[PATCH v5 bpf-next 0/5] Add bpf_getxattr

[PATCH v5 bpf-next 0/5] Add bpf_getxattr

[KP Singh]

v4 -> v5

- Fixes suggested by Andrii

v3 -> v4

- Fixed issue incorrect increment of arg counter
- Removed __weak and noinline from kfunc definiton
- Some other minor fixes.

v2 -> v3

- Fixed missing prototype error
- Fixes suggested by other Joanne and Kumar.

v1 -> v2

- Used kfuncs as suggested by Alexei
- Used Benjamin Tissoires' patch from the HID v4 series to add a
  sleepable kfunc set (I sent the patch as a part of this series as it
  seems to have been dropped from v5) and acked it. Hope this is okay.
- Added support for verifying string constants to kfuncs



Benjamin Tissoires (1):
  btf: Add a new kfunc set which allows to mark a function to be
    sleepable

KP Singh (4):
  bpf: kfunc support for ARG_PTR_TO_CONST_STR
  bpf: Allow kfuncs to be used in LSM programs
  bpf: Add a bpf_getxattr kfunc
  bpf/selftests: Add a selftest for bpf_getxattr

 include/linux/bpf_verifier.h                  |  2 +
 include/linux/btf.h                           |  2 +
 kernel/bpf/btf.c                              | 43 ++++++++-
 kernel/bpf/verifier.c                         | 89 +++++++++++--------
 kernel/trace/bpf_trace.c                      | 42 +++++++++
 .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++
 tools/testing/selftests/bpf/progs/xattr.c     | 37 ++++++++
 7 files changed, 229 insertions(+), 40 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/xattr.c
 create mode 100644 tools/testing/selftests/bpf/progs/xattr.c

-- 
2.37.0.rc0.161.g10f37bed90-goog

[PATCH v5 bpf-next 1/5] btf: Add a new kfunc set which allows to mark a function to be sleepable

[KP Singh]

From: Benjamin Tissoires <benjamin.tissoires@redhat.com>

This allows to declare a kfunc as sleepable and prevents its use in
a non sleepable program.

Acked-by: KP Singh <kpsingh@kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 include/linux/btf.h |  2 ++
 kernel/bpf/btf.c    | 12 ++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/include/linux/btf.h b/include/linux/btf.h
index 1bfed7fa0428..6e7517573d9e 100644
--- a/include/linux/btf.h
+++ b/include/linux/btf.h
@@ -18,6 +18,7 @@ enum btf_kfunc_type {
 	BTF_KFUNC_TYPE_RELEASE,
 	BTF_KFUNC_TYPE_RET_NULL,
 	BTF_KFUNC_TYPE_KPTR_ACQUIRE,
+	BTF_KFUNC_TYPE_SLEEPABLE,
 	BTF_KFUNC_TYPE_MAX,
 };
 
@@ -37,6 +38,7 @@ struct btf_kfunc_id_set {
 			struct btf_id_set *release_set;
 			struct btf_id_set *ret_null_set;
 			struct btf_id_set *kptr_acquire_set;
+			struct btf_id_set *sleepable_set;
 		};
 		struct btf_id_set *sets[BTF_KFUNC_TYPE_MAX];
 	};
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 2e2066d6af94..37bc77b3b499 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -6171,7 +6171,7 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 	struct bpf_verifier_log *log = &env->log;
 	u32 i, nargs, ref_id, ref_obj_id = 0;
 	bool is_kfunc = btf_is_kernel(btf);
-	bool rel = false, kptr_get = false;
+	bool rel = false, kptr_get = false, sleepable = false;
 	const char *func_name, *ref_tname;
 	const struct btf_type *t, *ref_t;
 	const struct btf_param *args;
@@ -6202,9 +6202,10 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 	}
 
 	if (is_kfunc) {
-		/* Only kfunc can be release func */
 		rel = btf_kfunc_id_set_contains(btf, resolve_prog_type(env->prog),
 						BTF_KFUNC_TYPE_RELEASE, func_id);
+		sleepable = btf_kfunc_id_set_contains(btf, resolve_prog_type(env->prog),
+						      BTF_KFUNC_TYPE_SLEEPABLE, func_id);
 		kptr_get = btf_kfunc_id_set_contains(btf, resolve_prog_type(env->prog),
 						     BTF_KFUNC_TYPE_KPTR_ACQUIRE, func_id);
 	}
@@ -6404,6 +6405,13 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 			func_name);
 		return -EINVAL;
 	}
+
+	if (sleepable && !env->prog->aux->sleepable) {
+		bpf_log(log, "kernel function %s is sleepable but the program is not\n",
+			func_name);
+		return -EINVAL;
+	}
+
 	/* returns argument register number > 0 in case of reference release kfunc */
 	return rel ? ref_regno : 0;
 }
-- 
2.37.0.rc0.161.g10f37bed90-goog

[PATCH v5 bpf-next 2/5] bpf: kfunc support for ARG_PTR_TO_CONST_STR

[KP Singh]

kfuncs can handle pointers to memory when the next argument is
the size of the memory that can be read and verify these as
ARG_CONST_SIZE_OR_ZERO

Similarly add support for string constants (const char *) and
verify it similar to ARG_PTR_TO_CONST_STR.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 include/linux/bpf_verifier.h |  2 +
 kernel/bpf/btf.c             | 30 ++++++++++++
 kernel/bpf/verifier.c        | 89 +++++++++++++++++++++---------------
 3 files changed, 83 insertions(+), 38 deletions(-)

diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 81b19669efba..f6d8898270d5 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -560,6 +560,8 @@ int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg_state
 			     u32 regno);
 int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
 		   u32 regno, u32 mem_size);
+int check_const_str(struct bpf_verifier_env *env,
+		    const struct bpf_reg_state *reg, int regno);
 
 /* this lives here instead of in bpf.h because it needs to dereference tgt_prog */
 static inline u64 bpf_trampoline_compute_key(const struct bpf_prog *tgt_prog,
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 37bc77b3b499..9b9d6117deae 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -6162,6 +6162,27 @@ static bool is_kfunc_arg_mem_size(const struct btf *btf,
 	return true;
 }
 
+static bool btf_param_is_const_str_ptr(const struct btf *btf,
+				       const struct btf_param *param)
+{
+	const struct btf_type *t;
+	bool is_const = false;
+
+	t = btf_type_by_id(btf, param->type);
+	if (!btf_type_is_ptr(t))
+		return false;
+
+	t = btf_type_by_id(btf, t->type);
+	while (btf_type_is_modifier(t)) {
+		if (BTF_INFO_KIND(t->info) == BTF_KIND_CONST)
+			is_const = true;
+		t = btf_type_by_id(btf, t->type);
+	}
+
+	return (is_const &&
+		!strcmp(btf_name_by_offset(btf, t->name_off), "char"));
+}
+
 static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 				    const struct btf *btf, u32 func_id,
 				    struct bpf_reg_state *regs,
@@ -6344,10 +6365,19 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env,
 		} else if (ptr_to_mem_ok) {
 			const struct btf_type *resolve_ret;
 			u32 type_size;
+			int err;
 
 			if (is_kfunc) {
 				bool arg_mem_size = i + 1 < nargs && is_kfunc_arg_mem_size(btf, &args[i + 1], &regs[regno + 1]);
 
+
+				if (btf_param_is_const_str_ptr(btf, &args[i])) {
+					err = check_const_str(env, reg, regno);
+					if (err < 0)
+						return err;
+					continue;
+				}
+
 				/* Permit pointer to mem, but only when argument
 				 * type is pointer to scalar, or struct composed
 				 * (recursively) of scalars.
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 4938477912cd..8ce5d2f86c1e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5840,6 +5840,56 @@ static u32 stack_slot_get_id(struct bpf_verifier_env *env, struct bpf_reg_state
 	return state->stack[spi].spilled_ptr.id;
 }
 
+int check_const_str(struct bpf_verifier_env *env,
+		    const struct bpf_reg_state *reg, int regno)
+{
+	struct bpf_map *map;
+	int map_off;
+	u64 map_addr;
+	char *str_ptr;
+	int err;
+
+	if (reg->type != PTR_TO_MAP_VALUE)
+		return -EACCES;
+
+	map = reg->map_ptr;
+	if (!bpf_map_is_rdonly(map)) {
+		verbose(env, "R%d does not point to a readonly map'\n", regno);
+		return -EACCES;
+	}
+
+	if (!tnum_is_const(reg->var_off)) {
+		verbose(env, "R%d is not a constant address'\n", regno);
+		return -EACCES;
+	}
+
+	if (!map->ops->map_direct_value_addr) {
+		verbose(env,
+			"no direct value access support for this map type\n");
+		return -EACCES;
+	}
+
+	err = check_map_access(env, regno, reg->off, map->value_size - reg->off,
+			       false, ACCESS_HELPER);
+	if (err)
+		return err;
+
+	map_off = reg->off + reg->var_off.value;
+	err = map->ops->map_direct_value_addr(map, &map_addr, map_off);
+	if (err) {
+		verbose(env, "direct value access on string failed\n");
+		return err;
+	}
+
+	str_ptr = (char *)(long)(map_addr);
+	if (!strnchr(str_ptr + map_off, map->value_size - map_off, 0)) {
+		verbose(env, "string is not zero-terminated\n");
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
 static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 			  struct bpf_call_arg_meta *meta,
 			  const struct bpf_func_proto *fn)
@@ -6074,44 +6124,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 			return err;
 		err = check_ptr_alignment(env, reg, 0, size, true);
 	} else if (arg_type == ARG_PTR_TO_CONST_STR) {
-		struct bpf_map *map = reg->map_ptr;
-		int map_off;
-		u64 map_addr;
-		char *str_ptr;
-
-		if (!bpf_map_is_rdonly(map)) {
-			verbose(env, "R%d does not point to a readonly map'\n", regno);
-			return -EACCES;
-		}
-
-		if (!tnum_is_const(reg->var_off)) {
-			verbose(env, "R%d is not a constant address'\n", regno);
-			return -EACCES;
-		}
-
-		if (!map->ops->map_direct_value_addr) {
-			verbose(env, "no direct value access support for this map type\n");
-			return -EACCES;
-		}
-
-		err = check_map_access(env, regno, reg->off,
-				       map->value_size - reg->off, false,
-				       ACCESS_HELPER);
-		if (err)
-			return err;
-
-		map_off = reg->off + reg->var_off.value;
-		err = map->ops->map_direct_value_addr(map, &map_addr, map_off);
-		if (err) {
-			verbose(env, "direct value access on string failed\n");
-			return err;
-		}
-
-		str_ptr = (char *)(long)(map_addr);
-		if (!strnchr(str_ptr + map_off, map->value_size - map_off, 0)) {
-			verbose(env, "string is not zero-terminated\n");
-			return -EINVAL;
-		}
+		err = check_const_str(env, reg, regno);
 	} else if (arg_type == ARG_PTR_TO_KPTR) {
 		if (process_kptr_func(env, regno, meta))
 			return -EACCES;
-- 
2.37.0.rc0.161.g10f37bed90-goog

[PATCH v5 bpf-next 3/5] bpf: Allow kfuncs to be used in LSM programs

[KP Singh]

In preparation for the addition of bpf_getxattr kfunc.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 kernel/bpf/btf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 9b9d6117deae..0331caa98726 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -7265,6 +7265,7 @@ static int bpf_prog_type_to_kfunc_hook(enum bpf_prog_type prog_type)
 	case BPF_PROG_TYPE_STRUCT_OPS:
 		return BTF_KFUNC_HOOK_STRUCT_OPS;
 	case BPF_PROG_TYPE_TRACING:
+	case BPF_PROG_TYPE_LSM:
 		return BTF_KFUNC_HOOK_TRACING;
 	case BPF_PROG_TYPE_SYSCALL:
 		return BTF_KFUNC_HOOK_SYSCALL;
-- 
2.37.0.rc0.161.g10f37bed90-goog

[PATCH v5 bpf-next 4/5] bpf: Add a bpf_getxattr kfunc

[KP Singh]

LSMs like SELinux store security state in xattrs. bpf_getxattr enables
BPF LSM to implement similar functionality. In combination with
bpf_local_storage, xattrs can be used to develop more complex security
policies.

This kfunc wraps around __vfs_getxattr which can sleep and is,
therefore, limited to sleepable programs using the newly added
sleepable_set for kfuncs.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 kernel/trace/bpf_trace.c | 42 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 4be976cf7d63..87496d57b099 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -20,6 +20,7 @@
 #include <linux/fprobe.h>
 #include <linux/bsearch.h>
 #include <linux/sort.h>
+#include <linux/xattr.h>
 
 #include <net/bpf_sk_storage.h>
 
@@ -1181,6 +1182,47 @@ static const struct bpf_func_proto bpf_get_func_arg_cnt_proto = {
 	.arg1_type	= ARG_PTR_TO_CTX,
 };
 
+__diag_push();
+__diag_ignore_all("-Wmissing-prototypes",
+		  "kfuncs that are used in tracing/LSM BPF programs");
+
+ssize_t bpf_getxattr(struct dentry *dentry, struct inode *inode,
+		     const char *name, void *value, int value__sz)
+{
+	return __vfs_getxattr(dentry, inode, name, value, value__sz);
+}
+
+__diag_pop();
+
+BTF_SET_START(bpf_trace_kfunc_ids)
+BTF_ID(func, bpf_getxattr)
+BTF_SET_END(bpf_trace_kfunc_ids)
+
+BTF_SET_START(bpf_trace_sleepable_kfunc_ids)
+BTF_ID(func, bpf_getxattr)
+BTF_SET_END(bpf_trace_sleepable_kfunc_ids)
+
+static const struct btf_kfunc_id_set bpf_trace_kfunc_set = {
+	.owner = THIS_MODULE,
+	.check_set = &bpf_trace_kfunc_ids,
+	.sleepable_set = &bpf_trace_sleepable_kfunc_ids,
+};
+
+static int __init bpf_trace_kfunc_init(void)
+{
+	int ret;
+
+	ret = register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING,
+					&bpf_trace_kfunc_set);
+	if (!ret)
+		return ret;
+
+	return register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM,
+					&bpf_trace_kfunc_set);
+
+}
+late_initcall(bpf_trace_kfunc_init);
+
 static const struct bpf_func_proto *
 bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
-- 
2.37.0.rc0.161.g10f37bed90-goog

[PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[KP Singh]

A simple test that adds an xattr on a copied /bin/ls and reads it back
when the copied ls is executed.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
 tools/testing/selftests/bpf/progs/xattr.c     | 37 +++++++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/xattr.c
 create mode 100644 tools/testing/selftests/bpf/progs/xattr.c

diff --git a/tools/testing/selftests/bpf/prog_tests/xattr.c b/tools/testing/selftests/bpf/prog_tests/xattr.c
new file mode 100644
index 000000000000..ef07fa8a1763
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/xattr.c
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright 2022 Google LLC.
+ */
+
+#include <test_progs.h>
+#include <sys/xattr.h>
+#include "xattr.skel.h"
+
+#define XATTR_NAME "security.bpf"
+#define XATTR_VALUE "test_progs"
+
+void test_xattr(void)
+{
+	struct xattr *skel = NULL;
+	char tmp_dir_path[] = "/tmp/xattrXXXXXX";
+	char tmp_exec_path[64];
+	char cmd[256];
+	int err;
+
+	if (CHECK_FAIL(!mkdtemp(tmp_dir_path)))
+		goto close_prog;
+
+	snprintf(tmp_exec_path, sizeof(tmp_exec_path), "%s/copy_of_ls",
+		 tmp_dir_path);
+	snprintf(cmd, sizeof(cmd), "cp /bin/ls %s", tmp_exec_path);
+	if (CHECK_FAIL(system(cmd)))
+		goto close_prog_rmdir;
+
+	if (CHECK_FAIL(setxattr(tmp_exec_path, XATTR_NAME, XATTR_VALUE,
+			   sizeof(XATTR_VALUE), 0)))
+		goto close_prog_rmdir;
+
+	skel = xattr__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "skel_load"))
+		goto close_prog_rmdir;
+
+	err = xattr__attach(skel);
+	if (!ASSERT_OK(err, "xattr__attach failed"))
+		goto close_prog_rmdir;
+
+	snprintf(cmd, sizeof(cmd), "%s -l", tmp_exec_path);
+	if (CHECK_FAIL(system(cmd)))
+		goto close_prog_rmdir;
+
+	ASSERT_EQ(skel->bss->result, 1, "xattr result");
+
+close_prog_rmdir:
+	snprintf(cmd, sizeof(cmd), "rm -rf %s", tmp_dir_path);
+	system(cmd);
+close_prog:
+	xattr__destroy(skel);
+}
diff --git a/tools/testing/selftests/bpf/progs/xattr.c b/tools/testing/selftests/bpf/progs/xattr.c
new file mode 100644
index 000000000000..ccc078fb8ebd
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/xattr.c
@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright 2022 Google LLC.
+ */
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+char _license[] SEC("license") = "GPL";
+
+#define XATTR_NAME "security.bpf"
+#define XATTR_VALUE "test_progs"
+
+__u64 result = 0;
+
+extern ssize_t bpf_getxattr(struct dentry *dentry, struct inode *inode,
+			    const char *name, void *value, int size) __ksym;
+
+SEC("lsm.s/bprm_committed_creds")
+void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
+{
+	struct task_struct *current = bpf_get_current_task_btf();
+	char dir_xattr_value[64] = {0};
+	int xattr_sz = 0;
+
+	xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
+				bprm->file->f_path.dentry->d_inode, XATTR_NAME,
+				dir_xattr_value, 64);
+
+	if (xattr_sz <= 0)
+		return;
+
+	if (!bpf_strncmp(dir_xattr_value, sizeof(XATTR_VALUE), XATTR_VALUE))
+		result = 1;
+}
-- 
2.37.0.rc0.161.g10f37bed90-goog

Re: [PATCH v5 bpf-next 0/5] Add bpf_getxattr

[Christian Brauner]

On Tue, Jun 28, 2022 at 04:19:43PM +0000, KP Singh wrote:
> v4 -> v5
> 
> - Fixes suggested by Andrii
> 
> v3 -> v4
> 
> - Fixed issue incorrect increment of arg counter
> - Removed __weak and noinline from kfunc definiton
> - Some other minor fixes.
> 
> v2 -> v3
> 
> - Fixed missing prototype error
> - Fixes suggested by other Joanne and Kumar.
> 
> v1 -> v2
> 
> - Used kfuncs as suggested by Alexei
> - Used Benjamin Tissoires' patch from the HID v4 series to add a
>   sleepable kfunc set (I sent the patch as a part of this series as it
>   seems to have been dropped from v5) and acked it. Hope this is okay.
> - Added support for verifying string constants to kfuncs

Hm, I mean this isn't really giving any explanation as to why you are
doing this. There's literally not a single sentence about the rationale?
Did you accidently forget to put that into the cover letter? :)

> 
> 
> 
> Benjamin Tissoires (1):
>   btf: Add a new kfunc set which allows to mark a function to be
>     sleepable
> 
> KP Singh (4):
>   bpf: kfunc support for ARG_PTR_TO_CONST_STR
>   bpf: Allow kfuncs to be used in LSM programs
>   bpf: Add a bpf_getxattr kfunc
>   bpf/selftests: Add a selftest for bpf_getxattr
> 
>  include/linux/bpf_verifier.h                  |  2 +
>  include/linux/btf.h                           |  2 +
>  kernel/bpf/btf.c                              | 43 ++++++++-
>  kernel/bpf/verifier.c                         | 89 +++++++++++--------
>  kernel/trace/bpf_trace.c                      | 42 +++++++++
>  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++
>  tools/testing/selftests/bpf/progs/xattr.c     | 37 ++++++++
>  7 files changed, 229 insertions(+), 40 deletions(-)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/xattr.c
>  create mode 100644 tools/testing/selftests/bpf/progs/xattr.c
> 
> -- 
> 2.37.0.rc0.161.g10f37bed90-goog
> 

Re: [PATCH v5 bpf-next 0/5] Add bpf_getxattr

[KP Singh]

On Tue, Jun 28, 2022 at 7:13 PM Christian Brauner <brauner@kernel.org> wrote:
>
> On Tue, Jun 28, 2022 at 04:19:43PM +0000, KP Singh wrote:
> > v4 -> v5
> >
> > - Fixes suggested by Andrii
> >
> > v3 -> v4
> >
> > - Fixed issue incorrect increment of arg counter
> > - Removed __weak and noinline from kfunc definiton
> > - Some other minor fixes.
> >
> > v2 -> v3
> >
> > - Fixed missing prototype error
> > - Fixes suggested by other Joanne and Kumar.
> >
> > v1 -> v2
> >
> > - Used kfuncs as suggested by Alexei
> > - Used Benjamin Tissoires' patch from the HID v4 series to add a
> >   sleepable kfunc set (I sent the patch as a part of this series as it
> >   seems to have been dropped from v5) and acked it. Hope this is okay.
> > - Added support for verifying string constants to kfuncs
>
> Hm, I mean this isn't really giving any explanation as to why you are
> doing this. There's literally not a single sentence about the rationale?
> Did you accidently forget to put that into the cover letter? :)


Yes, actually I did forget to copy paste :)

Foundation for building more complex security policies using the
BPF LSM as presented in LSF/MM/BPF:

http://vger.kernel.org/bpfconf2022_material/lsfmmbpf2022-xattr.pdf\

See: https://lore.kernel.org/bpf/20220624045636.3668195-1-kpsingh@kernel.org/


>
> >
> >
> >
> > Benjamin Tissoires (1):
> >   btf: Add a new kfunc set which allows to mark a function to be
> >     sleepable
> >
> > KP Singh (4):
> >   bpf: kfunc support for ARG_PTR_TO_CONST_STR
> >   bpf: Allow kfuncs to be used in LSM programs
> >   bpf: Add a bpf_getxattr kfunc
> >   bpf/selftests: Add a selftest for bpf_getxattr
> >
> >  include/linux/bpf_verifier.h                  |  2 +
> >  include/linux/btf.h                           |  2 +
> >  kernel/bpf/btf.c                              | 43 ++++++++-
> >  kernel/bpf/verifier.c                         | 89 +++++++++++--------
> >  kernel/trace/bpf_trace.c                      | 42 +++++++++
> >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++
> >  tools/testing/selftests/bpf/progs/xattr.c     | 37 ++++++++
> >  7 files changed, 229 insertions(+), 40 deletions(-)
> >  create mode 100644 tools/testing/selftests/bpf/prog_tests/xattr.c
> >  create mode 100644 tools/testing/selftests/bpf/progs/xattr.c
> >
> > --
> > 2.37.0.rc0.161.g10f37bed90-goog
> >

Re: [PATCH v5 bpf-next 0/5] Add bpf_getxattr

[KP Singh]

On Tue, Jun 28, 2022 at 7:20 PM KP Singh <kpsingh@kernel.org> wrote:
>
> On Tue, Jun 28, 2022 at 7:13 PM Christian Brauner <brauner@kernel.org> wrote:
> >
> > On Tue, Jun 28, 2022 at 04:19:43PM +0000, KP Singh wrote:
> > > v4 -> v5
> > >
> > > - Fixes suggested by Andrii
> > >
> > > v3 -> v4
> > >
> > > - Fixed issue incorrect increment of arg counter
> > > - Removed __weak and noinline from kfunc definiton
> > > - Some other minor fixes.
> > >
> > > v2 -> v3
> > >
> > > - Fixed missing prototype error
> > > - Fixes suggested by other Joanne and Kumar.
> > >
> > > v1 -> v2
> > >
> > > - Used kfuncs as suggested by Alexei
> > > - Used Benjamin Tissoires' patch from the HID v4 series to add a
> > >   sleepable kfunc set (I sent the patch as a part of this series as it
> > >   seems to have been dropped from v5) and acked it. Hope this is okay.
> > > - Added support for verifying string constants to kfuncs
> >
> > Hm, I mean this isn't really giving any explanation as to why you are
> > doing this. There's literally not a single sentence about the rationale?
> > Did you accidently forget to put that into the cover letter? :)
>
>
> Yes, actually I did forget to copy paste :)
>
> Foundation for building more complex security policies using the
> BPF LSM as presented in LSF/MM/BPF:
>
> http://vger.kernel.org/bpfconf2022_material/lsfmmbpf2022-xattr.pdf\

And my copy paste skills are getting worse (with the back-slash removed):

http://vger.kernel.org/bpfconf2022_material/lsfmmbpf2022-xattr.pdf

>
> See: https://lore.kernel.org/bpf/20220624045636.3668195-1-kpsingh@kernel.org/
>
>
> >
> > >
> > >
> > >
> > > Benjamin Tissoires (1):
> > >   btf: Add a new kfunc set which allows to mark a function to be
> > >     sleepable
> > >
> > > KP Singh (4):
> > >   bpf: kfunc support for ARG_PTR_TO_CONST_STR
> > >   bpf: Allow kfuncs to be used in LSM programs
> > >   bpf: Add a bpf_getxattr kfunc
> > >   bpf/selftests: Add a selftest for bpf_getxattr
> > >
> > >  include/linux/bpf_verifier.h                  |  2 +
> > >  include/linux/btf.h                           |  2 +
> > >  kernel/bpf/btf.c                              | 43 ++++++++-
> > >  kernel/bpf/verifier.c                         | 89 +++++++++++--------
> > >  kernel/trace/bpf_trace.c                      | 42 +++++++++
> > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++
> > >  tools/testing/selftests/bpf/progs/xattr.c     | 37 ++++++++
> > >  7 files changed, 229 insertions(+), 40 deletions(-)
> > >  create mode 100644 tools/testing/selftests/bpf/prog_tests/xattr.c
> > >  create mode 100644 tools/testing/selftests/bpf/progs/xattr.c
> > >
> > > --
> > > 2.37.0.rc0.161.g10f37bed90-goog
> > >

Re: [PATCH v5 bpf-next 4/5] bpf: Add a bpf_getxattr kfunc

[Christian Brauner]

On Tue, Jun 28, 2022 at 04:19:47PM +0000, KP Singh wrote:
> LSMs like SELinux store security state in xattrs. bpf_getxattr enables
> BPF LSM to implement similar functionality. In combination with
> bpf_local_storage, xattrs can be used to develop more complex security
> policies.
> 
> This kfunc wraps around __vfs_getxattr which can sleep and is,
> therefore, limited to sleepable programs using the newly added
> sleepable_set for kfuncs.
> 
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  kernel/trace/bpf_trace.c | 42 ++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 42 insertions(+)
> 
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 4be976cf7d63..87496d57b099 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -20,6 +20,7 @@
>  #include <linux/fprobe.h>
>  #include <linux/bsearch.h>
>  #include <linux/sort.h>
> +#include <linux/xattr.h>
>  
>  #include <net/bpf_sk_storage.h>
>  
> @@ -1181,6 +1182,47 @@ static const struct bpf_func_proto bpf_get_func_arg_cnt_proto = {
>  	.arg1_type	= ARG_PTR_TO_CTX,
>  };
>  
> +__diag_push();
> +__diag_ignore_all("-Wmissing-prototypes",
> +		  "kfuncs that are used in tracing/LSM BPF programs");
> +
> +ssize_t bpf_getxattr(struct dentry *dentry, struct inode *inode,
> +		     const char *name, void *value, int value__sz)
> +{
> +	return __vfs_getxattr(dentry, inode, name, value, value__sz);

So this might all be due to my ignorance where and how this is supposed
to be used but using __vfs_getxattr() is performing _zero_ permission
checks. That means every eBPF program will be able to retrieve whatever
extended attribute it likes.

In addition to generic permission checking your code also assumes that
every caller is located in the initial user namespace. Is that a valid
assumption?

POSIX ACLs can store additional [u,g]ids on disk that need to be
translated according to the caller's user namespace.

Looking at your selftest example you have a current task and you also
have access to a struct file which makes me doubt that this assumption
is correct. But I'm happy to be convinced otherwise.

Also, if the current task is retrieving extended attributes from an
idmapped mount you also need to take the mount's idmapping into account.
Otherwise again, you'll retrieve misleading [g,u]id values...

Could you explain to me why that is safe and how this is going to be
used, please? As it stands I can't make heads nor tails of this.

Re: [PATCH v5 bpf-next 4/5] bpf: Add a bpf_getxattr kfunc

[Al Viro]

On Tue, Jun 28, 2022 at 04:19:47PM +0000, KP Singh wrote:
> LSMs like SELinux store security state in xattrs. bpf_getxattr enables
> BPF LSM to implement similar functionality. In combination with
> bpf_local_storage, xattrs can be used to develop more complex security
> policies.
> 
> This kfunc wraps around __vfs_getxattr which can sleep and is,
> therefore, limited to sleepable programs using the newly added
> sleepable_set for kfuncs.

"Sleepable" is nowhere near enough - for a trivial example, consider
what e.g. ext2_xattr_get() does.
        down_read(&EXT2_I(inode)->xattr_sem);
in there means that having that thing executed in anything that happens
to hold ->xattr_sem is a deadlock fodder.

"Can't use that in BPF program executed in non-blocking context" is
*not* sufficient to make it safe.

Re: [PATCH v5 bpf-next 4/5] bpf: Add a bpf_getxattr kfunc

[KP Singh]

On Tue, Jun 28, 2022 at 7:23 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Tue, Jun 28, 2022 at 04:19:47PM +0000, KP Singh wrote:
> > LSMs like SELinux store security state in xattrs. bpf_getxattr enables
> > BPF LSM to implement similar functionality. In combination with
> > bpf_local_storage, xattrs can be used to develop more complex security
> > policies.
> >
> > This kfunc wraps around __vfs_getxattr which can sleep and is,
> > therefore, limited to sleepable programs using the newly added
> > sleepable_set for kfuncs.
>
> "Sleepable" is nowhere near enough - for a trivial example, consider
> what e.g. ext2_xattr_get() does.
>         down_read(&EXT2_I(inode)->xattr_sem);
> in there means that having that thing executed in anything that happens
> to hold ->xattr_sem is a deadlock fodder.
>

We could limit this to sleepable LSM hooks:

https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/kernel/bpf/bpf_lsm.c#n169

and when we have abilities to tag
kernel functions and pointers with the work Yonghong did
(e.g. https://reviews.llvm.org/D113496) we can expand the set.


> "Can't use that in BPF program executed in non-blocking context" is
> *not* sufficient to make it safe.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Christian Brauner]

On Tue, Jun 28, 2022 at 04:19:48PM +0000, KP Singh wrote:
> A simple test that adds an xattr on a copied /bin/ls and reads it back
> when the copied ls is executed.
> 
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
>  tools/testing/selftests/bpf/progs/xattr.c     | 37 +++++++++++++
>  2 files changed, 91 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/xattr.c
>  create mode 100644 tools/testing/selftests/bpf/progs/xattr.c
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/xattr.c b/tools/testing/selftests/bpf/prog_tests/xattr.c
> new file mode 100644
> index 000000000000..ef07fa8a1763
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/xattr.c
> @@ -0,0 +1,54 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +/*
> + * Copyright 2022 Google LLC.
> + */
> +
> +#include <test_progs.h>
> +#include <sys/xattr.h>
> +#include "xattr.skel.h"
> +
> +#define XATTR_NAME "security.bpf"
> +#define XATTR_VALUE "test_progs"
> +
> +void test_xattr(void)
> +{
> +	struct xattr *skel = NULL;
> +	char tmp_dir_path[] = "/tmp/xattrXXXXXX";
> +	char tmp_exec_path[64];
> +	char cmd[256];
> +	int err;
> +
> +	if (CHECK_FAIL(!mkdtemp(tmp_dir_path)))
> +		goto close_prog;
> +
> +	snprintf(tmp_exec_path, sizeof(tmp_exec_path), "%s/copy_of_ls",
> +		 tmp_dir_path);
> +	snprintf(cmd, sizeof(cmd), "cp /bin/ls %s", tmp_exec_path);
> +	if (CHECK_FAIL(system(cmd)))
> +		goto close_prog_rmdir;
> +
> +	if (CHECK_FAIL(setxattr(tmp_exec_path, XATTR_NAME, XATTR_VALUE,
> +			   sizeof(XATTR_VALUE), 0)))
> +		goto close_prog_rmdir;
> +
> +	skel = xattr__open_and_load();
> +	if (!ASSERT_OK_PTR(skel, "skel_load"))
> +		goto close_prog_rmdir;
> +
> +	err = xattr__attach(skel);
> +	if (!ASSERT_OK(err, "xattr__attach failed"))
> +		goto close_prog_rmdir;
> +
> +	snprintf(cmd, sizeof(cmd), "%s -l", tmp_exec_path);
> +	if (CHECK_FAIL(system(cmd)))
> +		goto close_prog_rmdir;
> +
> +	ASSERT_EQ(skel->bss->result, 1, "xattr result");
> +
> +close_prog_rmdir:
> +	snprintf(cmd, sizeof(cmd), "rm -rf %s", tmp_dir_path);
> +	system(cmd);
> +close_prog:
> +	xattr__destroy(skel);
> +}
> diff --git a/tools/testing/selftests/bpf/progs/xattr.c b/tools/testing/selftests/bpf/progs/xattr.c
> new file mode 100644
> index 000000000000..ccc078fb8ebd
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/xattr.c
> @@ -0,0 +1,37 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +/*
> + * Copyright 2022 Google LLC.
> + */
> +
> +#include "vmlinux.h"
> +#include <bpf/bpf_helpers.h>
> +#include <bpf/bpf_tracing.h>
> +
> +char _license[] SEC("license") = "GPL";
> +
> +#define XATTR_NAME "security.bpf"
> +#define XATTR_VALUE "test_progs"
> +
> +__u64 result = 0;
> +
> +extern ssize_t bpf_getxattr(struct dentry *dentry, struct inode *inode,
> +			    const char *name, void *value, int size) __ksym;
> +
> +SEC("lsm.s/bprm_committed_creds")
> +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> +{
> +	struct task_struct *current = bpf_get_current_task_btf();
> +	char dir_xattr_value[64] = {0};
> +	int xattr_sz = 0;
> +
> +	xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> +				bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> +				dir_xattr_value, 64);

Yeah, this isn't right. You're not accounting for the caller's userns
nor for the idmapped mount. If this is supposed to work you will need a
variant of vfs_getxattr() that takes the mount's idmapping into account
afaict. See what needs to happen after do_getxattr().

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[KP Singh]

On Tue, Jun 28, 2022 at 7:33 PM Christian Brauner <brauner@kernel.org> wrote:
>
> On Tue, Jun 28, 2022 at 04:19:48PM +0000, KP Singh wrote:
> > A simple test that adds an xattr on a copied /bin/ls and reads it back
> > when the copied ls is executed.
> >
> > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > ---
> >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++

[...]

> > +SEC("lsm.s/bprm_committed_creds")
> > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > +{
> > +     struct task_struct *current = bpf_get_current_task_btf();
> > +     char dir_xattr_value[64] = {0};
> > +     int xattr_sz = 0;
> > +
> > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > +                             dir_xattr_value, 64);
>
> Yeah, this isn't right. You're not accounting for the caller's userns
> nor for the idmapped mount. If this is supposed to work you will need a
> variant of vfs_getxattr() that takes the mount's idmapping into account
> afaict. See what needs to happen after do_getxattr().

Thanks for taking a look.

So, If I understand correctly, we don't need xattr_permission (and
other checks in
vfs_getxattr) here as the BPF programs run as CAP_SYS_ADMIN.

but...

So, Is this bit what's missing then?

error = vfs_getxattr(mnt_userns, d, kname, ctx->kvalue, ctx->size);
if (error > 0) {
    if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
(strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
        posix_acl_fix_xattr_to_user(mnt_userns, d_inode(d),
            ctx->kvalue, error);
    if (ctx->size && copy_to_user(ctx->value, ctx->kvalue, error))
        error = -EFAULT;
}
else if (error == -ERANGE && ctx->size >= XATTR_SIZE_MAX) {
    /* The file system tried to returned a value bigger
than XATTR_SIZE_MAX bytes. Not possible. */
    error = -E2BIG;
}

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Alexei Starovoitov]

On Tue, Jun 28, 2022 at 10:52 AM KP Singh <kpsingh@kernel.org> wrote:
>
> On Tue, Jun 28, 2022 at 7:33 PM Christian Brauner <brauner@kernel.org> wrote:
> >
> > On Tue, Jun 28, 2022 at 04:19:48PM +0000, KP Singh wrote:
> > > A simple test that adds an xattr on a copied /bin/ls and reads it back
> > > when the copied ls is executed.
> > >
> > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > ---
> > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
>
> [...]
>
> > > +SEC("lsm.s/bprm_committed_creds")
> > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > +{
> > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > +     char dir_xattr_value[64] = {0};
> > > +     int xattr_sz = 0;
> > > +
> > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > +                             dir_xattr_value, 64);
> >
> > Yeah, this isn't right. You're not accounting for the caller's userns
> > nor for the idmapped mount. If this is supposed to work you will need a
> > variant of vfs_getxattr() that takes the mount's idmapping into account
> > afaict. See what needs to happen after do_getxattr().
>
> Thanks for taking a look.
>
> So, If I understand correctly, we don't need xattr_permission (and
> other checks in
> vfs_getxattr) here as the BPF programs run as CAP_SYS_ADMIN.
>
> but...
>
> So, Is this bit what's missing then?
>
> error = vfs_getxattr(mnt_userns, d, kname, ctx->kvalue, ctx->size);
> if (error > 0) {
>     if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
> (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
>         posix_acl_fix_xattr_to_user(mnt_userns, d_inode(d),
>             ctx->kvalue, error);

That will not be correct.
posix_acl_fix_xattr_to_user checking current_user_ns()
is checking random tasks that happen to be running
when lsm hook got invoked.

KP,
we probably have to document clearly that neither 'current*'
should not be used here.
xattr_permission also makes little sense in this context.
If anything it can be a different kfunc if there is a use case,
but I don't see it yet.
bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
call it directly. It's the kernel that is doing its security thing.

Re: [PATCH v5 bpf-next 0/5] Add bpf_getxattr

[Dave Chinner]

On Tue, Jun 28, 2022 at 07:21:42PM +0200, KP Singh wrote:
> On Tue, Jun 28, 2022 at 7:20 PM KP Singh <kpsingh@kernel.org> wrote:
> > On Tue, Jun 28, 2022 at 7:13 PM Christian Brauner <brauner@kernel.org> wrote:
> > > On Tue, Jun 28, 2022 at 04:19:43PM +0000, KP Singh wrote:
> > > > v4 -> v5
> > > >
> > > > - Fixes suggested by Andrii
> > > >
> > > > v3 -> v4
> > > >
> > > > - Fixed issue incorrect increment of arg counter
> > > > - Removed __weak and noinline from kfunc definiton
> > > > - Some other minor fixes.
> > > >
> > > > v2 -> v3
> > > >
> > > > - Fixed missing prototype error
> > > > - Fixes suggested by other Joanne and Kumar.
> > > >
> > > > v1 -> v2
> > > >
> > > > - Used kfuncs as suggested by Alexei
> > > > - Used Benjamin Tissoires' patch from the HID v4 series to add a
> > > >   sleepable kfunc set (I sent the patch as a part of this series as it
> > > >   seems to have been dropped from v5) and acked it. Hope this is okay.
> > > > - Added support for verifying string constants to kfuncs
> > >
> > > Hm, I mean this isn't really giving any explanation as to why you are
> > > doing this. There's literally not a single sentence about the rationale?
> > > Did you accidently forget to put that into the cover letter? :)
> >
> >
> > Yes, actually I did forget to copy paste :)
> >
> > Foundation for building more complex security policies using the
> > BPF LSM as presented in LSF/MM/BPF:
> >
> > http://vger.kernel.org/bpfconf2022_material/lsfmmbpf2022-xattr.pdf\
> 
> And my copy paste skills are getting worse (with the back-slash removed):
> 
> http://vger.kernel.org/bpfconf2022_material/lsfmmbpf2022-xattr.pdf

There's literally zero information in that link, so I still have no
clue on what this does and how it interacts with filesystem xattr
code.

So for those of us who have zero clue as to what you are trying to
do, please write a cover letter containing a non-zero amount of
information.  i.e.  a description of the problem, the threat model
being addressed, the design of the infrastructure that needs this
hook, document assumptions that have been made (e.g. for
accessing inode metadata atomically from random bpf contexts), what
xattr namespace(s) this hook should belong/be constrained to,
whether you're going to ask for a setxattr hook next, etc.

At minimum this is going to need a bunch of documentation for people
to understand how to use this - where can I find that?

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com

Re: [PATCH v5 bpf-next 0/5] Add bpf_getxattr

[KP Singh]

On Wed, Jun 29, 2022 at 3:36 AM Dave Chinner <david@fromorbit.com> wrote:
>
> On Tue, Jun 28, 2022 at 07:21:42PM +0200, KP Singh wrote:
> > On Tue, Jun 28, 2022 at 7:20 PM KP Singh <kpsingh@kernel.org> wrote:
> > > On Tue, Jun 28, 2022 at 7:13 PM Christian Brauner <brauner@kernel.org> wrote:
> > > > On Tue, Jun 28, 2022 at 04:19:43PM +0000, KP Singh wrote:
> > > > > v4 -> v5
> > > > >
> > > > > - Fixes suggested by Andrii
> > > > >
> > > > > v3 -> v4
> > > > >
> > > > > - Fixed issue incorrect increment of arg counter
> > > > > - Removed __weak and noinline from kfunc definiton
> > > > > - Some other minor fixes.
> > > > >
> > > > > v2 -> v3
> > > > >
> > > > > - Fixed missing prototype error
> > > > > - Fixes suggested by other Joanne and Kumar.
> > > > >
> > > > > v1 -> v2
> > > > >
> > > > > - Used kfuncs as suggested by Alexei
> > > > > - Used Benjamin Tissoires' patch from the HID v4 series to add a
> > > > >   sleepable kfunc set (I sent the patch as a part of this series as it
> > > > >   seems to have been dropped from v5) and acked it. Hope this is okay.
> > > > > - Added support for verifying string constants to kfuncs
> > > >
> > > > Hm, I mean this isn't really giving any explanation as to why you are
> > > > doing this. There's literally not a single sentence about the rationale?
> > > > Did you accidently forget to put that into the cover letter? :)
> > >
> > >
> > > Yes, actually I did forget to copy paste :)
> > >
> > > Foundation for building more complex security policies using the
> > > BPF LSM as presented in LSF/MM/BPF:
> > >
> > > http://vger.kernel.org/bpfconf2022_material/lsfmmbpf2022-xattr.pdf\
> >
> > And my copy paste skills are getting worse (with the back-slash removed):
> >
> > http://vger.kernel.org/bpfconf2022_material/lsfmmbpf2022-xattr.pdf
>
> There's literally zero information in that link, so I still have no
> clue on what this does and how it interacts with filesystem xattr
> code.

This is literally a wrapper around __vfs_getxattr which is an exported
symbol. So, the interaction with the xattr code is the same as
__vfs_getxattr interacts currently.

ssize_t bpf_getxattr(struct dentry *dentry, struct inode *inode,
const char *name, void *value, int value__sz)
{
return __vfs_getxattr(dentry, inode, name, value, value__sz);
}

The reason for the wrapper is that the BPF verifier offers
extra checks on the arguments passed.

https://lore.kernel.org/bpf/20210325015240.1550074-1-kafai@fb.com/T/

has more information on the kfunc support.

>
> So for those of us who have zero clue as to what you are trying to
> do, please write a cover letter containing a non-zero amount of
> information.  i.e.  a description of the problem, the threat model
> being addressed, the design of the infrastructure that needs this
> hook, document assumptions that have been made (e.g. for
> accessing inode metadata atomically from random bpf contexts), what

The intention is to use this in BPF programs which can only be loaded
with CAP_SYS_ADMIN.
We are currently planning on limiting the usage of this kfunc
to the sleepable LSM hooks listed here:

https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/kernel/bpf/bpf_lsm.c#n169

> xattr namespace(s) this hook should belong/be constrained to,
> whether you're going to ask for a setxattr hook next, etc.

Fair point, I will resend the series with the details.

>
> At minimum this is going to need a bunch of documentation for people
> to understand how to use this - where can I find that?

There are a bunch of examples in selftests on how to use kfuncs in BPF
and we added a selftests (there is a simple selftests added with this patch
too).

As to how we will use xattrs to create security policies or use this
functionality for
logging, this is work in progress.

Cheers,
- KP

>
> Cheers,
>
> Dave.
> --
> Dave Chinner
> david@fromorbit.com

Re: [PATCH v5 bpf-next 0/5] Add bpf_getxattr

[KP Singh]

On Wed, Jun 29, 2022 at 4:00 AM KP Singh <kpsingh@kernel.org> wrote:
>
> On Wed, Jun 29, 2022 at 3:36 AM Dave Chinner <david@fromorbit.com> wrote:
> >
> > On Tue, Jun 28, 2022 at 07:21:42PM +0200, KP Singh wrote:
> > > On Tue, Jun 28, 2022 at 7:20 PM KP Singh <kpsingh@kernel.org> wrote:
> > > > On Tue, Jun 28, 2022 at 7:13 PM Christian Brauner <brauner@kernel.org> wrote:
> > > > > On Tue, Jun 28, 2022 at 04:19:43PM +0000, KP Singh wrote:
> > > > > > v4 -> v5
> > > > > >
> > > > > > - Fixes suggested by Andrii
> > > > > >
> > > > > > v3 -> v4
> > > > > >
> > > > > > - Fixed issue incorrect increment of arg counter
> > > > > > - Removed __weak and noinline from kfunc definiton
> > > > > > - Some other minor fixes.
> > > > > >
> > > > > > v2 -> v3
> > > > > >
> > > > > > - Fixed missing prototype error
> > > > > > - Fixes suggested by other Joanne and Kumar.
> > > > > >
> > > > > > v1 -> v2
> > > > > >
> > > > > > - Used kfuncs as suggested by Alexei
> > > > > > - Used Benjamin Tissoires' patch from the HID v4 series to add a
> > > > > >   sleepable kfunc set (I sent the patch as a part of this series as it
> > > > > >   seems to have been dropped from v5) and acked it. Hope this is okay.
> > > > > > - Added support for verifying string constants to kfuncs
> > > > >
> > > > > Hm, I mean this isn't really giving any explanation as to why you are
> > > > > doing this. There's literally not a single sentence about the rationale?
> > > > > Did you accidently forget to put that into the cover letter? :)
> > > >
> > > >
> > > > Yes, actually I did forget to copy paste :)
> > > >
> > > > Foundation for building more complex security policies using the
> > > > BPF LSM as presented in LSF/MM/BPF:
> > > >
> > > > http://vger.kernel.org/bpfconf2022_material/lsfmmbpf2022-xattr.pdf\
> > >
> > > And my copy paste skills are getting worse (with the back-slash removed):
> > >
> > > http://vger.kernel.org/bpfconf2022_material/lsfmmbpf2022-xattr.pdf
> >
> > There's literally zero information in that link, so I still have no
> > clue on what this does and how it interacts with filesystem xattr
> > code.
>
> This is literally a wrapper around __vfs_getxattr which is an exported
> symbol. So, the interaction with the xattr code is the same as
> __vfs_getxattr interacts currently.
>
> ssize_t bpf_getxattr(struct dentry *dentry, struct inode *inode,
> const char *name, void *value, int value__sz)
> {
> return __vfs_getxattr(dentry, inode, name, value, value__sz);
> }
>
> The reason for the wrapper is that the BPF verifier offers
> extra checks on the arguments passed.
>
> https://lore.kernel.org/bpf/20210325015240.1550074-1-kafai@fb.com/T/
>
> has more information on the kfunc support.
>
> >
> > So for those of us who have zero clue as to what you are trying to
> > do, please write a cover letter containing a non-zero amount of
> > information.  i.e.  a description of the problem, the threat model
> > being addressed, the design of the infrastructure that needs this
> > hook, document assumptions that have been made (e.g. for
> > accessing inode metadata atomically from random bpf contexts), what
>
> The intention is to use this in BPF programs which can only be loaded
> with CAP_SYS_ADMIN.
> We are currently planning on limiting the usage of this kfunc
> to the sleepable LSM hooks listed here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/kernel/bpf/bpf_lsm.c#n169
>
> > xattr namespace(s) this hook should belong/be constrained to,
> > whether you're going to ask for a setxattr hook next, etc.
>
> Fair point, I will resend the series with the details.
>
> >
> > At minimum this is going to need a bunch of documentation for people
> > to understand how to use this - where can I find that?
>
> There are a bunch of examples in selftests on how to use kfuncs in BPF
> and we added a selftests (there is a simple selftests added with this patch
> too).
>
> As to how we will use xattrs to create security policies or use this
> functionality for
> logging, this is work in progress.

In any case, I will update the cover letter with some use-cases
we ideated over in LSF/MM/BPF in the next version.

- KP

>
> Cheers,
> - KP
>
> >
> > Cheers,
> >
> > Dave.
> > --
> > Dave Chinner
> > david@fromorbit.com

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Christian Brauner]

On Tue, Jun 28, 2022 at 03:28:42PM -0700, Alexei Starovoitov wrote:
> On Tue, Jun 28, 2022 at 10:52 AM KP Singh <kpsingh@kernel.org> wrote:
> >
> > On Tue, Jun 28, 2022 at 7:33 PM Christian Brauner <brauner@kernel.org> wrote:
> > >
> > > On Tue, Jun 28, 2022 at 04:19:48PM +0000, KP Singh wrote:
> > > > A simple test that adds an xattr on a copied /bin/ls and reads it back
> > > > when the copied ls is executed.
> > > >
> > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > ---
> > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> >
> > [...]
> >
> > > > +SEC("lsm.s/bprm_committed_creds")
> > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > +{
> > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > +     char dir_xattr_value[64] = {0};
> > > > +     int xattr_sz = 0;
> > > > +
> > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > +                             dir_xattr_value, 64);
> > >
> > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > nor for the idmapped mount. If this is supposed to work you will need a
> > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > afaict. See what needs to happen after do_getxattr().
> >
> > Thanks for taking a look.
> >
> > So, If I understand correctly, we don't need xattr_permission (and
> > other checks in
> > vfs_getxattr) here as the BPF programs run as CAP_SYS_ADMIN.
> >
> > but...
> >
> > So, Is this bit what's missing then?
> >
> > error = vfs_getxattr(mnt_userns, d, kname, ctx->kvalue, ctx->size);
> > if (error > 0) {
> >     if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
> > (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
> >         posix_acl_fix_xattr_to_user(mnt_userns, d_inode(d),
> >             ctx->kvalue, error);
> 
> That will not be correct.
> posix_acl_fix_xattr_to_user checking current_user_ns()
> is checking random tasks that happen to be running
> when lsm hook got invoked.
> 
> KP,
> we probably have to document clearly that neither 'current*'
> should not be used here.
> xattr_permission also makes little sense in this context.
> If anything it can be a different kfunc if there is a use case,
> but I don't see it yet.
> bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> call it directly. It's the kernel that is doing its security thing.

Right, but LSMs usually only retrieve their own xattr namespace (ima,
selinux, smack) or they calculate hashes for xattrs based on the raw
filesystem xattr values (evm).

But this new bpf_getxattr() is different. It allows to retrieve _any_
xattr in any security hook it can be attached to. So someone can write a
bpf program that retrieves filesystem capabilites or posix acls. And
these are xattrs that require higher-level vfs involvement to be
sensible in most contexts.

So looking at:

SEC("lsm.s/bprm_committed_creds")
void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
{
	struct task_struct *current = bpf_get_current_task_btf();
	char dir_xattr_value[64] = {0};
	int xattr_sz = 0;

	xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
				bprm->file->f_path.dentry->d_inode, XATTR_NAME,
				dir_xattr_value, 64);

	if (xattr_sz <= 0)
		return;

	if (!bpf_strncmp(dir_xattr_value, sizeof(XATTR_VALUE), XATTR_VALUE))
		result = 1;
}

This hooks a bpf-lsm program to the security_bprm_committed_creds()
hook. It then retrieves the extended attributes of the file to be
executed. The hook currently always retrieves the raw filesystem values.

But for example any XATTR_NAME_CAPS filesystem capabilities that
might've been stored will be taken into account during exec. And both
the idmapping of the mount and the caller matter when determing whether
they are used or not.

But the current implementation of bpf_getxattr() just ignores both. It
will always retrieve the raw filesystem values. So if one invokes this
hook they're not actually retrieving the values as they are seen by
fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
some use-cases it might very well become a security issue in others if
access decisions are always based on the raw values.

I'm not well-versed in this so bear with me, please.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Christian Brauner]

On Wed, Jun 29, 2022 at 10:11:19AM +0200, Christian Brauner wrote:
> On Tue, Jun 28, 2022 at 03:28:42PM -0700, Alexei Starovoitov wrote:
> > On Tue, Jun 28, 2022 at 10:52 AM KP Singh <kpsingh@kernel.org> wrote:
> > >
> > > On Tue, Jun 28, 2022 at 7:33 PM Christian Brauner <brauner@kernel.org> wrote:
> > > >
> > > > On Tue, Jun 28, 2022 at 04:19:48PM +0000, KP Singh wrote:
> > > > > A simple test that adds an xattr on a copied /bin/ls and reads it back
> > > > > when the copied ls is executed.
> > > > >
> > > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > > ---
> > > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > >
> > > [...]
> > >
> > > > > +SEC("lsm.s/bprm_committed_creds")
> > > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > +{
> > > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > > +     char dir_xattr_value[64] = {0};
> > > > > +     int xattr_sz = 0;
> > > > > +
> > > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > > +                             dir_xattr_value, 64);
> > > >
> > > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > > nor for the idmapped mount. If this is supposed to work you will need a
> > > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > > afaict. See what needs to happen after do_getxattr().
> > >
> > > Thanks for taking a look.
> > >
> > > So, If I understand correctly, we don't need xattr_permission (and
> > > other checks in
> > > vfs_getxattr) here as the BPF programs run as CAP_SYS_ADMIN.
> > >
> > > but...
> > >
> > > So, Is this bit what's missing then?
> > >
> > > error = vfs_getxattr(mnt_userns, d, kname, ctx->kvalue, ctx->size);
> > > if (error > 0) {
> > >     if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
> > > (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
> > >         posix_acl_fix_xattr_to_user(mnt_userns, d_inode(d),
> > >             ctx->kvalue, error);
> > 
> > That will not be correct.
> > posix_acl_fix_xattr_to_user checking current_user_ns()
> > is checking random tasks that happen to be running
> > when lsm hook got invoked.
> > 
> > KP,
> > we probably have to document clearly that neither 'current*'
> > should not be used here.
> > xattr_permission also makes little sense in this context.
> > If anything it can be a different kfunc if there is a use case,
> > but I don't see it yet.
> > bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > call it directly. It's the kernel that is doing its security thing.
> 
> Right, but LSMs usually only retrieve their own xattr namespace (ima,
> selinux, smack) or they calculate hashes for xattrs based on the raw
> filesystem xattr values (evm).
> 
> But this new bpf_getxattr() is different. It allows to retrieve _any_
> xattr in any security hook it can be attached to. So someone can write a
> bpf program that retrieves filesystem capabilites or posix acls. And
> these are xattrs that require higher-level vfs involvement to be
> sensible in most contexts.
> 
> So looking at:
> 
> SEC("lsm.s/bprm_committed_creds")
> void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> {
> 	struct task_struct *current = bpf_get_current_task_btf();
> 	char dir_xattr_value[64] = {0};
> 	int xattr_sz = 0;
> 
> 	xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> 				bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> 				dir_xattr_value, 64);
> 
> 	if (xattr_sz <= 0)
> 		return;
> 
> 	if (!bpf_strncmp(dir_xattr_value, sizeof(XATTR_VALUE), XATTR_VALUE))
> 		result = 1;
> }
> 
> This hooks a bpf-lsm program to the security_bprm_committed_creds()
> hook. It then retrieves the extended attributes of the file to be
> executed. The hook currently always retrieves the raw filesystem values.
> 
> But for example any XATTR_NAME_CAPS filesystem capabilities that
> might've been stored will be taken into account during exec. And both
> the idmapping of the mount and the caller matter when determing whether
> they are used or not.
> 
> But the current implementation of bpf_getxattr() just ignores both. It
> will always retrieve the raw filesystem values. So if one invokes this
> hook they're not actually retrieving the values as they are seen by
> fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> some use-cases it might very well become a security issue in others if
> access decisions are always based on the raw values.
> 
> I'm not well-versed in this so bear with me, please.

If this is really just about retrieving the "security.bpf" xattr and no
other xattr then the bpf_getxattr() variant should somehow hard-code
that to ensure that no other xattrs can be retrieved, imho.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Alexei Starovoitov]

On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
>
> On Wed, Jun 29, 2022 at 10:11:19AM +0200, Christian Brauner wrote:
> > On Tue, Jun 28, 2022 at 03:28:42PM -0700, Alexei Starovoitov wrote:
> > > On Tue, Jun 28, 2022 at 10:52 AM KP Singh <kpsingh@kernel.org> wrote:
> > > >
> > > > On Tue, Jun 28, 2022 at 7:33 PM Christian Brauner <brauner@kernel.org> wrote:
> > > > >
> > > > > On Tue, Jun 28, 2022 at 04:19:48PM +0000, KP Singh wrote:
> > > > > > A simple test that adds an xattr on a copied /bin/ls and reads it back
> > > > > > when the copied ls is executed.
> > > > > >
> > > > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > > > ---
> > > > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > > >
> > > > [...]
> > > >
> > > > > > +SEC("lsm.s/bprm_committed_creds")
> > > > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > > +{
> > > > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > > > +     char dir_xattr_value[64] = {0};
> > > > > > +     int xattr_sz = 0;
> > > > > > +
> > > > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > > > +                             dir_xattr_value, 64);
> > > > >
> > > > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > > > nor for the idmapped mount. If this is supposed to work you will need a
> > > > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > > > afaict. See what needs to happen after do_getxattr().
> > > >
> > > > Thanks for taking a look.
> > > >
> > > > So, If I understand correctly, we don't need xattr_permission (and
> > > > other checks in
> > > > vfs_getxattr) here as the BPF programs run as CAP_SYS_ADMIN.
> > > >
> > > > but...
> > > >
> > > > So, Is this bit what's missing then?
> > > >
> > > > error = vfs_getxattr(mnt_userns, d, kname, ctx->kvalue, ctx->size);
> > > > if (error > 0) {
> > > >     if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
> > > > (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
> > > >         posix_acl_fix_xattr_to_user(mnt_userns, d_inode(d),
> > > >             ctx->kvalue, error);
> > >
> > > That will not be correct.
> > > posix_acl_fix_xattr_to_user checking current_user_ns()
> > > is checking random tasks that happen to be running
> > > when lsm hook got invoked.
> > >
> > > KP,
> > > we probably have to document clearly that neither 'current*'
> > > should not be used here.
> > > xattr_permission also makes little sense in this context.
> > > If anything it can be a different kfunc if there is a use case,
> > > but I don't see it yet.
> > > bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > > call it directly. It's the kernel that is doing its security thing.
> >
> > Right, but LSMs usually only retrieve their own xattr namespace (ima,
> > selinux, smack) or they calculate hashes for xattrs based on the raw
> > filesystem xattr values (evm).
> >
> > But this new bpf_getxattr() is different. It allows to retrieve _any_
> > xattr in any security hook it can be attached to. So someone can write a
> > bpf program that retrieves filesystem capabilites or posix acls. And
> > these are xattrs that require higher-level vfs involvement to be
> > sensible in most contexts.
> >
> > So looking at:
> >
> > SEC("lsm.s/bprm_committed_creds")
> > void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > {
> >       struct task_struct *current = bpf_get_current_task_btf();
> >       char dir_xattr_value[64] = {0};
> >       int xattr_sz = 0;
> >
> >       xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >                               bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> >                               dir_xattr_value, 64);
> >
> >       if (xattr_sz <= 0)
> >               return;
> >
> >       if (!bpf_strncmp(dir_xattr_value, sizeof(XATTR_VALUE), XATTR_VALUE))
> >               result = 1;
> > }
> >
> > This hooks a bpf-lsm program to the security_bprm_committed_creds()
> > hook. It then retrieves the extended attributes of the file to be
> > executed. The hook currently always retrieves the raw filesystem values.
> >
> > But for example any XATTR_NAME_CAPS filesystem capabilities that
> > might've been stored will be taken into account during exec. And both
> > the idmapping of the mount and the caller matter when determing whether
> > they are used or not.
> >
> > But the current implementation of bpf_getxattr() just ignores both. It
> > will always retrieve the raw filesystem values. So if one invokes this
> > hook they're not actually retrieving the values as they are seen by
> > fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> > some use-cases it might very well become a security issue in others if
> > access decisions are always based on the raw values.
> >
> > I'm not well-versed in this so bear with me, please.
>
> If this is really just about retrieving the "security.bpf" xattr and no
> other xattr then the bpf_getxattr() variant should somehow hard-code
> that to ensure that no other xattrs can be retrieved, imho.

All of these restrictions look very artificial to me.
Especially the part "might very well become a security issue"
just doesn't click.
We're talking about bpf-lsm progs here that implement security.
Can somebody implement a poor bpf-lsm that doesn't enforce
any actual security? Sure. It's a code.
No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
in the existing LSMs like selinux.
No one complains about its usage in out of tree LSMs.
Is that a security issue? Of course not.
__vfs_getxattr is a kernel mechanism that LSMs use to implement
the security features they need.
__vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
with a big difference that it's EXPORT_SYMBOL_GPL.
BPF land doesn't have an equivalent of non-gpl export and is not going
to get one.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Christian Brauner]

On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
> >
> > On Wed, Jun 29, 2022 at 10:11:19AM +0200, Christian Brauner wrote:
> > > On Tue, Jun 28, 2022 at 03:28:42PM -0700, Alexei Starovoitov wrote:
> > > > On Tue, Jun 28, 2022 at 10:52 AM KP Singh <kpsingh@kernel.org> wrote:
> > > > >
> > > > > On Tue, Jun 28, 2022 at 7:33 PM Christian Brauner <brauner@kernel.org> wrote:
> > > > > >
> > > > > > On Tue, Jun 28, 2022 at 04:19:48PM +0000, KP Singh wrote:
> > > > > > > A simple test that adds an xattr on a copied /bin/ls and reads it back
> > > > > > > when the copied ls is executed.
> > > > > > >
> > > > > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > > > > ---
> > > > > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > > > >
> > > > > [...]
> > > > >
> > > > > > > +SEC("lsm.s/bprm_committed_creds")
> > > > > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > > > +{
> > > > > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > > > > +     char dir_xattr_value[64] = {0};
> > > > > > > +     int xattr_sz = 0;
> > > > > > > +
> > > > > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > > > > +                             dir_xattr_value, 64);
> > > > > >
> > > > > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > > > > nor for the idmapped mount. If this is supposed to work you will need a
> > > > > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > > > > afaict. See what needs to happen after do_getxattr().
> > > > >
> > > > > Thanks for taking a look.
> > > > >
> > > > > So, If I understand correctly, we don't need xattr_permission (and
> > > > > other checks in
> > > > > vfs_getxattr) here as the BPF programs run as CAP_SYS_ADMIN.
> > > > >
> > > > > but...
> > > > >
> > > > > So, Is this bit what's missing then?
> > > > >
> > > > > error = vfs_getxattr(mnt_userns, d, kname, ctx->kvalue, ctx->size);
> > > > > if (error > 0) {
> > > > >     if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
> > > > > (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
> > > > >         posix_acl_fix_xattr_to_user(mnt_userns, d_inode(d),
> > > > >             ctx->kvalue, error);
> > > >
> > > > That will not be correct.
> > > > posix_acl_fix_xattr_to_user checking current_user_ns()
> > > > is checking random tasks that happen to be running
> > > > when lsm hook got invoked.
> > > >
> > > > KP,
> > > > we probably have to document clearly that neither 'current*'
> > > > should not be used here.
> > > > xattr_permission also makes little sense in this context.
> > > > If anything it can be a different kfunc if there is a use case,
> > > > but I don't see it yet.
> > > > bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > > > call it directly. It's the kernel that is doing its security thing.
> > >
> > > Right, but LSMs usually only retrieve their own xattr namespace (ima,
> > > selinux, smack) or they calculate hashes for xattrs based on the raw
> > > filesystem xattr values (evm).
> > >
> > > But this new bpf_getxattr() is different. It allows to retrieve _any_
> > > xattr in any security hook it can be attached to. So someone can write a
> > > bpf program that retrieves filesystem capabilites or posix acls. And
> > > these are xattrs that require higher-level vfs involvement to be
> > > sensible in most contexts.
> > >
> > > So looking at:
> > >
> > > SEC("lsm.s/bprm_committed_creds")
> > > void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > {
> > >       struct task_struct *current = bpf_get_current_task_btf();
> > >       char dir_xattr_value[64] = {0};
> > >       int xattr_sz = 0;
> > >
> > >       xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > >                               bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > >                               dir_xattr_value, 64);
> > >
> > >       if (xattr_sz <= 0)
> > >               return;
> > >
> > >       if (!bpf_strncmp(dir_xattr_value, sizeof(XATTR_VALUE), XATTR_VALUE))
> > >               result = 1;
> > > }
> > >
> > > This hooks a bpf-lsm program to the security_bprm_committed_creds()
> > > hook. It then retrieves the extended attributes of the file to be
> > > executed. The hook currently always retrieves the raw filesystem values.
> > >
> > > But for example any XATTR_NAME_CAPS filesystem capabilities that
> > > might've been stored will be taken into account during exec. And both
> > > the idmapping of the mount and the caller matter when determing whether
> > > they are used or not.
> > >
> > > But the current implementation of bpf_getxattr() just ignores both. It
> > > will always retrieve the raw filesystem values. So if one invokes this
> > > hook they're not actually retrieving the values as they are seen by
> > > fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> > > some use-cases it might very well become a security issue in others if
> > > access decisions are always based on the raw values.
> > >
> > > I'm not well-versed in this so bear with me, please.
> >
> > If this is really just about retrieving the "security.bpf" xattr and no
> > other xattr then the bpf_getxattr() variant should somehow hard-code
> > that to ensure that no other xattrs can be retrieved, imho.
> 
> All of these restrictions look very artificial to me.
> Especially the part "might very well become a security issue"
> just doesn't click.
> We're talking about bpf-lsm progs here that implement security.
> Can somebody implement a poor bpf-lsm that doesn't enforce
> any actual security? Sure. It's a code.

The point is that with the current implementation of bpf_getxattr() you
are able to retrieve any xattrs and we have way less control over a
bpf-lsm program than we do over selinux which a simple git grep
__vfs_getxattr() is all we need.

The thing is that with bpf_getxattr() as it stands it is currently
impossible to retrieve xattr values - specifically filesystem
capabilities and posix acls - and see them exactly like the code you're
trying to supervise is. And that seems very strange from a security
perspective. So if someone were to write

SEC("lsm.s/bprm_creds_from_file")
void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
{
	struct task_struct *current = bpf_get_current_task_btf();

	xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
				bprm->file->f_path.dentry->d_inode,
				XATTR_NAME_POSIX_ACL_ACCESS, ..);
	// or
	xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
				bprm->file->f_path.dentry->d_inode,
				XATTR_NAME_CAPS, ..);

}

they'd get the raw nscaps and the raw xattrs back. But now, as just a
tiny example, the nscaps->rootuid and the ->e_id fields in the posix
ACLs make zero sense in this context.

And what's more there's no way for the bpf-lsm program to turn them into
something that makes sense in the context of the hook they are retrieved
in. It lacks all the necessary helpers to do so afaict.

> No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> in the existing LSMs like selinux.

Selinux only cares about its own xattr namespace. It doesn't retrieve
fscaps or posix acls and it's not possible to write selinux programs
that do so. With the bpf-lsm that's very much possible.

And if we'd notice selinux would start retrieving random xattrs we'd ask
the same questions we do here.

> No one complains about its usage in out of tree LSMs.
> Is that a security issue? Of course not.
> __vfs_getxattr is a kernel mechanism that LSMs use to implement
> the security features they need.
> __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
> with a big difference that it's EXPORT_SYMBOL_GPL.
> BPF land doesn't have an equivalent of non-gpl export and is not going
> to get one.

This discussion would probably be a lot shorter if this series were sent
with a proper explanation of how this supposed to work and what it's
used for.

A series without a cover letter and no detailed explanation in the
commit messages makes it quite hard to understand whether what is asked
can be acked or not.

I'm just adding Serge and Casey to double-check here as the LSM stuff is
more up their alley. I can just look at this from the perspective of a
vfs person.

If you have your eBPF meeting thing I'm also happy to jump on there next
week to get more context.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[KP Singh]

On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
>
> On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> > On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:

[...]

> > > > > > > >
> > > > > > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > > > > > ---
> > > > > > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > > > > >
> > > > > > [...]
> > > > > >
> > > > > > > > +SEC("lsm.s/bprm_committed_creds")
> > > > > > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > > > > +{
> > > > > > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > > > > > +     char dir_xattr_value[64] = {0};
> > > > > > > > +     int xattr_sz = 0;
> > > > > > > > +
> > > > > > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > > > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > > > > > +                             dir_xattr_value, 64);
> > > > > > >
> > > > > > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > > > > > nor for the idmapped mount. If this is supposed to work you will need a
> > > > > > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > > > > > afaict. See what needs to happen after do_getxattr().
> > > > > >
> > > > > > Thanks for taking a look.
> > > > > >

[...]

> > > > >
> > > > > That will not be correct.
> > > > > posix_acl_fix_xattr_to_user checking current_user_ns()
> > > > > is checking random tasks that happen to be running
> > > > > when lsm hook got invoked.
> > > > >
> > > > > KP,
> > > > > we probably have to document clearly that neither 'current*'
> > > > > should not be used here.
> > > > > xattr_permission also makes little sense in this context.
> > > > > If anything it can be a different kfunc if there is a use case,
> > > > > but I don't see it yet.
> > > > > bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > > > > call it directly. It's the kernel that is doing its security thing.
> > > >
> > > > Right, but LSMs usually only retrieve their own xattr namespace (ima,
> > > > selinux, smack) or they calculate hashes for xattrs based on the raw
> > > > filesystem xattr values (evm).
> > > >
> > > > But this new bpf_getxattr() is different. It allows to retrieve _any_
> > > > xattr in any security hook it can be attached to. So someone can write a
> > > > bpf program that retrieves filesystem capabilites or posix acls. And
> > > > these are xattrs that require higher-level vfs involvement to be
> > > > sensible in most contexts.
> > > >

[...]

> > > >
> > > > This hooks a bpf-lsm program to the security_bprm_committed_creds()
> > > > hook. It then retrieves the extended attributes of the file to be
> > > > executed. The hook currently always retrieves the raw filesystem values.
> > > >
> > > > But for example any XATTR_NAME_CAPS filesystem capabilities that
> > > > might've been stored will be taken into account during exec. And both
> > > > the idmapping of the mount and the caller matter when determing whether
> > > > they are used or not.
> > > >
> > > > But the current implementation of bpf_getxattr() just ignores both. It
> > > > will always retrieve the raw filesystem values. So if one invokes this
> > > > hook they're not actually retrieving the values as they are seen by
> > > > fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> > > > some use-cases it might very well become a security issue in others if
> > > > access decisions are always based on the raw values.
> > > >
> > > > I'm not well-versed in this so bear with me, please.
> > >
> > > If this is really just about retrieving the "security.bpf" xattr and no
> > > other xattr then the bpf_getxattr() variant should somehow hard-code
> > > that to ensure that no other xattrs can be retrieved, imho.
> >
> > All of these restrictions look very artificial to me.
> > Especially the part "might very well become a security issue"
> > just doesn't click.
> > We're talking about bpf-lsm progs here that implement security.
> > Can somebody implement a poor bpf-lsm that doesn't enforce
> > any actual security? Sure. It's a code.
>
> The point is that with the current implementation of bpf_getxattr() you
> are able to retrieve any xattrs and we have way less control over a
> bpf-lsm program than we do over selinux which a simple git grep
> __vfs_getxattr() is all we need.
>
> The thing is that with bpf_getxattr() as it stands it is currently
> impossible to retrieve xattr values - specifically filesystem
> capabilities and posix acls - and see them exactly like the code you're
> trying to supervise is. And that seems very strange from a security
> perspective. So if someone were to write
>
> SEC("lsm.s/bprm_creds_from_file")
> void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> {
>         struct task_struct *current = bpf_get_current_task_btf();
>
>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
>                                 bprm->file->f_path.dentry->d_inode,
>                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
>         // or
>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
>                                 bprm->file->f_path.dentry->d_inode,
>                                 XATTR_NAME_CAPS, ..);
>
> }
>
> they'd get the raw nscaps and the raw xattrs back. But now, as just a
> tiny example, the nscaps->rootuid and the ->e_id fields in the posix
> ACLs make zero sense in this context.
>
> And what's more there's no way for the bpf-lsm program to turn them into
> something that makes sense in the context of the hook they are retrieved
> in. It lacks all the necessary helpers to do so afaict.
>
> > No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> > in the existing LSMs like selinux.
>
> Selinux only cares about its own xattr namespace. It doesn't retrieve
> fscaps or posix acls and it's not possible to write selinux programs
> that do so. With the bpf-lsm that's very much possible.
>
> And if we'd notice selinux would start retrieving random xattrs we'd ask
> the same questions we do here.
>
> > No one complains about its usage in out of tree LSMs.
> > Is that a security issue? Of course not.
> > __vfs_getxattr is a kernel mechanism that LSMs use to implement
> > the security features they need.
> > __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
> > with a big difference that it's EXPORT_SYMBOL_GPL.
> > BPF land doesn't have an equivalent of non-gpl export and is not going
> > to get one.

I want to reiterate what Alexei is saying here:

*Please* consider this as a simple wrapper around __vfs_getxattr
with a limited attach surface and extra verification checks and
and nothing else.

What you are saying is __vfs_getxattr does not make sense in some
contexts. But kernel modules can still use it right?

The user is implementing an LSM, if they chose to do things that don't make
sense, then they can surely cause a lot more harm:

SEC("lsm/bprm_check_security")
int BPF_PROG(bprm_check, struct linux_binprm *bprm)
{
     return -EPERM;
}

>
> This discussion would probably be a lot shorter if this series were sent
> with a proper explanation of how this supposed to work and what it's
> used for.

It's currently scoped to BPF LSM (albeit limited to LSM for now)
but it won't just be used in LSM programs but some (allow-listed)
tracing programs too.

We want to leave the flexibility to the implementer of the LSM hooks. If the
implementer choses to retrieve posix_acl_* we can also expose
posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
but that would be a separate kfunc (and a separate use-case).

>
> A series without a cover letter and no detailed explanation in the
> commit messages makes it quite hard to understand whether what is asked
> can be acked or not.

As I mentioned in

https://lore.kernel.org/bpf/CACYkzJ70uqVJr5EnM0i03Lu+zkuSsXOXcOLQoUS6HZPqH=skpQ@mail.gmail.com/T/#m74f32bae800a97d5c2caf08cee4199d3ba48d76c

I will resend with a cover letter that has more details.

>
> I'm just adding Serge and Casey to double-check here as the LSM stuff is
> more up their alley. I can just look at this from the perspective of a
> vfs person.
>
> If you have your eBPF meeting thing I'm also happy to jump on there next

Sure, we can discuss this during BPF office hours next week.


> week to get more context.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[KP Singh]

On Thu, Jun 30, 2022 at 2:21 PM KP Singh <kpsingh@kernel.org> wrote:
>
> On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
> >
> > On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> > > On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
>
> [...]
>
> > > > > > > > >
> > > > > > > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > > > > > > ---
> > > > > > > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > > > > > >
> > > > > > > [...]
> > > > > > >
> > > > > > > > > +SEC("lsm.s/bprm_committed_creds")
> > > > > > > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > > > > > +{
> > > > > > > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > > > > > > +     char dir_xattr_value[64] = {0};
> > > > > > > > > +     int xattr_sz = 0;
> > > > > > > > > +
> > > > > > > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > > > > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > > > > > > +                             dir_xattr_value, 64);
> > > > > > > >
> > > > > > > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > > > > > > nor for the idmapped mount. If this is supposed to work you will need a
> > > > > > > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > > > > > > afaict. See what needs to happen after do_getxattr().
> > > > > > >
> > > > > > > Thanks for taking a look.
> > > > > > >
>
> [...]
>
> > > > > >
> > > > > > That will not be correct.
> > > > > > posix_acl_fix_xattr_to_user checking current_user_ns()
> > > > > > is checking random tasks that happen to be running
> > > > > > when lsm hook got invoked.
> > > > > >
> > > > > > KP,
> > > > > > we probably have to document clearly that neither 'current*'
> > > > > > should not be used here.
> > > > > > xattr_permission also makes little sense in this context.
> > > > > > If anything it can be a different kfunc if there is a use case,
> > > > > > but I don't see it yet.
> > > > > > bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > > > > > call it directly. It's the kernel that is doing its security thing.
> > > > >
> > > > > Right, but LSMs usually only retrieve their own xattr namespace (ima,
> > > > > selinux, smack) or they calculate hashes for xattrs based on the raw
> > > > > filesystem xattr values (evm).
> > > > >
> > > > > But this new bpf_getxattr() is different. It allows to retrieve _any_
> > > > > xattr in any security hook it can be attached to. So someone can write a
> > > > > bpf program that retrieves filesystem capabilites or posix acls. And
> > > > > these are xattrs that require higher-level vfs involvement to be
> > > > > sensible in most contexts.
> > > > >
>
> [...]
>
> > > > >
> > > > > This hooks a bpf-lsm program to the security_bprm_committed_creds()
> > > > > hook. It then retrieves the extended attributes of the file to be
> > > > > executed. The hook currently always retrieves the raw filesystem values.
> > > > >
> > > > > But for example any XATTR_NAME_CAPS filesystem capabilities that
> > > > > might've been stored will be taken into account during exec. And both
> > > > > the idmapping of the mount and the caller matter when determing whether
> > > > > they are used or not.
> > > > >
> > > > > But the current implementation of bpf_getxattr() just ignores both. It
> > > > > will always retrieve the raw filesystem values. So if one invokes this
> > > > > hook they're not actually retrieving the values as they are seen by
> > > > > fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> > > > > some use-cases it might very well become a security issue in others if
> > > > > access decisions are always based on the raw values.
> > > > >
> > > > > I'm not well-versed in this so bear with me, please.
> > > >
> > > > If this is really just about retrieving the "security.bpf" xattr and no
> > > > other xattr then the bpf_getxattr() variant should somehow hard-code
> > > > that to ensure that no other xattrs can be retrieved, imho.
> > >
> > > All of these restrictions look very artificial to me.
> > > Especially the part "might very well become a security issue"
> > > just doesn't click.
> > > We're talking about bpf-lsm progs here that implement security.
> > > Can somebody implement a poor bpf-lsm that doesn't enforce
> > > any actual security? Sure. It's a code.
> >
> > The point is that with the current implementation of bpf_getxattr() you
> > are able to retrieve any xattrs and we have way less control over a
> > bpf-lsm program than we do over selinux which a simple git grep
> > __vfs_getxattr() is all we need.
> >
> > The thing is that with bpf_getxattr() as it stands it is currently
> > impossible to retrieve xattr values - specifically filesystem
> > capabilities and posix acls - and see them exactly like the code you're
> > trying to supervise is. And that seems very strange from a security
> > perspective. So if someone were to write
> >
> > SEC("lsm.s/bprm_creds_from_file")
> > void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > {
> >         struct task_struct *current = bpf_get_current_task_btf();
> >
> >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >                                 bprm->file->f_path.dentry->d_inode,
> >                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
> >         // or
> >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >                                 bprm->file->f_path.dentry->d_inode,
> >                                 XATTR_NAME_CAPS, ..);
> >
> > }
> >
> > they'd get the raw nscaps and the raw xattrs back. But now, as just a
> > tiny example, the nscaps->rootuid and the ->e_id fields in the posix
> > ACLs make zero sense in this context.
> >
> > And what's more there's no way for the bpf-lsm program to turn them into
> > something that makes sense in the context of the hook they are retrieved
> > in. It lacks all the necessary helpers to do so afaict.
> >
> > > No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> > > in the existing LSMs like selinux.
> >
> > Selinux only cares about its own xattr namespace. It doesn't retrieve
> > fscaps or posix acls and it's not possible to write selinux programs
> > that do so. With the bpf-lsm that's very much possible.
> >
> > And if we'd notice selinux would start retrieving random xattrs we'd ask
> > the same questions we do here.
> >
> > > No one complains about its usage in out of tree LSMs.
> > > Is that a security issue? Of course not.
> > > __vfs_getxattr is a kernel mechanism that LSMs use to implement
> > > the security features they need.
> > > __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL

Alexei, should we consider renaming it to bpf__vfs_getxattr to emphasize the
fact that this is just a simple wrapper around __vfs_getxattr?

> > > with a big difference that it's EXPORT_SYMBOL_GPL.
> > > BPF land doesn't have an equivalent of non-gpl export and is not going
> > > to get one.
>
> I want to reiterate what Alexei is saying here:
>
> *Please* consider this as a simple wrapper around __vfs_getxattr
> with a limited attach surface and extra verification checks and
> and nothing else.
>
> What you are saying is __vfs_getxattr does not make sense in some
> contexts. But kernel modules can still use it right?
>
> The user is implementing an LSM, if they chose to do things that don't make
> sense, then they can surely cause a lot more harm:
>
> SEC("lsm/bprm_check_security")
> int BPF_PROG(bprm_check, struct linux_binprm *bprm)
> {
>      return -EPERM;
> }
>
> >
> > This discussion would probably be a lot shorter if this series were sent
> > with a proper explanation of how this supposed to work and what it's
> > used for.
>
> It's currently scoped to BPF LSM (albeit limited to LSM for now)
> but it won't just be used in LSM programs but some (allow-listed)
> tracing programs too.
>
> We want to leave the flexibility to the implementer of the LSM hooks. If the
> implementer choses to retrieve posix_acl_* we can also expose
> posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
> but that would be a separate kfunc (and a separate use-case).
>
> >
> > A series without a cover letter and no detailed explanation in the
> > commit messages makes it quite hard to understand whether what is asked
> > can be acked or not.
>
> As I mentioned in
>
> https://lore.kernel.org/bpf/CACYkzJ70uqVJr5EnM0i03Lu+zkuSsXOXcOLQoUS6HZPqH=skpQ@mail.gmail.com/T/#m74f32bae800a97d5c2caf08cee4199d3ba48d76c
>
> I will resend with a cover letter that has more details.
>
> >
> > I'm just adding Serge and Casey to double-check here as the LSM stuff is
> > more up their alley. I can just look at this from the perspective of a
> > vfs person.
> >
> > If you have your eBPF meeting thing I'm also happy to jump on there next
>
> Sure, we can discuss this during BPF office hours next week.
>
>
> > week to get more context.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Christian Brauner]

On Thu, Jun 30, 2022 at 02:21:56PM +0200, KP Singh wrote:
> On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
> >
> > On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> > > On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
> 
> [...]
> 
> > > > > > > > >
> > > > > > > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > > > > > > ---
> > > > > > > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > > > > > >
> > > > > > > [...]
> > > > > > >
> > > > > > > > > +SEC("lsm.s/bprm_committed_creds")
> > > > > > > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > > > > > +{
> > > > > > > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > > > > > > +     char dir_xattr_value[64] = {0};
> > > > > > > > > +     int xattr_sz = 0;
> > > > > > > > > +
> > > > > > > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > > > > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > > > > > > +                             dir_xattr_value, 64);
> > > > > > > >
> > > > > > > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > > > > > > nor for the idmapped mount. If this is supposed to work you will need a
> > > > > > > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > > > > > > afaict. See what needs to happen after do_getxattr().
> > > > > > >
> > > > > > > Thanks for taking a look.
> > > > > > >
> 
> [...]
> 
> > > > > >
> > > > > > That will not be correct.
> > > > > > posix_acl_fix_xattr_to_user checking current_user_ns()
> > > > > > is checking random tasks that happen to be running
> > > > > > when lsm hook got invoked.
> > > > > >
> > > > > > KP,
> > > > > > we probably have to document clearly that neither 'current*'
> > > > > > should not be used here.
> > > > > > xattr_permission also makes little sense in this context.
> > > > > > If anything it can be a different kfunc if there is a use case,
> > > > > > but I don't see it yet.
> > > > > > bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > > > > > call it directly. It's the kernel that is doing its security thing.
> > > > >
> > > > > Right, but LSMs usually only retrieve their own xattr namespace (ima,
> > > > > selinux, smack) or they calculate hashes for xattrs based on the raw
> > > > > filesystem xattr values (evm).
> > > > >
> > > > > But this new bpf_getxattr() is different. It allows to retrieve _any_
> > > > > xattr in any security hook it can be attached to. So someone can write a
> > > > > bpf program that retrieves filesystem capabilites or posix acls. And
> > > > > these are xattrs that require higher-level vfs involvement to be
> > > > > sensible in most contexts.
> > > > >
> 
> [...]
> 
> > > > >
> > > > > This hooks a bpf-lsm program to the security_bprm_committed_creds()
> > > > > hook. It then retrieves the extended attributes of the file to be
> > > > > executed. The hook currently always retrieves the raw filesystem values.
> > > > >
> > > > > But for example any XATTR_NAME_CAPS filesystem capabilities that
> > > > > might've been stored will be taken into account during exec. And both
> > > > > the idmapping of the mount and the caller matter when determing whether
> > > > > they are used or not.
> > > > >
> > > > > But the current implementation of bpf_getxattr() just ignores both. It
> > > > > will always retrieve the raw filesystem values. So if one invokes this
> > > > > hook they're not actually retrieving the values as they are seen by
> > > > > fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> > > > > some use-cases it might very well become a security issue in others if
> > > > > access decisions are always based on the raw values.
> > > > >
> > > > > I'm not well-versed in this so bear with me, please.
> > > >
> > > > If this is really just about retrieving the "security.bpf" xattr and no
> > > > other xattr then the bpf_getxattr() variant should somehow hard-code
> > > > that to ensure that no other xattrs can be retrieved, imho.
> > >
> > > All of these restrictions look very artificial to me.
> > > Especially the part "might very well become a security issue"
> > > just doesn't click.
> > > We're talking about bpf-lsm progs here that implement security.
> > > Can somebody implement a poor bpf-lsm that doesn't enforce
> > > any actual security? Sure. It's a code.
> >
> > The point is that with the current implementation of bpf_getxattr() you
> > are able to retrieve any xattrs and we have way less control over a
> > bpf-lsm program than we do over selinux which a simple git grep
> > __vfs_getxattr() is all we need.
> >
> > The thing is that with bpf_getxattr() as it stands it is currently
> > impossible to retrieve xattr values - specifically filesystem
> > capabilities and posix acls - and see them exactly like the code you're
> > trying to supervise is. And that seems very strange from a security
> > perspective. So if someone were to write
> >
> > SEC("lsm.s/bprm_creds_from_file")
> > void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > {
> >         struct task_struct *current = bpf_get_current_task_btf();
> >
> >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >                                 bprm->file->f_path.dentry->d_inode,
> >                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
> >         // or
> >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >                                 bprm->file->f_path.dentry->d_inode,
> >                                 XATTR_NAME_CAPS, ..);
> >
> > }
> >
> > they'd get the raw nscaps and the raw xattrs back. But now, as just a
> > tiny example, the nscaps->rootuid and the ->e_id fields in the posix
> > ACLs make zero sense in this context.
> >
> > And what's more there's no way for the bpf-lsm program to turn them into
> > something that makes sense in the context of the hook they are retrieved
> > in. It lacks all the necessary helpers to do so afaict.
> >
> > > No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> > > in the existing LSMs like selinux.
> >
> > Selinux only cares about its own xattr namespace. It doesn't retrieve
> > fscaps or posix acls and it's not possible to write selinux programs
> > that do so. With the bpf-lsm that's very much possible.
> >
> > And if we'd notice selinux would start retrieving random xattrs we'd ask
> > the same questions we do here.
> >
> > > No one complains about its usage in out of tree LSMs.
> > > Is that a security issue? Of course not.
> > > __vfs_getxattr is a kernel mechanism that LSMs use to implement
> > > the security features they need.
> > > __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
> > > with a big difference that it's EXPORT_SYMBOL_GPL.
> > > BPF land doesn't have an equivalent of non-gpl export and is not going
> > > to get one.
> 
> I want to reiterate what Alexei is saying here:
> 
> *Please* consider this as a simple wrapper around __vfs_getxattr
> with a limited attach surface and extra verification checks and
> and nothing else.
> 
> What you are saying is __vfs_getxattr does not make sense in some
> contexts. But kernel modules can still use it right?
> 
> The user is implementing an LSM, if they chose to do things that don't make
> sense, then they can surely cause a lot more harm:
> 
> SEC("lsm/bprm_check_security")
> int BPF_PROG(bprm_check, struct linux_binprm *bprm)
> {
>      return -EPERM;
> }
> 
> >
> > This discussion would probably be a lot shorter if this series were sent
> > with a proper explanation of how this supposed to work and what it's
> > used for.
> 
> It's currently scoped to BPF LSM (albeit limited to LSM for now)
> but it won't just be used in LSM programs but some (allow-listed)
> tracing programs too.
> 
> We want to leave the flexibility to the implementer of the LSM hooks. If the
> implementer choses to retrieve posix_acl_* we can also expose
> posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
> but that would be a separate kfunc (and a separate use-case).

No, sorry. That's what I feared and that's why I think this low-level
exposure of __vfs_getxattr() is wrong:
The posix_acl_fix_xattr_*() helpers, as well as the helpers like
get_file_caps() will not be exported. We're not going to export that
deeply internal vfs machinery. So I would NACK that. If you want that -
and that's what I'm saying here - you need to encapsulate this into your
vfs_*xattr() helper that you can call from your kfuncs.

> 
> >
> > A series without a cover letter and no detailed explanation in the
> > commit messages makes it quite hard to understand whether what is asked
> > can be acked or not.
> 
> As I mentioned in
> 
> https://lore.kernel.org/bpf/CACYkzJ70uqVJr5EnM0i03Lu+zkuSsXOXcOLQoUS6HZPqH=skpQ@mail.gmail.com/T/#m74f32bae800a97d5c2caf08cee4199d3ba48d76c
> 
> I will resend with a cover letter that has more details.

Thank you!

> 
> >
> > I'm just adding Serge and Casey to double-check here as the LSM stuff is
> > more up their alley. I can just look at this from the perspective of a
> > vfs person.
> >
> > If you have your eBPF meeting thing I'm also happy to jump on there next
> 
> Sure, we can discuss this during BPF office hours next week.

Sounds good.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[KP Singh]

On Thu, Jun 30, 2022 at 3:26 PM Christian Brauner <brauner@kernel.org> wrote:
>
> On Thu, Jun 30, 2022 at 02:21:56PM +0200, KP Singh wrote:
> > On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
> > >
> > > On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> > > > On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
> >
> > [...]
> >
> > > > > > > > > >
> > > > > > > > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > > > > > > > ---
> > > > > > > > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > > > > > > >
> > > > > > > > [...]
> > > > > > > >
> > > > > > > > > > +SEC("lsm.s/bprm_committed_creds")
> > > > > > > > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > > > > > > +{
> > > > > > > > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > > > > > > > +     char dir_xattr_value[64] = {0};
> > > > > > > > > > +     int xattr_sz = 0;
> > > > > > > > > > +
> > > > > > > > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > > > > > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > > > > > > > +                             dir_xattr_value, 64);
> > > > > > > > >
> > > > > > > > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > > > > > > > nor for the idmapped mount. If this is supposed to work you will need a
> > > > > > > > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > > > > > > > afaict. See what needs to happen after do_getxattr().
> > > > > > > >
> > > > > > > > Thanks for taking a look.
> > > > > > > >
> >
> > [...]
> >
> > > > > > >
> > > > > > > That will not be correct.
> > > > > > > posix_acl_fix_xattr_to_user checking current_user_ns()
> > > > > > > is checking random tasks that happen to be running
> > > > > > > when lsm hook got invoked.
> > > > > > >
> > > > > > > KP,
> > > > > > > we probably have to document clearly that neither 'current*'
> > > > > > > should not be used here.
> > > > > > > xattr_permission also makes little sense in this context.
> > > > > > > If anything it can be a different kfunc if there is a use case,
> > > > > > > but I don't see it yet.
> > > > > > > bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > > > > > > call it directly. It's the kernel that is doing its security thing.
> > > > > >
> > > > > > Right, but LSMs usually only retrieve their own xattr namespace (ima,
> > > > > > selinux, smack) or they calculate hashes for xattrs based on the raw
> > > > > > filesystem xattr values (evm).
> > > > > >
> > > > > > But this new bpf_getxattr() is different. It allows to retrieve _any_
> > > > > > xattr in any security hook it can be attached to. So someone can write a
> > > > > > bpf program that retrieves filesystem capabilites or posix acls. And
> > > > > > these are xattrs that require higher-level vfs involvement to be
> > > > > > sensible in most contexts.
> > > > > >
> >
> > [...]
> >
> > > > > >
> > > > > > This hooks a bpf-lsm program to the security_bprm_committed_creds()
> > > > > > hook. It then retrieves the extended attributes of the file to be
> > > > > > executed. The hook currently always retrieves the raw filesystem values.
> > > > > >
> > > > > > But for example any XATTR_NAME_CAPS filesystem capabilities that
> > > > > > might've been stored will be taken into account during exec. And both
> > > > > > the idmapping of the mount and the caller matter when determing whether
> > > > > > they are used or not.
> > > > > >
> > > > > > But the current implementation of bpf_getxattr() just ignores both. It
> > > > > > will always retrieve the raw filesystem values. So if one invokes this
> > > > > > hook they're not actually retrieving the values as they are seen by
> > > > > > fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> > > > > > some use-cases it might very well become a security issue in others if
> > > > > > access decisions are always based on the raw values.
> > > > > >
> > > > > > I'm not well-versed in this so bear with me, please.
> > > > >
> > > > > If this is really just about retrieving the "security.bpf" xattr and no
> > > > > other xattr then the bpf_getxattr() variant should somehow hard-code
> > > > > that to ensure that no other xattrs can be retrieved, imho.
> > > >
> > > > All of these restrictions look very artificial to me.
> > > > Especially the part "might very well become a security issue"
> > > > just doesn't click.
> > > > We're talking about bpf-lsm progs here that implement security.
> > > > Can somebody implement a poor bpf-lsm that doesn't enforce
> > > > any actual security? Sure. It's a code.
> > >
> > > The point is that with the current implementation of bpf_getxattr() you
> > > are able to retrieve any xattrs and we have way less control over a
> > > bpf-lsm program than we do over selinux which a simple git grep
> > > __vfs_getxattr() is all we need.
> > >
> > > The thing is that with bpf_getxattr() as it stands it is currently
> > > impossible to retrieve xattr values - specifically filesystem
> > > capabilities and posix acls - and see them exactly like the code you're
> > > trying to supervise is. And that seems very strange from a security
> > > perspective. So if someone were to write
> > >
> > > SEC("lsm.s/bprm_creds_from_file")
> > > void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > {
> > >         struct task_struct *current = bpf_get_current_task_btf();
> > >
> > >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > >                                 bprm->file->f_path.dentry->d_inode,
> > >                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
> > >         // or
> > >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > >                                 bprm->file->f_path.dentry->d_inode,
> > >                                 XATTR_NAME_CAPS, ..);
> > >
> > > }
> > >
> > > they'd get the raw nscaps and the raw xattrs back. But now, as just a
> > > tiny example, the nscaps->rootuid and the ->e_id fields in the posix
> > > ACLs make zero sense in this context.
> > >
> > > And what's more there's no way for the bpf-lsm program to turn them into
> > > something that makes sense in the context of the hook they are retrieved
> > > in. It lacks all the necessary helpers to do so afaict.
> > >
> > > > No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> > > > in the existing LSMs like selinux.
> > >
> > > Selinux only cares about its own xattr namespace. It doesn't retrieve
> > > fscaps or posix acls and it's not possible to write selinux programs
> > > that do so. With the bpf-lsm that's very much possible.
> > >
> > > And if we'd notice selinux would start retrieving random xattrs we'd ask
> > > the same questions we do here.
> > >
> > > > No one complains about its usage in out of tree LSMs.
> > > > Is that a security issue? Of course not.
> > > > __vfs_getxattr is a kernel mechanism that LSMs use to implement
> > > > the security features they need.
> > > > __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
> > > > with a big difference that it's EXPORT_SYMBOL_GPL.
> > > > BPF land doesn't have an equivalent of non-gpl export and is not going
> > > > to get one.
> >
> > I want to reiterate what Alexei is saying here:
> >
> > *Please* consider this as a simple wrapper around __vfs_getxattr
> > with a limited attach surface and extra verification checks and
> > and nothing else.
> >
> > What you are saying is __vfs_getxattr does not make sense in some
> > contexts. But kernel modules can still use it right?
> >
> > The user is implementing an LSM, if they chose to do things that don't make
> > sense, then they can surely cause a lot more harm:
> >
> > SEC("lsm/bprm_check_security")
> > int BPF_PROG(bprm_check, struct linux_binprm *bprm)
> > {
> >      return -EPERM;
> > }
> >
> > >
> > > This discussion would probably be a lot shorter if this series were sent
> > > with a proper explanation of how this supposed to work and what it's
> > > used for.
> >
> > It's currently scoped to BPF LSM (albeit limited to LSM for now)
> > but it won't just be used in LSM programs but some (allow-listed)
> > tracing programs too.
> >
> > We want to leave the flexibility to the implementer of the LSM hooks. If the
> > implementer choses to retrieve posix_acl_* we can also expose
> > posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
> > but that would be a separate kfunc (and a separate use-case).
>
> No, sorry. That's what I feared and that's why I think this low-level
> exposure of __vfs_getxattr() is wrong:
> The posix_acl_fix_xattr_*() helpers, as well as the helpers like
> get_file_caps() will not be exported. We're not going to export that

I don't want to expose them and I don't want any others to be
exposed either.

> deeply internal vfs machinery. So I would NACK that. If you want that -
> and that's what I'm saying here - you need to encapsulate this into your
> vfs_*xattr() helper that you can call from your kfuncs.

It seems like __vfs_getxattr is already exposed and does the wrong thing in
some contexts, why can't we just "fix" __vfs_getxattr then?


- KP

>
> >
> > >
> > > A series without a cover letter and no detailed explanation in the
> > > commit messages makes it quite hard to understand whether what is asked
> > > can be acked or not.
> >
> > As I mentioned in
> >
> > https://lore.kernel.org/bpf/CACYkzJ70uqVJr5EnM0i03Lu+zkuSsXOXcOLQoUS6HZPqH=skpQ@mail.gmail.com/T/#m74f32bae800a97d5c2caf08cee4199d3ba48d76c
> >
> > I will resend with a cover letter that has more details.
>
> Thank you!
>
> >
> > >
> > > I'm just adding Serge and Casey to double-check here as the LSM stuff is
> > > more up their alley. I can just look at this from the perspective of a
> > > vfs person.
> > >
> > > If you have your eBPF meeting thing I'm also happy to jump on there next
> >
> > Sure, we can discuss this during BPF office hours next week.
>
> Sounds good.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Christian Brauner]

On Thu, Jun 30, 2022 at 03:29:53PM +0200, KP Singh wrote:
> On Thu, Jun 30, 2022 at 3:26 PM Christian Brauner <brauner@kernel.org> wrote:
> >
> > On Thu, Jun 30, 2022 at 02:21:56PM +0200, KP Singh wrote:
> > > On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
> > > >
> > > > On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> > > > > On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
> > >
> > > [...]
> > >
> > > > > > > > > > >
> > > > > > > > > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > > > > > > > > ---
> > > > > > > > > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > > > > > > > >
> > > > > > > > > [...]
> > > > > > > > >
> > > > > > > > > > > +SEC("lsm.s/bprm_committed_creds")
> > > > > > > > > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > > > > > > > +{
> > > > > > > > > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > > > > > > > > +     char dir_xattr_value[64] = {0};
> > > > > > > > > > > +     int xattr_sz = 0;
> > > > > > > > > > > +
> > > > > > > > > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > > > > > > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > > > > > > > > +                             dir_xattr_value, 64);
> > > > > > > > > >
> > > > > > > > > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > > > > > > > > nor for the idmapped mount. If this is supposed to work you will need a
> > > > > > > > > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > > > > > > > > afaict. See what needs to happen after do_getxattr().
> > > > > > > > >
> > > > > > > > > Thanks for taking a look.
> > > > > > > > >
> > >
> > > [...]
> > >
> > > > > > > >
> > > > > > > > That will not be correct.
> > > > > > > > posix_acl_fix_xattr_to_user checking current_user_ns()
> > > > > > > > is checking random tasks that happen to be running
> > > > > > > > when lsm hook got invoked.
> > > > > > > >
> > > > > > > > KP,
> > > > > > > > we probably have to document clearly that neither 'current*'
> > > > > > > > should not be used here.
> > > > > > > > xattr_permission also makes little sense in this context.
> > > > > > > > If anything it can be a different kfunc if there is a use case,
> > > > > > > > but I don't see it yet.
> > > > > > > > bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > > > > > > > call it directly. It's the kernel that is doing its security thing.
> > > > > > >
> > > > > > > Right, but LSMs usually only retrieve their own xattr namespace (ima,
> > > > > > > selinux, smack) or they calculate hashes for xattrs based on the raw
> > > > > > > filesystem xattr values (evm).
> > > > > > >
> > > > > > > But this new bpf_getxattr() is different. It allows to retrieve _any_
> > > > > > > xattr in any security hook it can be attached to. So someone can write a
> > > > > > > bpf program that retrieves filesystem capabilites or posix acls. And
> > > > > > > these are xattrs that require higher-level vfs involvement to be
> > > > > > > sensible in most contexts.
> > > > > > >
> > >
> > > [...]
> > >
> > > > > > >
> > > > > > > This hooks a bpf-lsm program to the security_bprm_committed_creds()
> > > > > > > hook. It then retrieves the extended attributes of the file to be
> > > > > > > executed. The hook currently always retrieves the raw filesystem values.
> > > > > > >
> > > > > > > But for example any XATTR_NAME_CAPS filesystem capabilities that
> > > > > > > might've been stored will be taken into account during exec. And both
> > > > > > > the idmapping of the mount and the caller matter when determing whether
> > > > > > > they are used or not.
> > > > > > >
> > > > > > > But the current implementation of bpf_getxattr() just ignores both. It
> > > > > > > will always retrieve the raw filesystem values. So if one invokes this
> > > > > > > hook they're not actually retrieving the values as they are seen by
> > > > > > > fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> > > > > > > some use-cases it might very well become a security issue in others if
> > > > > > > access decisions are always based on the raw values.
> > > > > > >
> > > > > > > I'm not well-versed in this so bear with me, please.
> > > > > >
> > > > > > If this is really just about retrieving the "security.bpf" xattr and no
> > > > > > other xattr then the bpf_getxattr() variant should somehow hard-code
> > > > > > that to ensure that no other xattrs can be retrieved, imho.
> > > > >
> > > > > All of these restrictions look very artificial to me.
> > > > > Especially the part "might very well become a security issue"
> > > > > just doesn't click.
> > > > > We're talking about bpf-lsm progs here that implement security.
> > > > > Can somebody implement a poor bpf-lsm that doesn't enforce
> > > > > any actual security? Sure. It's a code.
> > > >
> > > > The point is that with the current implementation of bpf_getxattr() you
> > > > are able to retrieve any xattrs and we have way less control over a
> > > > bpf-lsm program than we do over selinux which a simple git grep
> > > > __vfs_getxattr() is all we need.
> > > >
> > > > The thing is that with bpf_getxattr() as it stands it is currently
> > > > impossible to retrieve xattr values - specifically filesystem
> > > > capabilities and posix acls - and see them exactly like the code you're
> > > > trying to supervise is. And that seems very strange from a security
> > > > perspective. So if someone were to write
> > > >
> > > > SEC("lsm.s/bprm_creds_from_file")
> > > > void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > {
> > > >         struct task_struct *current = bpf_get_current_task_btf();
> > > >
> > > >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > >                                 bprm->file->f_path.dentry->d_inode,
> > > >                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
> > > >         // or
> > > >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > >                                 bprm->file->f_path.dentry->d_inode,
> > > >                                 XATTR_NAME_CAPS, ..);
> > > >
> > > > }
> > > >
> > > > they'd get the raw nscaps and the raw xattrs back. But now, as just a
> > > > tiny example, the nscaps->rootuid and the ->e_id fields in the posix
> > > > ACLs make zero sense in this context.
> > > >
> > > > And what's more there's no way for the bpf-lsm program to turn them into
> > > > something that makes sense in the context of the hook they are retrieved
> > > > in. It lacks all the necessary helpers to do so afaict.
> > > >
> > > > > No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> > > > > in the existing LSMs like selinux.
> > > >
> > > > Selinux only cares about its own xattr namespace. It doesn't retrieve
> > > > fscaps or posix acls and it's not possible to write selinux programs
> > > > that do so. With the bpf-lsm that's very much possible.
> > > >
> > > > And if we'd notice selinux would start retrieving random xattrs we'd ask
> > > > the same questions we do here.
> > > >
> > > > > No one complains about its usage in out of tree LSMs.
> > > > > Is that a security issue? Of course not.
> > > > > __vfs_getxattr is a kernel mechanism that LSMs use to implement
> > > > > the security features they need.
> > > > > __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
> > > > > with a big difference that it's EXPORT_SYMBOL_GPL.
> > > > > BPF land doesn't have an equivalent of non-gpl export and is not going
> > > > > to get one.
> > >
> > > I want to reiterate what Alexei is saying here:
> > >
> > > *Please* consider this as a simple wrapper around __vfs_getxattr
> > > with a limited attach surface and extra verification checks and
> > > and nothing else.
> > >
> > > What you are saying is __vfs_getxattr does not make sense in some
> > > contexts. But kernel modules can still use it right?
> > >
> > > The user is implementing an LSM, if they chose to do things that don't make
> > > sense, then they can surely cause a lot more harm:
> > >
> > > SEC("lsm/bprm_check_security")
> > > int BPF_PROG(bprm_check, struct linux_binprm *bprm)
> > > {
> > >      return -EPERM;
> > > }
> > >
> > > >
> > > > This discussion would probably be a lot shorter if this series were sent
> > > > with a proper explanation of how this supposed to work and what it's
> > > > used for.
> > >
> > > It's currently scoped to BPF LSM (albeit limited to LSM for now)
> > > but it won't just be used in LSM programs but some (allow-listed)
> > > tracing programs too.
> > >
> > > We want to leave the flexibility to the implementer of the LSM hooks. If the
> > > implementer choses to retrieve posix_acl_* we can also expose
> > > posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
> > > but that would be a separate kfunc (and a separate use-case).
> >
> > No, sorry. That's what I feared and that's why I think this low-level
> > exposure of __vfs_getxattr() is wrong:
> > The posix_acl_fix_xattr_*() helpers, as well as the helpers like
> > get_file_caps() will not be exported. We're not going to export that
> 
> I don't want to expose them and I don't want any others to be
> exposed either.
> 
> > deeply internal vfs machinery. So I would NACK that. If you want that -
> > and that's what I'm saying here - you need to encapsulate this into your
> > vfs_*xattr() helper that you can call from your kfuncs.
> 
> It seems like __vfs_getxattr is already exposed and does the wrong thing in
> some contexts, why can't we just "fix" __vfs_getxattr then?

To me having either a version of bpf_getxattr() that restricts access to
certain xattrs or a version that takes care to perform the neccesary
translations is what seems to make the most sense. I suggested that in
one of my first mails.

The one thing where the way the xattrs are retrieved really matters is
for vfscaps (see get_vfs_caps_from_disk()) you really need something
like that function in order for vfs caps to make any sense and be
interpretable by the user of the hook.

But again, I might just misunderstand the context here and for the
bpf-lsm all of this isn't really a concern. If your new series comes out
I'll try to get more into the wider context.
If the security folks are happy with this then I won't argue.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Christian Brauner]

On Thu, Jun 30, 2022 at 03:47:02PM +0200, Christian Brauner wrote:
> On Thu, Jun 30, 2022 at 03:29:53PM +0200, KP Singh wrote:
> > On Thu, Jun 30, 2022 at 3:26 PM Christian Brauner <brauner@kernel.org> wrote:
> > >
> > > On Thu, Jun 30, 2022 at 02:21:56PM +0200, KP Singh wrote:
> > > > On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
> > > > >
> > > > > On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> > > > > > On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
> > > >
> > > > [...]
> > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > > > > > > > > > > > ---
> > > > > > > > > > > >  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > > > > > > > > >
> > > > > > > > > > [...]
> > > > > > > > > >
> > > > > > > > > > > > +SEC("lsm.s/bprm_committed_creds")
> > > > > > > > > > > > +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > > > > > > > > +{
> > > > > > > > > > > > +     struct task_struct *current = bpf_get_current_task_btf();
> > > > > > > > > > > > +     char dir_xattr_value[64] = {0};
> > > > > > > > > > > > +     int xattr_sz = 0;
> > > > > > > > > > > > +
> > > > > > > > > > > > +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > > > > > > > > > +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > > > > > > > > > > > +                             dir_xattr_value, 64);
> > > > > > > > > > >
> > > > > > > > > > > Yeah, this isn't right. You're not accounting for the caller's userns
> > > > > > > > > > > nor for the idmapped mount. If this is supposed to work you will need a
> > > > > > > > > > > variant of vfs_getxattr() that takes the mount's idmapping into account
> > > > > > > > > > > afaict. See what needs to happen after do_getxattr().
> > > > > > > > > >
> > > > > > > > > > Thanks for taking a look.
> > > > > > > > > >
> > > >
> > > > [...]
> > > >
> > > > > > > > >
> > > > > > > > > That will not be correct.
> > > > > > > > > posix_acl_fix_xattr_to_user checking current_user_ns()
> > > > > > > > > is checking random tasks that happen to be running
> > > > > > > > > when lsm hook got invoked.
> > > > > > > > >
> > > > > > > > > KP,
> > > > > > > > > we probably have to document clearly that neither 'current*'
> > > > > > > > > should not be used here.
> > > > > > > > > xattr_permission also makes little sense in this context.
> > > > > > > > > If anything it can be a different kfunc if there is a use case,
> > > > > > > > > but I don't see it yet.
> > > > > > > > > bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > > > > > > > > call it directly. It's the kernel that is doing its security thing.
> > > > > > > >
> > > > > > > > Right, but LSMs usually only retrieve their own xattr namespace (ima,
> > > > > > > > selinux, smack) or they calculate hashes for xattrs based on the raw
> > > > > > > > filesystem xattr values (evm).
> > > > > > > >
> > > > > > > > But this new bpf_getxattr() is different. It allows to retrieve _any_
> > > > > > > > xattr in any security hook it can be attached to. So someone can write a
> > > > > > > > bpf program that retrieves filesystem capabilites or posix acls. And
> > > > > > > > these are xattrs that require higher-level vfs involvement to be
> > > > > > > > sensible in most contexts.
> > > > > > > >
> > > >
> > > > [...]
> > > >
> > > > > > > >
> > > > > > > > This hooks a bpf-lsm program to the security_bprm_committed_creds()
> > > > > > > > hook. It then retrieves the extended attributes of the file to be
> > > > > > > > executed. The hook currently always retrieves the raw filesystem values.
> > > > > > > >
> > > > > > > > But for example any XATTR_NAME_CAPS filesystem capabilities that
> > > > > > > > might've been stored will be taken into account during exec. And both
> > > > > > > > the idmapping of the mount and the caller matter when determing whether
> > > > > > > > they are used or not.
> > > > > > > >
> > > > > > > > But the current implementation of bpf_getxattr() just ignores both. It
> > > > > > > > will always retrieve the raw filesystem values. So if one invokes this
> > > > > > > > hook they're not actually retrieving the values as they are seen by
> > > > > > > > fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> > > > > > > > some use-cases it might very well become a security issue in others if
> > > > > > > > access decisions are always based on the raw values.
> > > > > > > >
> > > > > > > > I'm not well-versed in this so bear with me, please.
> > > > > > >
> > > > > > > If this is really just about retrieving the "security.bpf" xattr and no
> > > > > > > other xattr then the bpf_getxattr() variant should somehow hard-code
> > > > > > > that to ensure that no other xattrs can be retrieved, imho.
> > > > > >
> > > > > > All of these restrictions look very artificial to me.
> > > > > > Especially the part "might very well become a security issue"
> > > > > > just doesn't click.
> > > > > > We're talking about bpf-lsm progs here that implement security.
> > > > > > Can somebody implement a poor bpf-lsm that doesn't enforce
> > > > > > any actual security? Sure. It's a code.
> > > > >
> > > > > The point is that with the current implementation of bpf_getxattr() you
> > > > > are able to retrieve any xattrs and we have way less control over a
> > > > > bpf-lsm program than we do over selinux which a simple git grep
> > > > > __vfs_getxattr() is all we need.
> > > > >
> > > > > The thing is that with bpf_getxattr() as it stands it is currently
> > > > > impossible to retrieve xattr values - specifically filesystem
> > > > > capabilities and posix acls - and see them exactly like the code you're
> > > > > trying to supervise is. And that seems very strange from a security
> > > > > perspective. So if someone were to write
> > > > >
> > > > > SEC("lsm.s/bprm_creds_from_file")
> > > > > void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > > > > {
> > > > >         struct task_struct *current = bpf_get_current_task_btf();
> > > > >
> > > > >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > >                                 bprm->file->f_path.dentry->d_inode,
> > > > >                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
> > > > >         // or
> > > > >         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > > > >                                 bprm->file->f_path.dentry->d_inode,
> > > > >                                 XATTR_NAME_CAPS, ..);
> > > > >
> > > > > }
> > > > >
> > > > > they'd get the raw nscaps and the raw xattrs back. But now, as just a
> > > > > tiny example, the nscaps->rootuid and the ->e_id fields in the posix
> > > > > ACLs make zero sense in this context.
> > > > >
> > > > > And what's more there's no way for the bpf-lsm program to turn them into
> > > > > something that makes sense in the context of the hook they are retrieved
> > > > > in. It lacks all the necessary helpers to do so afaict.
> > > > >
> > > > > > No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> > > > > > in the existing LSMs like selinux.
> > > > >
> > > > > Selinux only cares about its own xattr namespace. It doesn't retrieve
> > > > > fscaps or posix acls and it's not possible to write selinux programs
> > > > > that do so. With the bpf-lsm that's very much possible.
> > > > >
> > > > > And if we'd notice selinux would start retrieving random xattrs we'd ask
> > > > > the same questions we do here.
> > > > >
> > > > > > No one complains about its usage in out of tree LSMs.
> > > > > > Is that a security issue? Of course not.
> > > > > > __vfs_getxattr is a kernel mechanism that LSMs use to implement
> > > > > > the security features they need.
> > > > > > __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
> > > > > > with a big difference that it's EXPORT_SYMBOL_GPL.
> > > > > > BPF land doesn't have an equivalent of non-gpl export and is not going
> > > > > > to get one.
> > > >
> > > > I want to reiterate what Alexei is saying here:
> > > >
> > > > *Please* consider this as a simple wrapper around __vfs_getxattr
> > > > with a limited attach surface and extra verification checks and
> > > > and nothing else.
> > > >
> > > > What you are saying is __vfs_getxattr does not make sense in some
> > > > contexts. But kernel modules can still use it right?
> > > >
> > > > The user is implementing an LSM, if they chose to do things that don't make
> > > > sense, then they can surely cause a lot more harm:
> > > >
> > > > SEC("lsm/bprm_check_security")
> > > > int BPF_PROG(bprm_check, struct linux_binprm *bprm)
> > > > {
> > > >      return -EPERM;
> > > > }
> > > >
> > > > >
> > > > > This discussion would probably be a lot shorter if this series were sent
> > > > > with a proper explanation of how this supposed to work and what it's
> > > > > used for.
> > > >
> > > > It's currently scoped to BPF LSM (albeit limited to LSM for now)
> > > > but it won't just be used in LSM programs but some (allow-listed)
> > > > tracing programs too.
> > > >
> > > > We want to leave the flexibility to the implementer of the LSM hooks. If the
> > > > implementer choses to retrieve posix_acl_* we can also expose
> > > > posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
> > > > but that would be a separate kfunc (and a separate use-case).
> > >
> > > No, sorry. That's what I feared and that's why I think this low-level
> > > exposure of __vfs_getxattr() is wrong:
> > > The posix_acl_fix_xattr_*() helpers, as well as the helpers like
> > > get_file_caps() will not be exported. We're not going to export that
> > 
> > I don't want to expose them and I don't want any others to be
> > exposed either.
> > 
> > > deeply internal vfs machinery. So I would NACK that. If you want that -
> > > and that's what I'm saying here - you need to encapsulate this into your
> > > vfs_*xattr() helper that you can call from your kfuncs.
> > 
> > It seems like __vfs_getxattr is already exposed and does the wrong thing in
> > some contexts, why can't we just "fix" __vfs_getxattr then?
> 
> To me having either a version of bpf_getxattr() that restricts access to
> certain xattrs or a version that takes care to perform the neccesary
> translations is what seems to make the most sense. I suggested that in
> one of my first mails.
> 
> The one thing where the way the xattrs are retrieved really matters is
> for vfscaps (see get_vfs_caps_from_disk()) you really need something
> like that function in order for vfs caps to make any sense and be
> interpretable by the user of the hook.
> 
> But again, I might just misunderstand the context here and for the
> bpf-lsm all of this isn't really a concern. If your new series comes out
> I'll try to get more into the wider context.
> If the security folks are happy with this then I won't argue.

I think for posix acls you're actually fine since you never report
anything to userspace. So one of your bpf-lsms might reasonably
interpret this.

But for vfscaps you need them fixed up. That's what's done in
vfs_getxattr() via xattr_getsecurity() which calls into
security_inode_getsecurity() and then into cap_inode_getsecurity() which
does the conversion from the on-disk into the proper in-memory
representation. And that's nasty because fscaps are versioned depending
on whether they are namespaced or not.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Casey Schaufler]

On 6/30/2022 6:47 AM, Christian Brauner wrote:
> On Thu, Jun 30, 2022 at 03:29:53PM +0200, KP Singh wrote:
>> On Thu, Jun 30, 2022 at 3:26 PM Christian Brauner <brauner@kernel.org> wrote:
>>> On Thu, Jun 30, 2022 at 02:21:56PM +0200, KP Singh wrote:
>>>> On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
>>>>> On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
>>>>>> On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
>>>> [...]
>>>>
>>>>>>>>>>>> Signed-off-by: KP Singh <kpsingh@kernel.org>
>>>>>>>>>>>> ---
>>>>>>>>>>>>  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
>>>>>>>>>> [...]
>>>>>>>>>>
>>>>>>>>>>>> +SEC("lsm.s/bprm_committed_creds")
>>>>>>>>>>>> +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
>>>>>>>>>>>> +{
>>>>>>>>>>>> +     struct task_struct *current = bpf_get_current_task_btf();
>>>>>>>>>>>> +     char dir_xattr_value[64] = {0};
>>>>>>>>>>>> +     int xattr_sz = 0;
>>>>>>>>>>>> +
>>>>>>>>>>>> +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
>>>>>>>>>>>> +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
>>>>>>>>>>>> +                             dir_xattr_value, 64);
>>>>>>>>>>> Yeah, this isn't right. You're not accounting for the caller's userns
>>>>>>>>>>> nor for the idmapped mount. If this is supposed to work you will need a
>>>>>>>>>>> variant of vfs_getxattr() that takes the mount's idmapping into account
>>>>>>>>>>> afaict. See what needs to happen after do_getxattr().
>>>>>>>>>> Thanks for taking a look.
>>>>>>>>>>
>>>> [...]
>>>>
>>>>>>>>> That will not be correct.
>>>>>>>>> posix_acl_fix_xattr_to_user checking current_user_ns()
>>>>>>>>> is checking random tasks that happen to be running
>>>>>>>>> when lsm hook got invoked.
>>>>>>>>>
>>>>>>>>> KP,
>>>>>>>>> we probably have to document clearly that neither 'current*'
>>>>>>>>> should not be used here.
>>>>>>>>> xattr_permission also makes little sense in this context.
>>>>>>>>> If anything it can be a different kfunc if there is a use case,
>>>>>>>>> but I don't see it yet.
>>>>>>>>> bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
>>>>>>>>> call it directly. It's the kernel that is doing its security thing.
>>>>>>>> Right, but LSMs usually only retrieve their own xattr namespace (ima,
>>>>>>>> selinux, smack) or they calculate hashes for xattrs based on the raw
>>>>>>>> filesystem xattr values (evm).
>>>>>>>>
>>>>>>>> But this new bpf_getxattr() is different. It allows to retrieve _any_
>>>>>>>> xattr in any security hook it can be attached to. So someone can write a
>>>>>>>> bpf program that retrieves filesystem capabilites or posix acls. And
>>>>>>>> these are xattrs that require higher-level vfs involvement to be
>>>>>>>> sensible in most contexts.
>>>>>>>>
>>>> [...]
>>>>
>>>>>>>> This hooks a bpf-lsm program to the security_bprm_committed_creds()
>>>>>>>> hook. It then retrieves the extended attributes of the file to be
>>>>>>>> executed. The hook currently always retrieves the raw filesystem values.
>>>>>>>>
>>>>>>>> But for example any XATTR_NAME_CAPS filesystem capabilities that
>>>>>>>> might've been stored will be taken into account during exec. And both
>>>>>>>> the idmapping of the mount and the caller matter when determing whether
>>>>>>>> they are used or not.
>>>>>>>>
>>>>>>>> But the current implementation of bpf_getxattr() just ignores both. It
>>>>>>>> will always retrieve the raw filesystem values. So if one invokes this
>>>>>>>> hook they're not actually retrieving the values as they are seen by
>>>>>>>> fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
>>>>>>>> some use-cases it might very well become a security issue in others if
>>>>>>>> access decisions are always based on the raw values.
>>>>>>>>
>>>>>>>> I'm not well-versed in this so bear with me, please.
>>>>>>> If this is really just about retrieving the "security.bpf" xattr and no
>>>>>>> other xattr then the bpf_getxattr() variant should somehow hard-code
>>>>>>> that to ensure that no other xattrs can be retrieved, imho.
>>>>>> All of these restrictions look very artificial to me.
>>>>>> Especially the part "might very well become a security issue"
>>>>>> just doesn't click.
>>>>>> We're talking about bpf-lsm progs here that implement security.
>>>>>> Can somebody implement a poor bpf-lsm that doesn't enforce
>>>>>> any actual security? Sure. It's a code.
>>>>> The point is that with the current implementation of bpf_getxattr() you
>>>>> are able to retrieve any xattrs and we have way less control over a
>>>>> bpf-lsm program than we do over selinux which a simple git grep
>>>>> __vfs_getxattr() is all we need.
>>>>>
>>>>> The thing is that with bpf_getxattr() as it stands it is currently
>>>>> impossible to retrieve xattr values - specifically filesystem
>>>>> capabilities and posix acls - and see them exactly like the code you're
>>>>> trying to supervise is. And that seems very strange from a security
>>>>> perspective. So if someone were to write
>>>>>
>>>>> SEC("lsm.s/bprm_creds_from_file")
>>>>> void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
>>>>> {
>>>>>         struct task_struct *current = bpf_get_current_task_btf();
>>>>>
>>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
>>>>>                                 bprm->file->f_path.dentry->d_inode,
>>>>>                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
>>>>>         // or
>>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
>>>>>                                 bprm->file->f_path.dentry->d_inode,
>>>>>                                 XATTR_NAME_CAPS, ..);
>>>>>
>>>>> }
>>>>>
>>>>> they'd get the raw nscaps and the raw xattrs back. But now, as just a
>>>>> tiny example, the nscaps->rootuid and the ->e_id fields in the posix
>>>>> ACLs make zero sense in this context.
>>>>>
>>>>> And what's more there's no way for the bpf-lsm program to turn them into
>>>>> something that makes sense in the context of the hook they are retrieved
>>>>> in. It lacks all the necessary helpers to do so afaict.
>>>>>
>>>>>> No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
>>>>>> in the existing LSMs like selinux.
>>>>> Selinux only cares about its own xattr namespace. It doesn't retrieve
>>>>> fscaps or posix acls and it's not possible to write selinux programs
>>>>> that do so. With the bpf-lsm that's very much possible.
>>>>>
>>>>> And if we'd notice selinux would start retrieving random xattrs we'd ask
>>>>> the same questions we do here.
>>>>>
>>>>>> No one complains about its usage in out of tree LSMs.
>>>>>> Is that a security issue? Of course not.
>>>>>> __vfs_getxattr is a kernel mechanism that LSMs use to implement
>>>>>> the security features they need.
>>>>>> __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
>>>>>> with a big difference that it's EXPORT_SYMBOL_GPL.
>>>>>> BPF land doesn't have an equivalent of non-gpl export and is not going
>>>>>> to get one.
>>>> I want to reiterate what Alexei is saying here:
>>>>
>>>> *Please* consider this as a simple wrapper around __vfs_getxattr
>>>> with a limited attach surface and extra verification checks and
>>>> and nothing else.
>>>>
>>>> What you are saying is __vfs_getxattr does not make sense in some
>>>> contexts. But kernel modules can still use it right?
>>>>
>>>> The user is implementing an LSM, if they chose to do things that don't make
>>>> sense, then they can surely cause a lot more harm:
>>>>
>>>> SEC("lsm/bprm_check_security")
>>>> int BPF_PROG(bprm_check, struct linux_binprm *bprm)
>>>> {
>>>>      return -EPERM;
>>>> }
>>>>
>>>>> This discussion would probably be a lot shorter if this series were sent
>>>>> with a proper explanation of how this supposed to work and what it's
>>>>> used for.
>>>> It's currently scoped to BPF LSM (albeit limited to LSM for now)
>>>> but it won't just be used in LSM programs but some (allow-listed)
>>>> tracing programs too.
>>>>
>>>> We want to leave the flexibility to the implementer of the LSM hooks. If the
>>>> implementer choses to retrieve posix_acl_* we can also expose
>>>> posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
>>>> but that would be a separate kfunc (and a separate use-case).
>>> No, sorry. That's what I feared and that's why I think this low-level
>>> exposure of __vfs_getxattr() is wrong:
>>> The posix_acl_fix_xattr_*() helpers, as well as the helpers like
>>> get_file_caps() will not be exported. We're not going to export that
>> I don't want to expose them and I don't want any others to be
>> exposed either.
>>
>>> deeply internal vfs machinery. So I would NACK that. If you want that -
>>> and that's what I'm saying here - you need to encapsulate this into your
>>> vfs_*xattr() helper that you can call from your kfuncs.
>> It seems like __vfs_getxattr is already exposed and does the wrong thing in
>> some contexts, why can't we just "fix" __vfs_getxattr then?
> To me having either a version of bpf_getxattr() that restricts access to
> certain xattrs or a version that takes care to perform the neccesary
> translations is what seems to make the most sense. I suggested that in
> one of my first mails.
>
> The one thing where the way the xattrs are retrieved really matters is
> for vfscaps (see get_vfs_caps_from_disk()) you really need something
> like that function in order for vfs caps to make any sense and be
> interpretable by the user of the hook.
>
> But again, I might just misunderstand the context here and for the
> bpf-lsm all of this isn't really a concern. If your new series comes out
> I'll try to get more into the wider context.
> If the security folks are happy with this then I won't argue.

A security module (BPF) using another security module's (Smack)
xattrs without that module's (Smack) explicit approval would be
considered extremely rude.  Smack and SELinux use published interfaces
of the capability security module, but never access the capability
attributes directly. The details of a security module's implementation
are not a factor. The fact that BPF uses loadable programs as opposed
to loadable policy is not relevant. The only security.xattr values
that the BPF security module should allow the programs it runs to
access are the ones it is managing. If you decided to create an eBPF
implementation of SELinux you would still have to use attributes
specific to the BPF security module. If, on the other hand, you wanted
to extend Smack using eBPF programs, and the Smack maintainer liked
the idea, it would be OK for the BPF security module to access some
of the security.SMACK64 attributes.

I want it to be clear that BPF is a Linux Security Module (LSM) and
a collection of eBPF programs is *not* an LSM. BPF is responsible
for being a good kernel citizen, and must ensure that it does not
allow a set of configuration data that violates proper behavior.
You can't write an SELinux policy that monster-mashes an ACL.
You can't allow BPF to permit that either. You can't count on the
good intentions, wisdom or skill of the author of an unreviewed,
out of tree, eBPF program. I believe that this was understood during
the review process of the BPF LSM.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Amir Goldstein]

> >
> > This discussion would probably be a lot shorter if this series were sent
> > with a proper explanation of how this supposed to work and what it's
> > used for.
>
> It's currently scoped to BPF LSM (albeit limited to LSM for now)
> but it won't just be used in LSM programs but some (allow-listed)
> tracing programs too.
>

KP,

Without taking sides in the discussion about the security aspect of
bpf_getxattr(),
I wanted to say that we have plans to add BPF hooks for fanotify event
filters and
AFAIK Alessio's team is working on adding BPF hooks for FUSE bypass decisions.

In both those cases, being able to tag files with some xattr and use
that as part of
criteria in the hook would be very useful IMO, but I don't think that
it should be a
problem to limit the scope of the allowed namespace to security.bpf.* for these
use cases.

Thanks,
Amir.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[KP Singh]

On Thu, Jun 30, 2022 at 6:10 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 6/30/2022 6:47 AM, Christian Brauner wrote:
> > On Thu, Jun 30, 2022 at 03:29:53PM +0200, KP Singh wrote:
> >> On Thu, Jun 30, 2022 at 3:26 PM Christian Brauner <brauner@kernel.org> wrote:
> >>> On Thu, Jun 30, 2022 at 02:21:56PM +0200, KP Singh wrote:
> >>>> On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
> >>>>> On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> >>>>>> On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
> >>>> [...]
> >>>>
> >>>>>>>>>>>> Signed-off-by: KP Singh <kpsingh@kernel.org>
> >>>>>>>>>>>> ---
> >>>>>>>>>>>>  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> >>>>>>>>>> [...]
> >>>>>>>>>>
> >>>>>>>>>>>> +SEC("lsm.s/bprm_committed_creds")
> >>>>>>>>>>>> +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> >>>>>>>>>>>> +{
> >>>>>>>>>>>> +     struct task_struct *current = bpf_get_current_task_btf();
> >>>>>>>>>>>> +     char dir_xattr_value[64] = {0};
> >>>>>>>>>>>> +     int xattr_sz = 0;
> >>>>>>>>>>>> +
> >>>>>>>>>>>> +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >>>>>>>>>>>> +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> >>>>>>>>>>>> +                             dir_xattr_value, 64);
> >>>>>>>>>>> Yeah, this isn't right. You're not accounting for the caller's userns
> >>>>>>>>>>> nor for the idmapped mount. If this is supposed to work you will need a
> >>>>>>>>>>> variant of vfs_getxattr() that takes the mount's idmapping into account
> >>>>>>>>>>> afaict. See what needs to happen after do_getxattr().
> >>>>>>>>>> Thanks for taking a look.
> >>>>>>>>>>
> >>>> [...]
> >>>>
> >>>>>>>>> That will not be correct.
> >>>>>>>>> posix_acl_fix_xattr_to_user checking current_user_ns()
> >>>>>>>>> is checking random tasks that happen to be running
> >>>>>>>>> when lsm hook got invoked.
> >>>>>>>>>
> >>>>>>>>> KP,
> >>>>>>>>> we probably have to document clearly that neither 'current*'
> >>>>>>>>> should not be used here.
> >>>>>>>>> xattr_permission also makes little sense in this context.
> >>>>>>>>> If anything it can be a different kfunc if there is a use case,
> >>>>>>>>> but I don't see it yet.
> >>>>>>>>> bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> >>>>>>>>> call it directly. It's the kernel that is doing its security thing.
> >>>>>>>> Right, but LSMs usually only retrieve their own xattr namespace (ima,
> >>>>>>>> selinux, smack) or they calculate hashes for xattrs based on the raw
> >>>>>>>> filesystem xattr values (evm).
> >>>>>>>>
> >>>>>>>> But this new bpf_getxattr() is different. It allows to retrieve _any_
> >>>>>>>> xattr in any security hook it can be attached to. So someone can write a
> >>>>>>>> bpf program that retrieves filesystem capabilites or posix acls. And
> >>>>>>>> these are xattrs that require higher-level vfs involvement to be
> >>>>>>>> sensible in most contexts.
> >>>>>>>>
> >>>> [...]
> >>>>
> >>>>>>>> This hooks a bpf-lsm program to the security_bprm_committed_creds()
> >>>>>>>> hook. It then retrieves the extended attributes of the file to be
> >>>>>>>> executed. The hook currently always retrieves the raw filesystem values.
> >>>>>>>>
> >>>>>>>> But for example any XATTR_NAME_CAPS filesystem capabilities that
> >>>>>>>> might've been stored will be taken into account during exec. And both
> >>>>>>>> the idmapping of the mount and the caller matter when determing whether
> >>>>>>>> they are used or not.
> >>>>>>>>
> >>>>>>>> But the current implementation of bpf_getxattr() just ignores both. It
> >>>>>>>> will always retrieve the raw filesystem values. So if one invokes this
> >>>>>>>> hook they're not actually retrieving the values as they are seen by
> >>>>>>>> fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> >>>>>>>> some use-cases it might very well become a security issue in others if
> >>>>>>>> access decisions are always based on the raw values.
> >>>>>>>>
> >>>>>>>> I'm not well-versed in this so bear with me, please.
> >>>>>>> If this is really just about retrieving the "security.bpf" xattr and no
> >>>>>>> other xattr then the bpf_getxattr() variant should somehow hard-code
> >>>>>>> that to ensure that no other xattrs can be retrieved, imho.
> >>>>>> All of these restrictions look very artificial to me.
> >>>>>> Especially the part "might very well become a security issue"
> >>>>>> just doesn't click.
> >>>>>> We're talking about bpf-lsm progs here that implement security.
> >>>>>> Can somebody implement a poor bpf-lsm that doesn't enforce
> >>>>>> any actual security? Sure. It's a code.
> >>>>> The point is that with the current implementation of bpf_getxattr() you
> >>>>> are able to retrieve any xattrs and we have way less control over a
> >>>>> bpf-lsm program than we do over selinux which a simple git grep
> >>>>> __vfs_getxattr() is all we need.
> >>>>>
> >>>>> The thing is that with bpf_getxattr() as it stands it is currently
> >>>>> impossible to retrieve xattr values - specifically filesystem
> >>>>> capabilities and posix acls - and see them exactly like the code you're
> >>>>> trying to supervise is. And that seems very strange from a security
> >>>>> perspective. So if someone were to write
> >>>>>
> >>>>> SEC("lsm.s/bprm_creds_from_file")
> >>>>> void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> >>>>> {
> >>>>>         struct task_struct *current = bpf_get_current_task_btf();
> >>>>>
> >>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >>>>>                                 bprm->file->f_path.dentry->d_inode,
> >>>>>                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
> >>>>>         // or
> >>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >>>>>                                 bprm->file->f_path.dentry->d_inode,
> >>>>>                                 XATTR_NAME_CAPS, ..);
> >>>>>
> >>>>> }
> >>>>>
> >>>>> they'd get the raw nscaps and the raw xattrs back. But now, as just a
> >>>>> tiny example, the nscaps->rootuid and the ->e_id fields in the posix
> >>>>> ACLs make zero sense in this context.
> >>>>>
> >>>>> And what's more there's no way for the bpf-lsm program to turn them into
> >>>>> something that makes sense in the context of the hook they are retrieved
> >>>>> in. It lacks all the necessary helpers to do so afaict.
> >>>>>
> >>>>>> No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> >>>>>> in the existing LSMs like selinux.
> >>>>> Selinux only cares about its own xattr namespace. It doesn't retrieve
> >>>>> fscaps or posix acls and it's not possible to write selinux programs
> >>>>> that do so. With the bpf-lsm that's very much possible.
> >>>>>
> >>>>> And if we'd notice selinux would start retrieving random xattrs we'd ask
> >>>>> the same questions we do here.
> >>>>>
> >>>>>> No one complains about its usage in out of tree LSMs.
> >>>>>> Is that a security issue? Of course not.
> >>>>>> __vfs_getxattr is a kernel mechanism that LSMs use to implement
> >>>>>> the security features they need.
> >>>>>> __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
> >>>>>> with a big difference that it's EXPORT_SYMBOL_GPL.
> >>>>>> BPF land doesn't have an equivalent of non-gpl export and is not going
> >>>>>> to get one.
> >>>> I want to reiterate what Alexei is saying here:
> >>>>
> >>>> *Please* consider this as a simple wrapper around __vfs_getxattr
> >>>> with a limited attach surface and extra verification checks and
> >>>> and nothing else.
> >>>>
> >>>> What you are saying is __vfs_getxattr does not make sense in some
> >>>> contexts. But kernel modules can still use it right?
> >>>>
> >>>> The user is implementing an LSM, if they chose to do things that don't make
> >>>> sense, then they can surely cause a lot more harm:
> >>>>
> >>>> SEC("lsm/bprm_check_security")
> >>>> int BPF_PROG(bprm_check, struct linux_binprm *bprm)
> >>>> {
> >>>>      return -EPERM;
> >>>> }
> >>>>
> >>>>> This discussion would probably be a lot shorter if this series were sent
> >>>>> with a proper explanation of how this supposed to work and what it's
> >>>>> used for.
> >>>> It's currently scoped to BPF LSM (albeit limited to LSM for now)
> >>>> but it won't just be used in LSM programs but some (allow-listed)
> >>>> tracing programs too.
> >>>>
> >>>> We want to leave the flexibility to the implementer of the LSM hooks. If the
> >>>> implementer choses to retrieve posix_acl_* we can also expose
> >>>> posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
> >>>> but that would be a separate kfunc (and a separate use-case).
> >>> No, sorry. That's what I feared and that's why I think this low-level
> >>> exposure of __vfs_getxattr() is wrong:
> >>> The posix_acl_fix_xattr_*() helpers, as well as the helpers like
> >>> get_file_caps() will not be exported. We're not going to export that
> >> I don't want to expose them and I don't want any others to be
> >> exposed either.
> >>
> >>> deeply internal vfs machinery. So I would NACK that. If you want that -
> >>> and that's what I'm saying here - you need to encapsulate this into your
> >>> vfs_*xattr() helper that you can call from your kfuncs.
> >> It seems like __vfs_getxattr is already exposed and does the wrong thing in
> >> some contexts, why can't we just "fix" __vfs_getxattr then?
> > To me having either a version of bpf_getxattr() that restricts access to
> > certain xattrs or a version that takes care to perform the neccesary
> > translations is what seems to make the most sense. I suggested that in
> > one of my first mails.
> >
> > The one thing where the way the xattrs are retrieved really matters is
> > for vfscaps (see get_vfs_caps_from_disk()) you really need something
> > like that function in order for vfs caps to make any sense and be
> > interpretable by the user of the hook.
> >
> > But again, I might just misunderstand the context here and for the
> > bpf-lsm all of this isn't really a concern. If your new series comes out
> > I'll try to get more into the wider context.
> > If the security folks are happy with this then I won't argue.
>
> A security module (BPF) using another security module's (Smack)
> xattrs without that module's (Smack) explicit approval would be
> considered extremely rude.  Smack and SELinux use published interfaces
> of the capability security module, but never access the capability
> attributes directly. The details of a security module's implementation
> are not a factor. The fact that BPF uses loadable programs as opposed
> to loadable policy is not relevant. The only security.xattr values
> that the BPF security module should allow the programs it runs to
> access are the ones it is managing. If you decided to create an eBPF

What about kernel modules who can use __vfs_getxattr already as
it's an exported symbol? This can still end up influencing
security policy or using them in any way they like.

Anyways, I think, for now, for the use case we have, it can work with
a restriction to security.bpf xattrs.



> implementation of SELinux you would still have to use attributes
> specific to the BPF security module. If, on the other hand, you wanted
> to extend Smack using eBPF programs, and the Smack maintainer liked
> the idea, it would be OK for the BPF security module to access some
> of the security.SMACK64 attributes.
>
> I want it to be clear that BPF is a Linux Security Module (LSM) and
> a collection of eBPF programs is *not* an LSM. BPF is responsible
> for being a good kernel citizen, and must ensure that it does not
> allow a set of configuration data that violates proper behavior.
> You can't write an SELinux policy that monster-mashes an ACL.
> You can't allow BPF to permit that either. You can't count on the
> good intentions, wisdom or skill of the author of an unreviewed,
> out of tree, eBPF program. I believe that this was understood during
> the review process of the BPF LSM.
>
>

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[KP Singh]

On Thu, Jun 30, 2022 at 6:29 PM Amir Goldstein <amir73il@gmail.com> wrote:
>
> > >
> > > This discussion would probably be a lot shorter if this series were sent
> > > with a proper explanation of how this supposed to work and what it's
> > > used for.
> >
> > It's currently scoped to BPF LSM (albeit limited to LSM for now)
> > but it won't just be used in LSM programs but some (allow-listed)
> > tracing programs too.
> >
>
> KP,
>
> Without taking sides in the discussion about the security aspect of
> bpf_getxattr(),
> I wanted to say that we have plans to add BPF hooks for fanotify event
> filters and
> AFAIK Alessio's team is working on adding BPF hooks for FUSE bypass decisions.
>
> In both those cases, being able to tag files with some xattr and use
> that as part of
> criteria in the hook would be very useful IMO, but I don't think that
> it should be a
> problem to limit the scope of the allowed namespace to security.bpf.* for these
> use cases.

Thanks Amir, I agree, this does seem like a practical way to move forward.

Cheers,
- KP

>
> Thanks,
> Amir.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Casey Schaufler]

On 6/30/2022 3:23 PM, KP Singh wrote:
> On Thu, Jun 30, 2022 at 6:10 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 6/30/2022 6:47 AM, Christian Brauner wrote:
>>> On Thu, Jun 30, 2022 at 03:29:53PM +0200, KP Singh wrote:
>>>> On Thu, Jun 30, 2022 at 3:26 PM Christian Brauner <brauner@kernel.org> wrote:
>>>>> On Thu, Jun 30, 2022 at 02:21:56PM +0200, KP Singh wrote:
>>>>>> On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
>>>>>>> On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
>>>>>>>> On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
>>>>>> [...]
>>>>>>
>>>>>>>>>>>>>> Signed-off-by: KP Singh <kpsingh@kernel.org>
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>>  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
>>>>>>>>>>>> [...]
>>>>>>>>>>>>
>>>>>>>>>>>>>> +SEC("lsm.s/bprm_committed_creds")
>>>>>>>>>>>>>> +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
>>>>>>>>>>>>>> +{
>>>>>>>>>>>>>> +     struct task_struct *current = bpf_get_current_task_btf();
>>>>>>>>>>>>>> +     char dir_xattr_value[64] = {0};
>>>>>>>>>>>>>> +     int xattr_sz = 0;
>>>>>>>>>>>>>> +
>>>>>>>>>>>>>> +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
>>>>>>>>>>>>>> +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
>>>>>>>>>>>>>> +                             dir_xattr_value, 64);
>>>>>>>>>>>>> Yeah, this isn't right. You're not accounting for the caller's userns
>>>>>>>>>>>>> nor for the idmapped mount. If this is supposed to work you will need a
>>>>>>>>>>>>> variant of vfs_getxattr() that takes the mount's idmapping into account
>>>>>>>>>>>>> afaict. See what needs to happen after do_getxattr().
>>>>>>>>>>>> Thanks for taking a look.
>>>>>>>>>>>>
>>>>>> [...]
>>>>>>
>>>>>>>>>>> That will not be correct.
>>>>>>>>>>> posix_acl_fix_xattr_to_user checking current_user_ns()
>>>>>>>>>>> is checking random tasks that happen to be running
>>>>>>>>>>> when lsm hook got invoked.
>>>>>>>>>>>
>>>>>>>>>>> KP,
>>>>>>>>>>> we probably have to document clearly that neither 'current*'
>>>>>>>>>>> should not be used here.
>>>>>>>>>>> xattr_permission also makes little sense in this context.
>>>>>>>>>>> If anything it can be a different kfunc if there is a use case,
>>>>>>>>>>> but I don't see it yet.
>>>>>>>>>>> bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
>>>>>>>>>>> call it directly. It's the kernel that is doing its security thing.
>>>>>>>>>> Right, but LSMs usually only retrieve their own xattr namespace (ima,
>>>>>>>>>> selinux, smack) or they calculate hashes for xattrs based on the raw
>>>>>>>>>> filesystem xattr values (evm).
>>>>>>>>>>
>>>>>>>>>> But this new bpf_getxattr() is different. It allows to retrieve _any_
>>>>>>>>>> xattr in any security hook it can be attached to. So someone can write a
>>>>>>>>>> bpf program that retrieves filesystem capabilites or posix acls. And
>>>>>>>>>> these are xattrs that require higher-level vfs involvement to be
>>>>>>>>>> sensible in most contexts.
>>>>>>>>>>
>>>>>> [...]
>>>>>>
>>>>>>>>>> This hooks a bpf-lsm program to the security_bprm_committed_creds()
>>>>>>>>>> hook. It then retrieves the extended attributes of the file to be
>>>>>>>>>> executed. The hook currently always retrieves the raw filesystem values.
>>>>>>>>>>
>>>>>>>>>> But for example any XATTR_NAME_CAPS filesystem capabilities that
>>>>>>>>>> might've been stored will be taken into account during exec. And both
>>>>>>>>>> the idmapping of the mount and the caller matter when determing whether
>>>>>>>>>> they are used or not.
>>>>>>>>>>
>>>>>>>>>> But the current implementation of bpf_getxattr() just ignores both. It
>>>>>>>>>> will always retrieve the raw filesystem values. So if one invokes this
>>>>>>>>>> hook they're not actually retrieving the values as they are seen by
>>>>>>>>>> fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
>>>>>>>>>> some use-cases it might very well become a security issue in others if
>>>>>>>>>> access decisions are always based on the raw values.
>>>>>>>>>>
>>>>>>>>>> I'm not well-versed in this so bear with me, please.
>>>>>>>>> If this is really just about retrieving the "security.bpf" xattr and no
>>>>>>>>> other xattr then the bpf_getxattr() variant should somehow hard-code
>>>>>>>>> that to ensure that no other xattrs can be retrieved, imho.
>>>>>>>> All of these restrictions look very artificial to me.
>>>>>>>> Especially the part "might very well become a security issue"
>>>>>>>> just doesn't click.
>>>>>>>> We're talking about bpf-lsm progs here that implement security.
>>>>>>>> Can somebody implement a poor bpf-lsm that doesn't enforce
>>>>>>>> any actual security? Sure. It's a code.
>>>>>>> The point is that with the current implementation of bpf_getxattr() you
>>>>>>> are able to retrieve any xattrs and we have way less control over a
>>>>>>> bpf-lsm program than we do over selinux which a simple git grep
>>>>>>> __vfs_getxattr() is all we need.
>>>>>>>
>>>>>>> The thing is that with bpf_getxattr() as it stands it is currently
>>>>>>> impossible to retrieve xattr values - specifically filesystem
>>>>>>> capabilities and posix acls - and see them exactly like the code you're
>>>>>>> trying to supervise is. And that seems very strange from a security
>>>>>>> perspective. So if someone were to write
>>>>>>>
>>>>>>> SEC("lsm.s/bprm_creds_from_file")
>>>>>>> void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
>>>>>>> {
>>>>>>>         struct task_struct *current = bpf_get_current_task_btf();
>>>>>>>
>>>>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
>>>>>>>                                 bprm->file->f_path.dentry->d_inode,
>>>>>>>                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
>>>>>>>         // or
>>>>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
>>>>>>>                                 bprm->file->f_path.dentry->d_inode,
>>>>>>>                                 XATTR_NAME_CAPS, ..);
>>>>>>>
>>>>>>> }
>>>>>>>
>>>>>>> they'd get the raw nscaps and the raw xattrs back. But now, as just a
>>>>>>> tiny example, the nscaps->rootuid and the ->e_id fields in the posix
>>>>>>> ACLs make zero sense in this context.
>>>>>>>
>>>>>>> And what's more there's no way for the bpf-lsm program to turn them into
>>>>>>> something that makes sense in the context of the hook they are retrieved
>>>>>>> in. It lacks all the necessary helpers to do so afaict.
>>>>>>>
>>>>>>>> No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
>>>>>>>> in the existing LSMs like selinux.
>>>>>>> Selinux only cares about its own xattr namespace. It doesn't retrieve
>>>>>>> fscaps or posix acls and it's not possible to write selinux programs
>>>>>>> that do so. With the bpf-lsm that's very much possible.
>>>>>>>
>>>>>>> And if we'd notice selinux would start retrieving random xattrs we'd ask
>>>>>>> the same questions we do here.
>>>>>>>
>>>>>>>> No one complains about its usage in out of tree LSMs.
>>>>>>>> Is that a security issue? Of course not.
>>>>>>>> __vfs_getxattr is a kernel mechanism that LSMs use to implement
>>>>>>>> the security features they need.
>>>>>>>> __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
>>>>>>>> with a big difference that it's EXPORT_SYMBOL_GPL.
>>>>>>>> BPF land doesn't have an equivalent of non-gpl export and is not going
>>>>>>>> to get one.
>>>>>> I want to reiterate what Alexei is saying here:
>>>>>>
>>>>>> *Please* consider this as a simple wrapper around __vfs_getxattr
>>>>>> with a limited attach surface and extra verification checks and
>>>>>> and nothing else.
>>>>>>
>>>>>> What you are saying is __vfs_getxattr does not make sense in some
>>>>>> contexts. But kernel modules can still use it right?
>>>>>>
>>>>>> The user is implementing an LSM, if they chose to do things that don't make
>>>>>> sense, then they can surely cause a lot more harm:
>>>>>>
>>>>>> SEC("lsm/bprm_check_security")
>>>>>> int BPF_PROG(bprm_check, struct linux_binprm *bprm)
>>>>>> {
>>>>>>      return -EPERM;
>>>>>> }
>>>>>>
>>>>>>> This discussion would probably be a lot shorter if this series were sent
>>>>>>> with a proper explanation of how this supposed to work and what it's
>>>>>>> used for.
>>>>>> It's currently scoped to BPF LSM (albeit limited to LSM for now)
>>>>>> but it won't just be used in LSM programs but some (allow-listed)
>>>>>> tracing programs too.
>>>>>>
>>>>>> We want to leave the flexibility to the implementer of the LSM hooks. If the
>>>>>> implementer choses to retrieve posix_acl_* we can also expose
>>>>>> posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
>>>>>> but that would be a separate kfunc (and a separate use-case).
>>>>> No, sorry. That's what I feared and that's why I think this low-level
>>>>> exposure of __vfs_getxattr() is wrong:
>>>>> The posix_acl_fix_xattr_*() helpers, as well as the helpers like
>>>>> get_file_caps() will not be exported. We're not going to export that
>>>> I don't want to expose them and I don't want any others to be
>>>> exposed either.
>>>>
>>>>> deeply internal vfs machinery. So I would NACK that. If you want that -
>>>>> and that's what I'm saying here - you need to encapsulate this into your
>>>>> vfs_*xattr() helper that you can call from your kfuncs.
>>>> It seems like __vfs_getxattr is already exposed and does the wrong thing in
>>>> some contexts, why can't we just "fix" __vfs_getxattr then?
>>> To me having either a version of bpf_getxattr() that restricts access to
>>> certain xattrs or a version that takes care to perform the neccesary
>>> translations is what seems to make the most sense. I suggested that in
>>> one of my first mails.
>>>
>>> The one thing where the way the xattrs are retrieved really matters is
>>> for vfscaps (see get_vfs_caps_from_disk()) you really need something
>>> like that function in order for vfs caps to make any sense and be
>>> interpretable by the user of the hook.
>>>
>>> But again, I might just misunderstand the context here and for the
>>> bpf-lsm all of this isn't really a concern. If your new series comes out
>>> I'll try to get more into the wider context.
>>> If the security folks are happy with this then I won't argue.
>> A security module (BPF) using another security module's (Smack)
>> xattrs without that module's (Smack) explicit approval would be
>> considered extremely rude.  Smack and SELinux use published interfaces
>> of the capability security module, but never access the capability
>> attributes directly. The details of a security module's implementation
>> are not a factor. The fact that BPF uses loadable programs as opposed
>> to loadable policy is not relevant. The only security.xattr values
>> that the BPF security module should allow the programs it runs to
>> access are the ones it is managing. If you decided to create an eBPF
> What about kernel modules who can use __vfs_getxattr already as
> it's an exported symbol? This can still end up influencing
> security policy or using them in any way they like.

If I put code in Smack to read SELinux attributes I would expect
to get a possibly polite but definitely strongly worded email
from Paul Moore regarding that behavior. The integrity subsystem
looks at Smack and SELinux attributes, but that's upstream and
we can see what nefarious things are being done with them. Because
I can see the upstream kernel code I can convince myself that
regardless of the SELinux policy loaded SELinux isn't going to
muck with the Smack attributes. I can't say the same for eBPF
programs that aren't going to be in Linus' tree.

> Anyways, I think, for now, for the use case we have, it can work with
> a restriction to security.bpf xattrs.

I can't say that this whole discussion is making me feel better
about the BPF LSM concept. The approval was based on the notion
that eBPF programs were restricted to "safe" behavior. It's
hard to see how allowing access to security.selinux could be
guaranteed to be in support of safe behavior.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Amir Goldstein]

On Fri, Jul 1, 2022 at 2:39 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 6/30/2022 3:23 PM, KP Singh wrote:
> > On Thu, Jun 30, 2022 at 6:10 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >> On 6/30/2022 6:47 AM, Christian Brauner wrote:
> >>> On Thu, Jun 30, 2022 at 03:29:53PM +0200, KP Singh wrote:
> >>>> On Thu, Jun 30, 2022 at 3:26 PM Christian Brauner <brauner@kernel.org> wrote:
> >>>>> On Thu, Jun 30, 2022 at 02:21:56PM +0200, KP Singh wrote:
> >>>>>> On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
> >>>>>>> On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> >>>>>>>> On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
> >>>>>> [...]
> >>>>>>
> >>>>>>>>>>>>>> Signed-off-by: KP Singh <kpsingh@kernel.org>
> >>>>>>>>>>>>>> ---
> >>>>>>>>>>>>>>  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> >>>>>>>>>>>> [...]
> >>>>>>>>>>>>
> >>>>>>>>>>>>>> +SEC("lsm.s/bprm_committed_creds")
> >>>>>>>>>>>>>> +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> >>>>>>>>>>>>>> +{
> >>>>>>>>>>>>>> +     struct task_struct *current = bpf_get_current_task_btf();
> >>>>>>>>>>>>>> +     char dir_xattr_value[64] = {0};
> >>>>>>>>>>>>>> +     int xattr_sz = 0;
> >>>>>>>>>>>>>> +
> >>>>>>>>>>>>>> +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >>>>>>>>>>>>>> +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> >>>>>>>>>>>>>> +                             dir_xattr_value, 64);
> >>>>>>>>>>>>> Yeah, this isn't right. You're not accounting for the caller's userns
> >>>>>>>>>>>>> nor for the idmapped mount. If this is supposed to work you will need a
> >>>>>>>>>>>>> variant of vfs_getxattr() that takes the mount's idmapping into account
> >>>>>>>>>>>>> afaict. See what needs to happen after do_getxattr().
> >>>>>>>>>>>> Thanks for taking a look.
> >>>>>>>>>>>>
> >>>>>> [...]
> >>>>>>
> >>>>>>>>>>> That will not be correct.
> >>>>>>>>>>> posix_acl_fix_xattr_to_user checking current_user_ns()
> >>>>>>>>>>> is checking random tasks that happen to be running
> >>>>>>>>>>> when lsm hook got invoked.
> >>>>>>>>>>>
> >>>>>>>>>>> KP,
> >>>>>>>>>>> we probably have to document clearly that neither 'current*'
> >>>>>>>>>>> should not be used here.
> >>>>>>>>>>> xattr_permission also makes little sense in this context.
> >>>>>>>>>>> If anything it can be a different kfunc if there is a use case,
> >>>>>>>>>>> but I don't see it yet.
> >>>>>>>>>>> bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> >>>>>>>>>>> call it directly. It's the kernel that is doing its security thing.
> >>>>>>>>>> Right, but LSMs usually only retrieve their own xattr namespace (ima,
> >>>>>>>>>> selinux, smack) or they calculate hashes for xattrs based on the raw
> >>>>>>>>>> filesystem xattr values (evm).
> >>>>>>>>>>
> >>>>>>>>>> But this new bpf_getxattr() is different. It allows to retrieve _any_
> >>>>>>>>>> xattr in any security hook it can be attached to. So someone can write a
> >>>>>>>>>> bpf program that retrieves filesystem capabilites or posix acls. And
> >>>>>>>>>> these are xattrs that require higher-level vfs involvement to be
> >>>>>>>>>> sensible in most contexts.
> >>>>>>>>>>
> >>>>>> [...]
> >>>>>>
> >>>>>>>>>> This hooks a bpf-lsm program to the security_bprm_committed_creds()
> >>>>>>>>>> hook. It then retrieves the extended attributes of the file to be
> >>>>>>>>>> executed. The hook currently always retrieves the raw filesystem values.
> >>>>>>>>>>
> >>>>>>>>>> But for example any XATTR_NAME_CAPS filesystem capabilities that
> >>>>>>>>>> might've been stored will be taken into account during exec. And both
> >>>>>>>>>> the idmapping of the mount and the caller matter when determing whether
> >>>>>>>>>> they are used or not.
> >>>>>>>>>>
> >>>>>>>>>> But the current implementation of bpf_getxattr() just ignores both. It
> >>>>>>>>>> will always retrieve the raw filesystem values. So if one invokes this
> >>>>>>>>>> hook they're not actually retrieving the values as they are seen by
> >>>>>>>>>> fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> >>>>>>>>>> some use-cases it might very well become a security issue in others if
> >>>>>>>>>> access decisions are always based on the raw values.
> >>>>>>>>>>
> >>>>>>>>>> I'm not well-versed in this so bear with me, please.
> >>>>>>>>> If this is really just about retrieving the "security.bpf" xattr and no
> >>>>>>>>> other xattr then the bpf_getxattr() variant should somehow hard-code
> >>>>>>>>> that to ensure that no other xattrs can be retrieved, imho.
> >>>>>>>> All of these restrictions look very artificial to me.
> >>>>>>>> Especially the part "might very well become a security issue"
> >>>>>>>> just doesn't click.
> >>>>>>>> We're talking about bpf-lsm progs here that implement security.
> >>>>>>>> Can somebody implement a poor bpf-lsm that doesn't enforce
> >>>>>>>> any actual security? Sure. It's a code.
> >>>>>>> The point is that with the current implementation of bpf_getxattr() you
> >>>>>>> are able to retrieve any xattrs and we have way less control over a
> >>>>>>> bpf-lsm program than we do over selinux which a simple git grep
> >>>>>>> __vfs_getxattr() is all we need.
> >>>>>>>
> >>>>>>> The thing is that with bpf_getxattr() as it stands it is currently
> >>>>>>> impossible to retrieve xattr values - specifically filesystem
> >>>>>>> capabilities and posix acls - and see them exactly like the code you're
> >>>>>>> trying to supervise is. And that seems very strange from a security
> >>>>>>> perspective. So if someone were to write
> >>>>>>>
> >>>>>>> SEC("lsm.s/bprm_creds_from_file")
> >>>>>>> void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> >>>>>>> {
> >>>>>>>         struct task_struct *current = bpf_get_current_task_btf();
> >>>>>>>
> >>>>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >>>>>>>                                 bprm->file->f_path.dentry->d_inode,
> >>>>>>>                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
> >>>>>>>         // or
> >>>>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> >>>>>>>                                 bprm->file->f_path.dentry->d_inode,
> >>>>>>>                                 XATTR_NAME_CAPS, ..);
> >>>>>>>
> >>>>>>> }
> >>>>>>>
> >>>>>>> they'd get the raw nscaps and the raw xattrs back. But now, as just a
> >>>>>>> tiny example, the nscaps->rootuid and the ->e_id fields in the posix
> >>>>>>> ACLs make zero sense in this context.
> >>>>>>>
> >>>>>>> And what's more there's no way for the bpf-lsm program to turn them into
> >>>>>>> something that makes sense in the context of the hook they are retrieved
> >>>>>>> in. It lacks all the necessary helpers to do so afaict.
> >>>>>>>
> >>>>>>>> No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> >>>>>>>> in the existing LSMs like selinux.
> >>>>>>> Selinux only cares about its own xattr namespace. It doesn't retrieve
> >>>>>>> fscaps or posix acls and it's not possible to write selinux programs
> >>>>>>> that do so. With the bpf-lsm that's very much possible.
> >>>>>>>
> >>>>>>> And if we'd notice selinux would start retrieving random xattrs we'd ask
> >>>>>>> the same questions we do here.
> >>>>>>>
> >>>>>>>> No one complains about its usage in out of tree LSMs.
> >>>>>>>> Is that a security issue? Of course not.
> >>>>>>>> __vfs_getxattr is a kernel mechanism that LSMs use to implement
> >>>>>>>> the security features they need.
> >>>>>>>> __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
> >>>>>>>> with a big difference that it's EXPORT_SYMBOL_GPL.
> >>>>>>>> BPF land doesn't have an equivalent of non-gpl export and is not going
> >>>>>>>> to get one.
> >>>>>> I want to reiterate what Alexei is saying here:
> >>>>>>
> >>>>>> *Please* consider this as a simple wrapper around __vfs_getxattr
> >>>>>> with a limited attach surface and extra verification checks and
> >>>>>> and nothing else.
> >>>>>>
> >>>>>> What you are saying is __vfs_getxattr does not make sense in some
> >>>>>> contexts. But kernel modules can still use it right?
> >>>>>>
> >>>>>> The user is implementing an LSM, if they chose to do things that don't make
> >>>>>> sense, then they can surely cause a lot more harm:
> >>>>>>
> >>>>>> SEC("lsm/bprm_check_security")
> >>>>>> int BPF_PROG(bprm_check, struct linux_binprm *bprm)
> >>>>>> {
> >>>>>>      return -EPERM;
> >>>>>> }
> >>>>>>
> >>>>>>> This discussion would probably be a lot shorter if this series were sent
> >>>>>>> with a proper explanation of how this supposed to work and what it's
> >>>>>>> used for.
> >>>>>> It's currently scoped to BPF LSM (albeit limited to LSM for now)
> >>>>>> but it won't just be used in LSM programs but some (allow-listed)
> >>>>>> tracing programs too.
> >>>>>>
> >>>>>> We want to leave the flexibility to the implementer of the LSM hooks. If the
> >>>>>> implementer choses to retrieve posix_acl_* we can also expose
> >>>>>> posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
> >>>>>> but that would be a separate kfunc (and a separate use-case).
> >>>>> No, sorry. That's what I feared and that's why I think this low-level
> >>>>> exposure of __vfs_getxattr() is wrong:
> >>>>> The posix_acl_fix_xattr_*() helpers, as well as the helpers like
> >>>>> get_file_caps() will not be exported. We're not going to export that
> >>>> I don't want to expose them and I don't want any others to be
> >>>> exposed either.
> >>>>
> >>>>> deeply internal vfs machinery. So I would NACK that. If you want that -
> >>>>> and that's what I'm saying here - you need to encapsulate this into your
> >>>>> vfs_*xattr() helper that you can call from your kfuncs.
> >>>> It seems like __vfs_getxattr is already exposed and does the wrong thing in
> >>>> some contexts, why can't we just "fix" __vfs_getxattr then?
> >>> To me having either a version of bpf_getxattr() that restricts access to
> >>> certain xattrs or a version that takes care to perform the neccesary
> >>> translations is what seems to make the most sense. I suggested that in
> >>> one of my first mails.
> >>>
> >>> The one thing where the way the xattrs are retrieved really matters is
> >>> for vfscaps (see get_vfs_caps_from_disk()) you really need something
> >>> like that function in order for vfs caps to make any sense and be
> >>> interpretable by the user of the hook.
> >>>
> >>> But again, I might just misunderstand the context here and for the
> >>> bpf-lsm all of this isn't really a concern. If your new series comes out
> >>> I'll try to get more into the wider context.
> >>> If the security folks are happy with this then I won't argue.
> >> A security module (BPF) using another security module's (Smack)
> >> xattrs without that module's (Smack) explicit approval would be
> >> considered extremely rude.  Smack and SELinux use published interfaces
> >> of the capability security module, but never access the capability
> >> attributes directly. The details of a security module's implementation
> >> are not a factor. The fact that BPF uses loadable programs as opposed
> >> to loadable policy is not relevant. The only security.xattr values
> >> that the BPF security module should allow the programs it runs to
> >> access are the ones it is managing. If you decided to create an eBPF
> > What about kernel modules who can use __vfs_getxattr already as
> > it's an exported symbol? This can still end up influencing
> > security policy or using them in any way they like.
>
> If I put code in Smack to read SELinux attributes I would expect
> to get a possibly polite but definitely strongly worded email
> from Paul Moore regarding that behavior. The integrity subsystem
> looks at Smack and SELinux attributes, but that's upstream and
> we can see what nefarious things are being done with them. Because
> I can see the upstream kernel code I can convince myself that
> regardless of the SELinux policy loaded SELinux isn't going to
> muck with the Smack attributes. I can't say the same for eBPF
> programs that aren't going to be in Linus' tree.
>
> > Anyways, I think, for now, for the use case we have, it can work with
> > a restriction to security.bpf xattrs.
>
> I can't say that this whole discussion is making me feel better
> about the BPF LSM concept. The approval was based on the notion
> that eBPF programs were restricted to "safe" behavior. It's
> hard to see how allowing access to security.selinux could be
> guaranteed to be in support of safe behavior.
>

Apropos __vfs_getxattr(), looks like ecryptfs_getxattr_lower()
is abusing it.
Christian, not sure if you intend to spend time of idmapped
mount support of ecryptfs lower layer, but anyway that's that.

Thanks,
Amir.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Christian Brauner]

On Fri, Jul 01, 2022 at 11:32:55AM +0300, Amir Goldstein wrote:
> On Fri, Jul 1, 2022 at 2:39 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> > On 6/30/2022 3:23 PM, KP Singh wrote:
> > > On Thu, Jun 30, 2022 at 6:10 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> > >> On 6/30/2022 6:47 AM, Christian Brauner wrote:
> > >>> On Thu, Jun 30, 2022 at 03:29:53PM +0200, KP Singh wrote:
> > >>>> On Thu, Jun 30, 2022 at 3:26 PM Christian Brauner <brauner@kernel.org> wrote:
> > >>>>> On Thu, Jun 30, 2022 at 02:21:56PM +0200, KP Singh wrote:
> > >>>>>> On Thu, Jun 30, 2022 at 1:45 PM Christian Brauner <brauner@kernel.org> wrote:
> > >>>>>>> On Wed, Jun 29, 2022 at 08:02:50PM -0700, Alexei Starovoitov wrote:
> > >>>>>>>> On Wed, Jun 29, 2022 at 2:56 AM Christian Brauner <brauner@kernel.org> wrote:
> > >>>>>> [...]
> > >>>>>>
> > >>>>>>>>>>>>>> Signed-off-by: KP Singh <kpsingh@kernel.org>
> > >>>>>>>>>>>>>> ---
> > >>>>>>>>>>>>>>  .../testing/selftests/bpf/prog_tests/xattr.c  | 54 +++++++++++++++++++
> > >>>>>>>>>>>> [...]
> > >>>>>>>>>>>>
> > >>>>>>>>>>>>>> +SEC("lsm.s/bprm_committed_creds")
> > >>>>>>>>>>>>>> +void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > >>>>>>>>>>>>>> +{
> > >>>>>>>>>>>>>> +     struct task_struct *current = bpf_get_current_task_btf();
> > >>>>>>>>>>>>>> +     char dir_xattr_value[64] = {0};
> > >>>>>>>>>>>>>> +     int xattr_sz = 0;
> > >>>>>>>>>>>>>> +
> > >>>>>>>>>>>>>> +     xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > >>>>>>>>>>>>>> +                             bprm->file->f_path.dentry->d_inode, XATTR_NAME,
> > >>>>>>>>>>>>>> +                             dir_xattr_value, 64);
> > >>>>>>>>>>>>> Yeah, this isn't right. You're not accounting for the caller's userns
> > >>>>>>>>>>>>> nor for the idmapped mount. If this is supposed to work you will need a
> > >>>>>>>>>>>>> variant of vfs_getxattr() that takes the mount's idmapping into account
> > >>>>>>>>>>>>> afaict. See what needs to happen after do_getxattr().
> > >>>>>>>>>>>> Thanks for taking a look.
> > >>>>>>>>>>>>
> > >>>>>> [...]
> > >>>>>>
> > >>>>>>>>>>> That will not be correct.
> > >>>>>>>>>>> posix_acl_fix_xattr_to_user checking current_user_ns()
> > >>>>>>>>>>> is checking random tasks that happen to be running
> > >>>>>>>>>>> when lsm hook got invoked.
> > >>>>>>>>>>>
> > >>>>>>>>>>> KP,
> > >>>>>>>>>>> we probably have to document clearly that neither 'current*'
> > >>>>>>>>>>> should not be used here.
> > >>>>>>>>>>> xattr_permission also makes little sense in this context.
> > >>>>>>>>>>> If anything it can be a different kfunc if there is a use case,
> > >>>>>>>>>>> but I don't see it yet.
> > >>>>>>>>>>> bpf-lsm prog calling __vfs_getxattr is just like other lsm-s that
> > >>>>>>>>>>> call it directly. It's the kernel that is doing its security thing.
> > >>>>>>>>>> Right, but LSMs usually only retrieve their own xattr namespace (ima,
> > >>>>>>>>>> selinux, smack) or they calculate hashes for xattrs based on the raw
> > >>>>>>>>>> filesystem xattr values (evm).
> > >>>>>>>>>>
> > >>>>>>>>>> But this new bpf_getxattr() is different. It allows to retrieve _any_
> > >>>>>>>>>> xattr in any security hook it can be attached to. So someone can write a
> > >>>>>>>>>> bpf program that retrieves filesystem capabilites or posix acls. And
> > >>>>>>>>>> these are xattrs that require higher-level vfs involvement to be
> > >>>>>>>>>> sensible in most contexts.
> > >>>>>>>>>>
> > >>>>>> [...]
> > >>>>>>
> > >>>>>>>>>> This hooks a bpf-lsm program to the security_bprm_committed_creds()
> > >>>>>>>>>> hook. It then retrieves the extended attributes of the file to be
> > >>>>>>>>>> executed. The hook currently always retrieves the raw filesystem values.
> > >>>>>>>>>>
> > >>>>>>>>>> But for example any XATTR_NAME_CAPS filesystem capabilities that
> > >>>>>>>>>> might've been stored will be taken into account during exec. And both
> > >>>>>>>>>> the idmapping of the mount and the caller matter when determing whether
> > >>>>>>>>>> they are used or not.
> > >>>>>>>>>>
> > >>>>>>>>>> But the current implementation of bpf_getxattr() just ignores both. It
> > >>>>>>>>>> will always retrieve the raw filesystem values. So if one invokes this
> > >>>>>>>>>> hook they're not actually retrieving the values as they are seen by
> > >>>>>>>>>> fs/exec.c. And I'm wondering why that is ok? And even if this is ok for
> > >>>>>>>>>> some use-cases it might very well become a security issue in others if
> > >>>>>>>>>> access decisions are always based on the raw values.
> > >>>>>>>>>>
> > >>>>>>>>>> I'm not well-versed in this so bear with me, please.
> > >>>>>>>>> If this is really just about retrieving the "security.bpf" xattr and no
> > >>>>>>>>> other xattr then the bpf_getxattr() variant should somehow hard-code
> > >>>>>>>>> that to ensure that no other xattrs can be retrieved, imho.
> > >>>>>>>> All of these restrictions look very artificial to me.
> > >>>>>>>> Especially the part "might very well become a security issue"
> > >>>>>>>> just doesn't click.
> > >>>>>>>> We're talking about bpf-lsm progs here that implement security.
> > >>>>>>>> Can somebody implement a poor bpf-lsm that doesn't enforce
> > >>>>>>>> any actual security? Sure. It's a code.
> > >>>>>>> The point is that with the current implementation of bpf_getxattr() you
> > >>>>>>> are able to retrieve any xattrs and we have way less control over a
> > >>>>>>> bpf-lsm program than we do over selinux which a simple git grep
> > >>>>>>> __vfs_getxattr() is all we need.
> > >>>>>>>
> > >>>>>>> The thing is that with bpf_getxattr() as it stands it is currently
> > >>>>>>> impossible to retrieve xattr values - specifically filesystem
> > >>>>>>> capabilities and posix acls - and see them exactly like the code you're
> > >>>>>>> trying to supervise is. And that seems very strange from a security
> > >>>>>>> perspective. So if someone were to write
> > >>>>>>>
> > >>>>>>> SEC("lsm.s/bprm_creds_from_file")
> > >>>>>>> void BPF_PROG(bprm_cc, struct linux_binprm *bprm)
> > >>>>>>> {
> > >>>>>>>         struct task_struct *current = bpf_get_current_task_btf();
> > >>>>>>>
> > >>>>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > >>>>>>>                                 bprm->file->f_path.dentry->d_inode,
> > >>>>>>>                                 XATTR_NAME_POSIX_ACL_ACCESS, ..);
> > >>>>>>>         // or
> > >>>>>>>         xattr_sz = bpf_getxattr(bprm->file->f_path.dentry,
> > >>>>>>>                                 bprm->file->f_path.dentry->d_inode,
> > >>>>>>>                                 XATTR_NAME_CAPS, ..);
> > >>>>>>>
> > >>>>>>> }
> > >>>>>>>
> > >>>>>>> they'd get the raw nscaps and the raw xattrs back. But now, as just a
> > >>>>>>> tiny example, the nscaps->rootuid and the ->e_id fields in the posix
> > >>>>>>> ACLs make zero sense in this context.
> > >>>>>>>
> > >>>>>>> And what's more there's no way for the bpf-lsm program to turn them into
> > >>>>>>> something that makes sense in the context of the hook they are retrieved
> > >>>>>>> in. It lacks all the necessary helpers to do so afaict.
> > >>>>>>>
> > >>>>>>>> No one complains about the usage of EXPORT_SYMBOL(__vfs_getxattr)
> > >>>>>>>> in the existing LSMs like selinux.
> > >>>>>>> Selinux only cares about its own xattr namespace. It doesn't retrieve
> > >>>>>>> fscaps or posix acls and it's not possible to write selinux programs
> > >>>>>>> that do so. With the bpf-lsm that's very much possible.
> > >>>>>>>
> > >>>>>>> And if we'd notice selinux would start retrieving random xattrs we'd ask
> > >>>>>>> the same questions we do here.
> > >>>>>>>
> > >>>>>>>> No one complains about its usage in out of tree LSMs.
> > >>>>>>>> Is that a security issue? Of course not.
> > >>>>>>>> __vfs_getxattr is a kernel mechanism that LSMs use to implement
> > >>>>>>>> the security features they need.
> > >>>>>>>> __vfs_getxattr as kfunc here is pretty much the same as EXPORT_SYMBOL
> > >>>>>>>> with a big difference that it's EXPORT_SYMBOL_GPL.
> > >>>>>>>> BPF land doesn't have an equivalent of non-gpl export and is not going
> > >>>>>>>> to get one.
> > >>>>>> I want to reiterate what Alexei is saying here:
> > >>>>>>
> > >>>>>> *Please* consider this as a simple wrapper around __vfs_getxattr
> > >>>>>> with a limited attach surface and extra verification checks and
> > >>>>>> and nothing else.
> > >>>>>>
> > >>>>>> What you are saying is __vfs_getxattr does not make sense in some
> > >>>>>> contexts. But kernel modules can still use it right?
> > >>>>>>
> > >>>>>> The user is implementing an LSM, if they chose to do things that don't make
> > >>>>>> sense, then they can surely cause a lot more harm:
> > >>>>>>
> > >>>>>> SEC("lsm/bprm_check_security")
> > >>>>>> int BPF_PROG(bprm_check, struct linux_binprm *bprm)
> > >>>>>> {
> > >>>>>>      return -EPERM;
> > >>>>>> }
> > >>>>>>
> > >>>>>>> This discussion would probably be a lot shorter if this series were sent
> > >>>>>>> with a proper explanation of how this supposed to work and what it's
> > >>>>>>> used for.
> > >>>>>> It's currently scoped to BPF LSM (albeit limited to LSM for now)
> > >>>>>> but it won't just be used in LSM programs but some (allow-listed)
> > >>>>>> tracing programs too.
> > >>>>>>
> > >>>>>> We want to leave the flexibility to the implementer of the LSM hooks. If the
> > >>>>>> implementer choses to retrieve posix_acl_* we can also expose
> > >>>>>> posix_acl_fix_xattr_to_user or a different kfunc that adds this logic too
> > >>>>>> but that would be a separate kfunc (and a separate use-case).
> > >>>>> No, sorry. That's what I feared and that's why I think this low-level
> > >>>>> exposure of __vfs_getxattr() is wrong:
> > >>>>> The posix_acl_fix_xattr_*() helpers, as well as the helpers like
> > >>>>> get_file_caps() will not be exported. We're not going to export that
> > >>>> I don't want to expose them and I don't want any others to be
> > >>>> exposed either.
> > >>>>
> > >>>>> deeply internal vfs machinery. So I would NACK that. If you want that -
> > >>>>> and that's what I'm saying here - you need to encapsulate this into your
> > >>>>> vfs_*xattr() helper that you can call from your kfuncs.
> > >>>> It seems like __vfs_getxattr is already exposed and does the wrong thing in
> > >>>> some contexts, why can't we just "fix" __vfs_getxattr then?
> > >>> To me having either a version of bpf_getxattr() that restricts access to
> > >>> certain xattrs or a version that takes care to perform the neccesary
> > >>> translations is what seems to make the most sense. I suggested that in
> > >>> one of my first mails.
> > >>>
> > >>> The one thing where the way the xattrs are retrieved really matters is
> > >>> for vfscaps (see get_vfs_caps_from_disk()) you really need something
> > >>> like that function in order for vfs caps to make any sense and be
> > >>> interpretable by the user of the hook.
> > >>>
> > >>> But again, I might just misunderstand the context here and for the
> > >>> bpf-lsm all of this isn't really a concern. If your new series comes out
> > >>> I'll try to get more into the wider context.
> > >>> If the security folks are happy with this then I won't argue.
> > >> A security module (BPF) using another security module's (Smack)
> > >> xattrs without that module's (Smack) explicit approval would be
> > >> considered extremely rude.  Smack and SELinux use published interfaces
> > >> of the capability security module, but never access the capability
> > >> attributes directly. The details of a security module's implementation
> > >> are not a factor. The fact that BPF uses loadable programs as opposed
> > >> to loadable policy is not relevant. The only security.xattr values
> > >> that the BPF security module should allow the programs it runs to
> > >> access are the ones it is managing. If you decided to create an eBPF
> > > What about kernel modules who can use __vfs_getxattr already as
> > > it's an exported symbol? This can still end up influencing
> > > security policy or using them in any way they like.
> >
> > If I put code in Smack to read SELinux attributes I would expect
> > to get a possibly polite but definitely strongly worded email
> > from Paul Moore regarding that behavior. The integrity subsystem
> > looks at Smack and SELinux attributes, but that's upstream and
> > we can see what nefarious things are being done with them. Because
> > I can see the upstream kernel code I can convince myself that
> > regardless of the SELinux policy loaded SELinux isn't going to
> > muck with the Smack attributes. I can't say the same for eBPF
> > programs that aren't going to be in Linus' tree.
> >
> > > Anyways, I think, for now, for the use case we have, it can work with
> > > a restriction to security.bpf xattrs.
> >
> > I can't say that this whole discussion is making me feel better
> > about the BPF LSM concept. The approval was based on the notion
> > that eBPF programs were restricted to "safe" behavior. It's
> > hard to see how allowing access to security.selinux could be
> > guaranteed to be in support of safe behavior.
> >
> 
> Apropos __vfs_getxattr(), looks like ecryptfs_getxattr_lower()
> is abusing it.

Heh, quoting what I wrote to KP yesterday off-list about
__vfs_getxattr():

"it's [__vfs_getxattr()] exported but [afaict] it's not used in kernel
modules. afaict it's only exposed because of ecryptfs"

So right at the beginning I had already pondered whether we should just
rip out __vfs_getxattr() from ecryptfs and unexport the helper
completely because there's barely a reason to use it. Module/driver code
should not use something as low-level as __vfs_getxattr() imho.

Overlayfs does it correctly and uses vfs_getxattr() but maybe ecryptfs
needs to use it for for some reason?. I haven't looked yet.

> Christian, not sure if you intend to spend time of idmapped
> mount support of ecryptfs lower layer, but anyway that's that.

Not really. Remember the conversation we had with Tyler at LSFMM where
he considered marking it deprecated. I don't think it's worth putting in
the work.

Re: [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr

[Amir Goldstein]

> >
> > Apropos __vfs_getxattr(), looks like ecryptfs_getxattr_lower()
> > is abusing it.
>
> Heh, quoting what I wrote to KP yesterday off-list about
> __vfs_getxattr():
>
> "it's [__vfs_getxattr()] exported but [afaict] it's not used in kernel
> modules. afaict it's only exposed because of ecryptfs"
>
> So right at the beginning I had already pondered whether we should just
> rip out __vfs_getxattr() from ecryptfs and unexport the helper
> completely because there's barely a reason to use it. Module/driver code
> should not use something as low-level as __vfs_getxattr() imho.
>
> Overlayfs does it correctly and uses vfs_getxattr() but maybe ecryptfs
> needs to use it for for some reason?. I haven't looked yet.
>

No reason AFAIK (CC Tyler+Miklos)

Most lower ecryptfs operations use vfs_XXX()
48b512e68571 ("ecryptfs: call vfs_setxattr() in ecryptfs_setxattr()")
fixed vfs_setxattr() which was later changed to __vfs_setxattr_locked(),
but left __vfs_getxattr(), __vfs_removexattr() and i_op->listxattr().

> > Christian, not sure if you intend to spend time of idmapped
> > mount support of ecryptfs lower layer, but anyway that's that.
>
> Not really. Remember the conversation we had with Tyler at LSFMM where
> he considered marking it deprecated. I don't think it's worth putting in
> the work.

OK, so just need a volunteer to close the security hole and
possibly unexport __vfs_getxattr().

Does anybody know of any out of tree modules that use it
for a good reason?

Thanks,
Amir.