From: Stephen Smalley
Date: Tue, 24 Mar 2020 10:35:16 -0400
Subject: Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution
To: KP Singh
Cc: linux-kernel@vger.kernel.org, bpf@vger.kernel.org, LSM List, Brendan Jackman, Florent Revest, Alexei Starovoitov, Daniel Borkmann, James Morris, Kees Cook, Paul Turner, Jann Horn, Florent Revest, Brendan Jackman, Greg Kroah-Hartman, Paul Moore
In-Reply-To: <20200323164415.12943-5-kpsingh@chromium.org>

On Mon, Mar 23, 2020 at 12:46 PM KP Singh wrote:
>
> From: KP Singh
>
> JITed BPF programs are dynamically attached to the LSM hooks
> using BPF trampolines. The trampoline prologue generates code to handle
> conversion of the signature of the hook to the appropriate BPF context.
>
> The allocated trampoline programs are attached to the nop functions
> initialized as LSM hooks.
>
> BPF_PROG_TYPE_LSM programs must have a GPL compatible license and
> need CAP_SYS_ADMIN (required for loading eBPF programs).
>
> Upon attachment:
>
> * A BPF fexit trampoline is used for LSM hooks with a void return type.
> * A BPF fmod_ret trampoline is used for LSM hooks which return an
>   int. The attached programs can override the return value of the
>   bpf LSM hook to indicate a MAC Policy decision.
>
> Signed-off-by: KP Singh
> Reviewed-by: Brendan Jackman
> Reviewed-by: Florent Revest
> ---
> diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c > index 530d137f7a84..2a8131b640b8 100644 > --- a/kernel/bpf/bpf_lsm.c > +++ b/kernel/bpf/bpf_lsm.c > @@ -9,6 +9,9 @@ > #include > #include > #include > +#include > +#include > +#include > > /* For every LSM hook that allows attachment of BPF programs, declare a NOP > * function where a BPF program can be attached as an fexit trampoline. > @@ -27,6 +30,32 @@ noinline __weak void bpf_lsm_##NAME(__VA_ARGS__) {} > #include > #undef LSM_HOOK > > +#define BPF_LSM_SYM_PREFX "bpf_lsm_" > + > +int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog, > + const struct bpf_prog *prog) > +{ > + /* Only CAP_MAC_ADMIN users are allowed to make changes to LSM hooks > + */ > + if (!capable(CAP_MAC_ADMIN)) > + return -EPERM;

I had asked before, and will ask again: please provide an explicit LSM hook for mediating whether one can make changes to the LSM hooks. Neither CAP_MAC_ADMIN nor CAP_SYS_ADMIN suffices to check this for SELinux.
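
Review bot: in bpf_lsm_verify_prog() the capable(CAP_MAC_ADMIN) test is the only permission check visible on this path, yet the commit message documents only CAP_SYS_ADMIN and the GPL-compatible license. Please state the CAP_MAC_ADMIN requirement in the commit message, and note that a bare capability check does not let a security module tell this operation apart from any other use of CAP_MAC_ADMIN, so a dedicated check at this point would make the policy decision explicit. Minor: BPF_LSM_SYM_PREFX looks like a misspelling of PREFIX, and the one-sentence comment above the check would fit on a single line with its closing `*/`.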