From: Casey Schaufler <casey@schaufler-ca.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Paul Moore <paul@paul-moore.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
Ondrej Mosnacek <omosnace@redhat.com>,
LSM List <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
Steven Rostedt <rostedt@goodmis.org>,
Ingo Molnar <mingo@redhat.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
selinux@vger.kernel.org, ppc-dev <linuxppc-dev@lists.ozlabs.org>,
Linux-Fsdevel <linux-fsdevel@vger.kernel.org>,
bpf <bpf@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>, Jiri Olsa <jolsa@redhat.com>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks
Date: Sat, 5 Jun 2021 11:10:57 -0700 [thread overview]
Message-ID: <64552a82-d878-b6e6-e650-52423153b624@schaufler-ca.com> (raw)
In-Reply-To: <CAADnVQ+0bNtDj46Q8s-h=rqJgZz2JaGTeHpbmof3e7fBBQKuDQ@mail.gmail.com>
On 6/4/2021 5:08 PM, Alexei Starovoitov wrote:
> On Fri, Jun 4, 2021 at 4:34 PM Paul Moore <paul@paul-moore.com> wrote:
>>> Again, the problem is not limited to BPF at all. kprobes is doing register-
>>> the hooks which are equivalent to the one of BPF. Anything in run-time
>>> trying to prevent probe_read_kernel by kprobes or BPF is broken by design.
>> Not being an expert on kprobes I can't really comment on that, but
>> right now I'm focused on trying to make things work for the BPF
>> helpers. I suspect that if we can get the SELinux lockdown
>> implementation working properly for BPF the solution for kprobes won't
>> be far off.
> Paul,
>
> Both kprobe and bpf can call probe_read_kernel==copy_from_kernel_nofault
> from all contexts.
> Including NMI. Most of audit_log_* is not acceptable.
> Just removing a wakeup is not solving anything.
> Audit hooks don't belong in NMI.
> Audit design needs memory allocation. Hence it's not suitable
> for NMI and hardirq. But kprobes and bpf progs do run just fine there.
> BPF, for example, only uses pre-allocated memory.
You have fallen into a common fallacy. The fact that the "code runs"
does not assure that the "system works right". In the security world
we face this all the time, often with performance expectations. In this
case the BPF design has failed to accommodate the long standing needs
of audit and SELinux. Shifting the responsibility for these design flaws
to SELinux is inappropriate. Integration of sub-systems is usually the
burden of the newcomer, which in this case is BPF. Paul is doing the
bulk of your work for you. Maybe you could step up to your responsibility
and work with him, not against him.
next prev parent reply other threads:[~2021-06-05 18:11 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-17 9:20 [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks Ondrej Mosnacek
2021-05-17 11:00 ` Michael Ellerman
2021-05-26 11:44 ` Ondrej Mosnacek
2021-05-27 4:28 ` James Morris
2021-05-27 14:18 ` Paul Moore
2021-05-28 1:37 ` Paul Moore
2021-05-28 7:09 ` Daniel Borkmann
2021-05-28 9:53 ` Jiri Olsa
2021-05-28 9:56 ` Daniel Borkmann
2021-05-28 10:16 ` Jiri Olsa
2021-05-28 11:47 ` Jiri Olsa
2021-05-28 11:54 ` Daniel Borkmann
2021-05-28 13:42 ` Ondrej Mosnacek
2021-05-28 14:20 ` Daniel Borkmann
2021-05-28 15:54 ` Paul Moore
2021-05-28 15:47 ` Paul Moore
2021-05-28 18:10 ` Daniel Borkmann
2021-05-28 22:52 ` Paul Moore
2021-05-29 18:48 ` Paul Moore
2021-05-31 8:24 ` Daniel Borkmann
2021-06-01 20:47 ` Paul Moore
2021-06-02 12:40 ` Daniel Borkmann
2021-06-02 15:13 ` Paul Moore
2021-06-03 18:52 ` Daniel Borkmann
2021-06-04 4:50 ` Paul Moore
2021-06-04 18:02 ` Daniel Borkmann
2021-06-04 23:34 ` Paul Moore
2021-06-05 0:08 ` Alexei Starovoitov
2021-06-05 18:10 ` Casey Schaufler [this message]
2021-06-05 18:17 ` Linus Torvalds
2021-06-06 2:11 ` Paul Moore
2021-06-06 1:30 ` Paul Moore
2021-06-02 13:39 ` Ondrej Mosnacek
2021-06-03 17:46 ` Paul Moore
2021-06-08 11:01 ` Ondrej Mosnacek
2021-06-09 2:40 ` Paul Moore
2021-05-28 13:58 ` Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=64552a82-d878-b6e6-e650-52423153b624@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=jolsa@redhat.com \
--cc=kuba@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).