> On 15 Apr 2024, at 17:34, KP Singh <[email protected]> wrote:
>
>
>
> On Mon, 15 Apr 2024 at 16:23, Paul Moore <[email protected]> wrote:
> On Mon, Apr 15, 2024 at 9:21 AM Tetsuo Handa
> <[email protected]> wrote:
> > On 2024/04/15 17:26, KP Singh wrote:
> > > This seems like an odd config which does not enable STATIC_CALL, I am going to
> > > make CONFIG_SECURITY depend on CONFIG_STATIC_CALL and make the dependency explicit.
> >
> > If CONFIG_SECURITY depends on CONFIG_STATIC_CALL, architectures which do not
> > support CONFIG_STATIC_CALL can no longer use LSM ? That sounds a bad dependency.
>
> Agreed. If the arch doesn't support static calls we need a fallback
> solution for the LSM that is no worse than what we have now, and
> preferably would still solve the issue of the BPF hooks active even
> where this is no BPF program attached.
Actually I take it back, when CONFIG_STATIC_CALL is not available, the implementation falls back to an indirect call. This crash is unrelated, I will debug further and post back.
- KP
>
> --
> paul-moore.com
> On 15 Apr 2024, at 17:47, KP Singh <[email protected]> wrote:
>
>
[...]
>> <[email protected]> wrote:
>>> On 2024/04/15 17:26, KP Singh wrote:
>>>> This seems like an odd config which does not enable STATIC_CALL, I am going to
>>>> make CONFIG_SECURITY depend on CONFIG_STATIC_CALL and make the dependency explicit.
>>>
>>> If CONFIG_SECURITY depends on CONFIG_STATIC_CALL, architectures which do not
>>> support CONFIG_STATIC_CALL can no longer use LSM ? That sounds a bad dependency.
>>
>> Agreed. If the arch doesn't support static calls we need a fallback
>> solution for the LSM that is no worse than what we have now, and
>> preferably would still solve the issue of the BPF hooks active even
>> where this is no BPF program attached.
>
> Actually I take it back, when CONFIG_STATIC_CALL is not available, the implementation falls back to an indirect call. This crash is unrelated, I will debug further and post back.
Apparently, when I smoke tested, I had CONFIG_IMA disabled so did not hit the bug. Well, now IMA is an LSM, so the following fixes it:
kpsingh@kpsingh:~/projects/linux$ git diff
diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h
index dbb3c8573959..77803d117a30 100644
--- a/include/linux/lsm_count.h
+++ b/include/linux/lsm_count.h
@@ -78,6 +78,12 @@
#define BPF_LSM_ENABLED
#endif
+#if IS_ENABLED(CONFIG_IMA)
+#define IMA_ENABLED 1,
+#else
+#define IMA_ENABLED
+#endif
+
#if IS_ENABLED(CONFIG_SECURITY_LANDLOCK)
#define LANDLOCK_ENABLED 1,
#else
@@ -103,6 +109,7 @@
LOCKDOWN_ENABLED \
SAFESETID_ENABLED \
BPF_LSM_ENABLED \
+ IMA_ENABLED \
LANDLOCK_ENABLED)
We don't need a CONFIG_STATIC_CALL dependency, th static_call code nicely falls back.
- KP
>
> - KP
>
>>
>> --
>> paul-moore.com
>
On 4/15/2024 1:42 PM, KP Singh wrote:
>
>> On 15 Apr 2024, at 17:47, KP Singh <[email protected]> wrote:
>>
>>
> [...]
>
>>> <[email protected]> wrote:
>>>> On 2024/04/15 17:26, KP Singh wrote:
>>>>> This seems like an odd config which does not enable STATIC_CALL, I am going to
>>>>> make CONFIG_SECURITY depend on CONFIG_STATIC_CALL and make the dependency explicit.
>>>> If CONFIG_SECURITY depends on CONFIG_STATIC_CALL, architectures which do not
>>>> support CONFIG_STATIC_CALL can no longer use LSM ? That sounds a bad dependency.
>>> Agreed. If the arch doesn't support static calls we need a fallback
>>> solution for the LSM that is no worse than what we have now, and
>>> preferably would still solve the issue of the BPF hooks active even
>>> where this is no BPF program attached.
>> Actually I take it back, when CONFIG_STATIC_CALL is not available, the implementation falls back to an indirect call. This crash is unrelated, I will debug further and post back.
> Apparently, when I smoke tested, I had CONFIG_IMA disabled so did not hit the bug. Well, now IMA is an LSM, so the following fixes it:
You'll want CONFIG_EVM as well, I bet.
> On 15 Apr 2024, at 22:54, Casey Schaufler <[email protected]> wrote:
>
> On 4/15/2024 1:42 PM, KP Singh wrote:
>>
>>> On 15 Apr 2024, at 17:47, KP Singh <[email protected]> wrote:
>>>
>>>
>> [...]
>>
>>>> <[email protected]> wrote:
>>>>> On 2024/04/15 17:26, KP Singh wrote:
>>>>>> This seems like an odd config which does not enable STATIC_CALL, I am going to
>>>>>> make CONFIG_SECURITY depend on CONFIG_STATIC_CALL and make the dependency explicit.
>>>>> If CONFIG_SECURITY depends on CONFIG_STATIC_CALL, architectures which do not
>>>>> support CONFIG_STATIC_CALL can no longer use LSM ? That sounds a bad dependency.
>>>> Agreed. If the arch doesn't support static calls we need a fallback
>>>> solution for the LSM that is no worse than what we have now, and
>>>> preferably would still solve the issue of the BPF hooks active even
>>>> where this is no BPF program attached.
>>> Actually I take it back, when CONFIG_STATIC_CALL is not available, the implementation falls back to an indirect call. This crash is unrelated, I will debug further and post back.
>> Apparently, when I smoke tested, I had CONFIG_IMA disabled so did not hit the bug. Well, now IMA is an LSM, so the following fixes it:
>
> You'll want CONFIG_EVM as well, I bet.
Indeed, thanks Casey!