linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Roberto Sassu <roberto.sassu@huaweicloud.com>,
	KP Singh <kpsingh@kernel.org>,
	Florent Revest <revest@chromium.org>,
	Brendan Jackman <jackmanb@chromium.org>,
	Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E . Hallyn" <serge@hallyn.com>, bpf <bpf@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	nicolas.bouchinet@clip-os.org, Mimi Zohar <zohar@linux.ibm.com>,
	linux-integrity <linux-integrity@vger.kernel.org>
Subject: Re: [RFC][PATCH] bpf: Check xattr name/value pair from bpf_lsm_inode_init_security()
Date: Tue, 25 Oct 2022 23:37:02 -0700	[thread overview]
Message-ID: <CAADnVQLAXsZRNytPHG0KhYKar3K+=7bq2KPQG77VFOKbnTPHmg@mail.gmail.com> (raw)
In-Reply-To: <ffbdcfbe-0c63-2ced-62e3-a7248b7a24f0@schaufler-ca.com>

On Tue, Oct 25, 2022 at 7:58 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 10/25/2022 12:43 AM, Roberto Sassu wrote:
> > On Mon, 2022-10-24 at 19:13 -0700, Alexei Starovoitov wrote:
> >> I'm looking at security_inode_init_security() and it is indeed messy.
> >> Per file system initxattrs callback that processes kmalloc-ed
> >> strings.
> >> Yikes.
> >>
> >> In the short term we should denylist inode_init_security hook to
> >> disallow attaching bpf-lsm there. set/getxattr should be done
> >> through kfuncs instead of such kmalloc-a-string hack.
> > Inode_init_security is an example. It could be that the other hooks are
> > affected too. What happens if they get arbitrary positive values too?
>
> TL;DR - Things will go cattywampus.
>
> The LSM infrastructure is an interface that has "grown organically",
> and isn't necessarily consistent in what it requires of the security
> module implementations. There are cases where it assumes that the
> security module hooks are well behaved, as you've discovered. I have
> no small amount of fear that someone is going to provide an eBPF
> program for security_secid_to_secctx(). There has been an assumption,
> oft stated, that all security modules are going to be reviewed as
> part of the upstream process. The review process ought to catch hooks
> that return unacceptable values. Alas, we've lost that with BPF.
>
> It would take a(nother) major overhaul of the LSM infrastructure to
> make it safe against hooks that are not well behaved. From what I have
> seen so far it wouldn't be easy/convenient/performant to do it in the
> BPF security module either. I personally think that BPF needs to
> ensure that the eBPF implementations don't return inappropriate values,
> but I understand why that is problematic.

That's an accurate statement. Thank you.

Going back to the original question...
We fix bugs when we discover them.
Regardless of the subsystem they belong to.
No finger pointing.

  reply	other threads:[~2022-10-26  6:38 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-21 16:46 [RFC][PATCH] bpf: Check xattr name/value pair from bpf_lsm_inode_init_security() Roberto Sassu
2022-10-23 23:36 ` Alexei Starovoitov
2022-10-24  9:25   ` Roberto Sassu
2022-10-24 15:28     ` Roberto Sassu
2022-10-25  2:13       ` Alexei Starovoitov
2022-10-25  7:43         ` Roberto Sassu
2022-10-25 14:57           ` Casey Schaufler
2022-10-26  6:37             ` Alexei Starovoitov [this message]
2022-10-26  8:42               ` Roberto Sassu
2022-10-26 17:14                 ` Alexei Starovoitov
2022-10-27 10:39                   ` KP Singh
2022-10-27 15:52                     ` Casey Schaufler
2022-10-28  8:48                     ` Roberto Sassu
2022-10-28 15:01                       ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAADnVQLAXsZRNytPHG0KhYKar3K+=7bq2KPQG77VFOKbnTPHmg@mail.gmail.com' \
    --to=alexei.starovoitov@gmail.com \
    --cc=bpf@vger.kernel.org \
    --cc=casey@schaufler-ca.com \
    --cc=jackmanb@chromium.org \
    --cc=jmorris@namei.org \
    --cc=kpsingh@kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nicolas.bouchinet@clip-os.org \
    --cc=paul@paul-moore.com \
    --cc=revest@chromium.org \
    --cc=roberto.sassu@huaweicloud.com \
    --cc=serge@hallyn.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).