Re: [PoC][PATCH] bpf: Call return value check function in the JITed code

From: Casey Schaufler <casey@schaufler-ca.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
	Roberto Sassu <roberto.sassu@huaweicloud.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
	John Fastabend <john.fastabend@gmail.com>,
	KP Singh <kpsingh@kernel.org>,
	Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Florent Revest <revest@chromium.org>,
	Brendan Jackman <jackmanb@chromium.org>,
	Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E . Hallyn" <serge@hallyn.com>, bpf <bpf@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Roberto Sassu <roberto.sassu@huawei.com>,
	casey@schaufler-ca.com
Subject: Re: [PoC][PATCH] bpf: Call return value check function in the JITed code
Date: Wed, 16 Nov 2022 10:29:52 -0800	[thread overview]
Message-ID: <2430b157-9ef9-2465-a9e4-d117d421566d@schaufler-ca.com> (raw)
In-Reply-To: <CAADnVQJu7isDCi4+f8s4LfiwcYJbN4kXkvgJ8+ZnsS+QGDVnMw@mail.gmail.com>

On 11/16/2022 9:55 AM, Alexei Starovoitov wrote:
> On Wed, Nov 16, 2022 at 8:41 AM Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
>> On Wed, 2022-11-16 at 08:16 -0800, Alexei Starovoitov wrote:
>>> On Wed, Nov 16, 2022 at 7:48 AM Roberto Sassu
>>> <roberto.sassu@huaweicloud.com> wrote:
>>>> +static bool is_ret_value_allowed(int ret, u32 ret_flags)
>>>> +{
>>>> +       if ((ret < 0 && !(ret_flags & LSM_RET_NEG)) ||
>>>> +           (ret == 0 && !(ret_flags & LSM_RET_ZERO)) ||
>>>> +           (ret == 1 && !(ret_flags & LSM_RET_ONE)) ||
>>>> +           (ret > 1 && !(ret_flags & LSM_RET_GT_ONE)))
>>>> +               return false;
>>>> +
>>>> +       return true;
>>>> +}
>>>> +
>>>>  /* For every LSM hook that allows attachment of BPF programs, declare a nop
>>>>   * function where a BPF program can be attached.
>>>>   */
>>>> @@ -30,6 +41,15 @@ noinline RET bpf_lsm_##NAME(__VA_ARGS__)     \
>>>>  #include <linux/lsm_hook_defs.h>
>>>>  #undef LSM_HOOK
>>>>
>>>> +#define LSM_HOOK(RET, DEFAULT, RET_FLAGS, NAME, ...)   \
>>>> +noinline RET bpf_lsm_##NAME##_ret(int ret)     \
>>>> +{                                              \
>>>> +       return is_ret_value_allowed(ret, RET_FLAGS) ? ret : DEFAULT; \
>>>> +}
>>>> +
>>>> +#include <linux/lsm_hook_defs.h>
>>>> +#undef LSM_HOOK
>>>> +
>>> because lsm hooks is mess of undocumented return values your
>>> "solution" is to add hundreds of noninline functions
>>> and hack the call into them in JITs ?!
>> I revisited the documentation and checked each LSM hook one by one.
>> Hopefully, I completed it correctly, but I would review again (others
>> are also welcome to do it).
>>
>> Not sure if there is a more efficient way. Do you have any idea?
>> Maybe we find a way to use only one check function (by reusing the
>> address of the attachment point?).
>>
>> Regarding the JIT approach, I didn't find a reliable solution for using
>> just the verifier. As I wrote to you, there could be the case where the
>> range can include positive values, despite the possible return values
>> are zero and -EACCES.
> Didn't you find that there are only 12 or so odd return cases.
> Maybe refactor some of them to something that the verifier can enforce
> and denylist the rest ?

Changing security_mumble() often requires changes in either VFS, audit or
networking code. Even simple changes can require extensive review and
difficult to obtain Acked-by's. It may be the correct approach, but it
won't be easy or quick.

> Also denylist those that Casey mentioned like security_secid_to_secctx ?

Identifying all the hooks that could be "dangerous" isn't an easy chore,
and some of the "dangerous" hooks are key to implementing classes of policy
and absolutely necessary for audit support.