From: Stephen Smalley <sds@tycho.nsa.gov>
To: KP Singh <kpsingh@chromium.org>
Cc: James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org,
Brendan Jackman <jackmanb@google.com>,
Florent Revest <revest@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Kees Cook <keescook@chromium.org>, Paul Turner <pjt@google.com>,
Jann Horn <jannh@google.com>,
Florent Revest <revest@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH bpf-next v7 4/8] bpf: lsm: Implement attach, detach and execution
Date: Fri, 27 Mar 2020 09:43:45 -0400 [thread overview]
Message-ID: <14ff822f-3ca5-7ebb-3df6-dd02249169d2@tycho.nsa.gov> (raw)
In-Reply-To: <20200327124115.GA8318@chromium.org>
On 3/27/20 8:41 AM, KP Singh wrote:
> On 27-Mär 08:27, Stephen Smalley wrote:
>> On 3/26/20 8:24 PM, James Morris wrote:
>>> On Thu, 26 Mar 2020, KP Singh wrote:
>>>
>>>> +int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
>>>> + const struct bpf_prog *prog)
>>>> +{
>>>> + /* Only CAP_MAC_ADMIN users are allowed to make changes to LSM hooks
>>>> + */
>>>> + if (!capable(CAP_MAC_ADMIN))
>>>> + return -EPERM;
>>>> +
>>>
>>> Stephen, can you confirm that your concerns around this are resolved
>>> (IIRC, by SELinux implementing a bpf_prog callback) ?
>>
>> I guess the only residual concern I have is that CAP_MAC_ADMIN means
>> something different to SELinux (ability to get/set file security contexts
>> unknown to the currently loaded policy), so leaving the CAP_MAC_ADMIN check
>> here (versus calling a new security hook here and checking CAP_MAC_ADMIN in
>> the implementation of that hook for the modules that want that) conflates
>> two very different things. Prior to this patch, there are no users of
>> CAP_MAC_ADMIN outside of individual security modules; it is only checked in
>> module-specific logic within apparmor, safesetid, selinux, and smack, so the
>> meaning was module-specific.
>
> As we had discussed, We do have a security hook as well:
>
> https://lore.kernel.org/bpf/20200324180652.GA11855@chromium.org/
>
> The bpf_prog hook which can check for BPF_PROG_TYPE_LSM and implement
> module specific logic for LSM programs. I thougt that was okay?
>
> Kees was in favor of keeping the CAP_MAC_ADMIN check here:
>
> https://lore.kernel.org/bpf/202003241133.16C02BE5B@keescook
>
> If you feel strongly and Kees agrees, we can remove the CAP_MAC_ADMIN
> check here, but given that we already have a security hook that meets
> the requirements, we probably don't need another one.
I would favor removing the CAP_MAC_ADMIN check here, and implementing it
in a bpf_prog hook for Smack and AppArmor if they want that. SELinux
would implement its own check in its existing bpf_prog hook.
next prev parent reply other threads:[~2020-03-27 13:42 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-26 14:28 [PATCH bpf-next v7 0/8] MAC and Audit policy using eBPF (KRSI) KP Singh
2020-03-26 14:28 ` [PATCH bpf-next v7 1/8] bpf: Introduce BPF_PROG_TYPE_LSM KP Singh
2020-03-27 0:27 ` James Morris
2020-03-26 14:28 ` [PATCH bpf-next v7 2/8] security: Refactor declaration of LSM hooks KP Singh
2020-03-27 0:28 ` James Morris
2020-03-26 14:28 ` [PATCH bpf-next v7 3/8] bpf: lsm: provide attachment points for BPF LSM programs KP Singh
2020-03-27 0:29 ` James Morris
2020-03-26 14:28 ` [PATCH bpf-next v7 4/8] bpf: lsm: Implement attach, detach and execution KP Singh
2020-03-26 19:12 ` Andrii Nakryiko
2020-03-26 19:39 ` KP Singh
2020-03-27 0:24 ` James Morris
2020-03-27 12:27 ` Stephen Smalley
2020-03-27 12:41 ` KP Singh
2020-03-27 13:43 ` Stephen Smalley [this message]
2020-03-27 14:29 ` KP Singh
2020-03-27 16:36 ` Casey Schaufler
2020-03-27 18:59 ` Kees Cook
2020-03-27 19:17 ` KP Singh
2020-03-27 3:12 ` Alexei Starovoitov
2020-03-27 15:06 ` KP Singh
2020-03-26 14:28 ` [PATCH bpf-next v7 5/8] bpf: lsm: Initialize the BPF LSM hooks KP Singh
2020-03-27 0:29 ` James Morris
2020-03-26 14:28 ` [PATCH bpf-next v7 6/8] tools/libbpf: Add support for BPF_PROG_TYPE_LSM KP Singh
2020-03-27 0:30 ` James Morris
2020-03-26 14:28 ` [PATCH bpf-next v7 7/8] bpf: lsm: Add selftests " KP Singh
2020-03-26 19:24 ` Andrii Nakryiko
2020-03-26 19:44 ` KP Singh
2020-03-27 0:31 ` James Morris
2020-03-26 14:28 ` [PATCH bpf-next v7 8/8] bpf: lsm: Add Documentation KP Singh
2020-03-26 19:31 ` Andrii Nakryiko
2020-03-26 20:56 ` KP Singh
2020-03-26 22:01 ` Andrii Nakryiko
2020-03-27 0:33 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=14ff822f-3ca5-7ebb-3df6-dd02249169d2@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=jackmanb@chromium.org \
--cc=jackmanb@google.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kpsingh@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=pjt@google.com \
--cc=revest@chromium.org \
--cc=revest@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.