Re: [PATCH bpf-next v8 0/8] MAC and Audit policy using eBPF (KRSI)

[KP Singh <kpsingh@chromium.org>]

On 28-Mar 18:18, Daniel Borkmann wrote:
> Hey KP,
> 
> On 3/27/20 8:28 PM, KP Singh wrote:
> > From: KP Singh <kpsingh@google.com>
> > 
> > # v7 -> v8
> > 
> >    https://lore.kernel.org/bpf/20200326142823.26277-1-kpsingh@chromium.org/
> > 
> > * Removed CAP_MAC_ADMIN check from bpf_lsm_verify_prog. LSMs can add it
> >    in their own bpf_prog hook. This can be revisited as a separate patch.
> > * Added Andrii and James' Ack/Review tags.
> > * Fixed an indentation issue and missing newlines in selftest error
> >    a cases.
> > * Updated a comment as suggested by Alexei.
> > * Updated the documentation to use the newer libbpf API and some other
> >    fixes.
> > * Rebase
> > 
> > # v6 -> v7
> > 
> >    https://lore.kernel.org/bpf/20200325152629.6904-1-kpsingh@chromium.org/
> > 
> [...]
> > KP Singh (8):
> >    bpf: Introduce BPF_PROG_TYPE_LSM
> >    security: Refactor declaration of LSM hooks
> >    bpf: lsm: provide attachment points for BPF LSM programs
> >    bpf: lsm: Implement attach, detach and execution
> >    bpf: lsm: Initialize the BPF LSM hooks
> >    tools/libbpf: Add support for BPF_PROG_TYPE_LSM
> >    bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM
> >    bpf: lsm: Add Documentation
> 
> I was about to apply, but then I'm getting the following selftest issue on
> the added LSM one, ptal:
> 
> # ./test_progs
> [...]
> #65/1 test_global_func1.o:OK
> #65/2 test_global_func2.o:OK
> #65/3 test_global_func3.o:OK
> #65/4 test_global_func4.o:OK
> #65/5 test_global_func5.o:OK
> #65/6 test_global_func6.o:OK
> #65/7 test_global_func7.o:OK
> #65 test_global_funcs:OK
> test_test_lsm:PASS:skel_load 0 nsec
> test_test_lsm:PASS:attach 0 nsec
> test_test_lsm:PASS:exec_cmd 0 nsec
> test_test_lsm:FAIL:bprm_count bprm_count = 0
> test_test_lsm:FAIL:heap_mprotect want errno=EPERM, got 22

The test seems to pass for me [classic, "works on my machine" ;)]

  ./test_progs -t test_lsm
  #66 test_lsm:OK
  Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

and also in the complete run of test_progs.

Since the attachment succeeds and the hook does not get called, it
seems like "bpf" LSM is not being initialized and the hook, although
present, does not get called.

This indicates that "bpf" is not in CONFIG_LSM. It should, however, be
there by default as we added it to default value of CONFIG_LSM and
also for other DEFAULT_SECURITY_* options.

Let me know if that's the case and it fixes it.

- KP

> #66 test_lsm:FAIL
> test_test_overhead:PASS:obj_open_file 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> Caught signal #11!
> Stack trace:
> ./test_progs(crash_handler+0x31)[0x56100f25eb51]
> /lib/x86_64-linux-gnu/libpthread.so.0(+0x12890)[0x7f9d8d225890]
> /lib/x86_64-linux-gnu/libc.so.6(+0x18ef2d)[0x7f9d8cfb0f2d]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_calloc+0x372)[0x7f9d8cebc3a2]
> /usr/local/lib/libelf.so.1(+0x33ce)[0x7f9d8d85a3ce]
> /usr/local/lib/libelf.so.1(+0x3fb2)[0x7f9d8d85afb2]
> ./test_progs(btf__parse_elf+0x15d)[0x56100f27a141]
> ./test_progs(libbpf_find_kernel_btf+0x169)[0x56100f27ee83]
> ./test_progs(+0x43906)[0x56100f266906]
> ./test_progs(bpf_object__load_xattr+0xe5)[0x56100f26e93c]
> ./test_progs(bpf_object__load+0x47)[0x56100f26eafd]
> ./test_progs(test_test_overhead+0x252)[0x56100f24a922]
> ./test_progs(main+0x212)[0x56100f22f772]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x7f9d8ce43b97]
> ./test_progs(_start+0x2a)[0x56100f22f8fa]
> Segmentation fault (core dumped)
> #
> 
> (Before the series, it runs through fine on my side.)
> 
> Thanks,
> Daniel