >>> >>> Also, exposing struct cred * has a really weird side-effect: it allows >>> (maybe even encourages) checking for pointer equality between two >>> struct cred * objects. Doing so will have erratic results. >>> >> >> The pointers exposed in the ePBF context are not directly readable by an >> unprivileged eBPF program thanks to the strong typing of the Landlock >> context and the static eBPF verification. There is no way to leak a >> kernel pointer to userspace from an unprivileged eBPF program: pointer >> arithmetic and comparison are prohibited. Pointers can only be pass as >> argument to dedicated eBPF functions. > > I'm not talking about leaking the value -- I'm talking about leaking > the predicate (a == b) for two struct cred pointers. That predicate > shouldn't be available because it has very odd effects. I'm pretty sure this case is covered with the impossibility of doing pointers comparison. > >> >> For now, struct cred * is simply not used by any eBPF function and then >> not usable at all. It only exist here because I map the LSM hook >> arguments in a generic/automatic way to the eBPF context. > > Maybe remove it from this patch set then? Well, this is done with the LANDLOCK_HOOK* macros but I will remove it.