Received: by 10.223.185.116 with SMTP id b49csp4563724wrg; Mon, 26 Feb 2018 21:33:41 -0800 (PST) X-Google-Smtp-Source: AG47ELtbNY6I2tXf4LZc4G2Kibu6Eygw0VpIm2vdeNLPmYhj8YHNWBNNnXH3EPfLVDDjEedsOv2T X-Received: by 10.99.179.14 with SMTP id i14mr3101817pgf.45.1519709621256; Mon, 26 Feb 2018 21:33:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519709621; cv=none; d=google.com; s=arc-20160816; b=wvcs81lxqfL13HkYZwdU5SbRC5jHRqnrpglPYxTrfGcEX+cZ9LRSBE/PhDPDjS2lku 0s7UwbfEaB/Q1XtqYot7/FvkNO+IT7pVM5Pl0zHhtFqjU2yibjfmHdMSene6ZdK8pzkI vk95qDRI4dxynjunfLu13/mMKKibJ1xuZuAT1e6QpJd6Z1CQ9ZIPM7g7qHNYVKw6z4Cc cvj6AroZutAv+0pJIfdUBOAxaXl8fzapU52+7p7YtmCYn9vXVmnZVd1JZyUVo6F2jYGx HyslRKm2sWxSmZRjSOTlOgobzmS0FjP0OZdD+3oF2sus6hNKP2RyVWMkh9WjrF7UgBv+ WmVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dmarc-filter:arc-authentication-results; bh=EJnSut7bf0m0on0KJEkVAZY23/jM007oVQbroFUCHl0=; b=fwa9+OUs6jgefqoB8agMLoERLEMz88EIIVNHDH+mIjA6hjhTSzNgipTndh/ncLCTjB /qPwILar2SDRbo10U0b142PZkMPE3vUSl1pkNbt5NmLDlLXkhy2N2eyjEhSFhMK+xvxa qKnRyhUdiN8KznM7h/TpKyPLmticTe7JEvX1IVM2V0EmnNARYK/gsh6WdwtCY1gwd0+E YatWmDlQUtbjGP872qm/1t91EQSorOdDcTLj4BFlt+91H9NfR3LUyNUspZZ9QOXgoSfE ZxFxWFJ4VJ32YKY0C3Jx1PxVFadb7QPYTXnB8R1qZ7mmmwHdjbJUKHZJRdl5lCjnSTFT DEjw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c7-v6si7806648plo.743.2018.02.26.21.33.26; Mon, 26 Feb 2018 21:33:41 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752001AbeB0FVS convert rfc822-to-8bit (ORCPT + 99 others); Tue, 27 Feb 2018 00:21:18 -0500 Received: from mail.kernel.org ([198.145.29.99]:46840 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751037AbeB0FVR (ORCPT ); Tue, 27 Feb 2018 00:21:17 -0500 Received: from mail-io0-f182.google.com (mail-io0-f182.google.com [209.85.223.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 816F5217A1 for ; Tue, 27 Feb 2018 05:21:16 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 816F5217A1 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f182.google.com with SMTP id 30so19828091iog.2 for ; Mon, 26 Feb 2018 21:21:16 -0800 (PST) X-Gm-Message-State: APf1xPBPdkY8mUJMP88OuVm4TDWFyKRmvsDULJOfbyZCv3R9lBY3rlKB Wpq9k90ZDdn7djuWUzPcbrjpDqJWU2d8zOi9hQlGsw== X-Received: by 10.107.88.10 with SMTP id m10mr13294016iob.144.1519708875714; Mon, 26 Feb 2018 21:21:15 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.137.101 with HTTP; Mon, 26 Feb 2018 21:20:55 -0800 (PST) In-Reply-To: <20180227045458.wjrbbsxf3po656du@ast-mbp> References: <20180227004121.3633-1-mic@digikod.net> <20180227004121.3633-6-mic@digikod.net> <20180227020856.teq4hobw3zwussu2@ast-mbp> <20180227045458.wjrbbsxf3po656du@ast-mbp> From: Andy Lutomirski Date: Tue, 27 Feb 2018 05:20:55 +0000 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy To: Alexei Starovoitov Cc: Andy Lutomirski , =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , LKML , Alexei Starovoitov , Arnaldo Carvalho de Melo , Casey Schaufler , Daniel Borkmann , David Drysdale , "David S . Miller" , "Eric W . Biederman" , James Morris , Jann Horn , Jonathan Corbet , Michael Kerrisk , Kees Cook , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Tejun Heo , Thomas Graf , Tycho Andersen , Will Drewry , Kernel Hardening , Linux API , LSM List , Network Development , Andrew Morton Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 27, 2018 at 4:54 AM, Alexei Starovoitov wrote: > On Tue, Feb 27, 2018 at 04:40:34AM +0000, Andy Lutomirski wrote: >> On Tue, Feb 27, 2018 at 2:08 AM, Alexei Starovoitov >> wrote: >> > On Tue, Feb 27, 2018 at 01:41:15AM +0100, Mickaël Salaün wrote: >> >> The seccomp(2) syscall can be used by a task to apply a Landlock program >> >> to itself. As a seccomp filter, a Landlock program is enforced for the >> >> current task and all its future children. A program is immutable and a >> >> task can only add new restricting programs to itself, forming a list of >> >> programss. >> >> >> >> A Landlock program is tied to a Landlock hook. If the action on a kernel >> >> object is allowed by the other Linux security mechanisms (e.g. DAC, >> >> capabilities, other LSM), then a Landlock hook related to this kind of >> >> object is triggered. The list of programs for this hook is then >> >> evaluated. Each program return a 32-bit value which can deny the action >> >> on a kernel object with a non-zero value. If every programs of the list >> >> return zero, then the action on the object is allowed. >> >> >> >> Multiple Landlock programs can be chained to share a 64-bits value for a >> >> call chain (e.g. evaluating multiple elements of a file path). This >> >> chaining is restricted when a process construct this chain by loading a >> >> program, but additional checks are performed when it requests to apply >> >> this chain of programs to itself. The restrictions ensure that it is >> >> not possible to call multiple programs in a way that would imply to >> >> handle multiple shared values (i.e. cookies) for one chain. For now, >> >> only a fs_pick program can be chained to the same type of program, >> >> because it may make sense if they have different triggers (cf. next >> >> commits). This restrictions still allows to reuse Landlock programs in >> >> a safe way (e.g. use the same loaded fs_walk program with multiple >> >> chains of fs_pick programs). >> >> >> >> Signed-off-by: Mickaël Salaün >> > >> > ... >> > >> >> +struct landlock_prog_set *landlock_prepend_prog( >> >> + struct landlock_prog_set *current_prog_set, >> >> + struct bpf_prog *prog) >> >> +{ >> >> + struct landlock_prog_set *new_prog_set = current_prog_set; >> >> + unsigned long pages; >> >> + int err; >> >> + size_t i; >> >> + struct landlock_prog_set tmp_prog_set = {}; >> >> + >> >> + if (prog->type != BPF_PROG_TYPE_LANDLOCK_HOOK) >> >> + return ERR_PTR(-EINVAL); >> >> + >> >> + /* validate memory size allocation */ >> >> + pages = prog->pages; >> >> + if (current_prog_set) { >> >> + size_t i; >> >> + >> >> + for (i = 0; i < ARRAY_SIZE(current_prog_set->programs); i++) { >> >> + struct landlock_prog_list *walker_p; >> >> + >> >> + for (walker_p = current_prog_set->programs[i]; >> >> + walker_p; walker_p = walker_p->prev) >> >> + pages += walker_p->prog->pages; >> >> + } >> >> + /* count a struct landlock_prog_set if we need to allocate one */ >> >> + if (refcount_read(¤t_prog_set->usage) != 1) >> >> + pages += round_up(sizeof(*current_prog_set), PAGE_SIZE) >> >> + / PAGE_SIZE; >> >> + } >> >> + if (pages > LANDLOCK_PROGRAMS_MAX_PAGES) >> >> + return ERR_PTR(-E2BIG); >> >> + >> >> + /* ensure early that we can allocate enough memory for the new >> >> + * prog_lists */ >> >> + err = store_landlock_prog(&tmp_prog_set, current_prog_set, prog); >> >> + if (err) >> >> + return ERR_PTR(err); >> >> + >> >> + /* >> >> + * Each task_struct points to an array of prog list pointers. These >> >> + * tables are duplicated when additions are made (which means each >> >> + * table needs to be refcounted for the processes using it). When a new >> >> + * table is created, all the refcounters on the prog_list are bumped (to >> >> + * track each table that references the prog). When a new prog is >> >> + * added, it's just prepended to the list for the new table to point >> >> + * at. >> >> + * >> >> + * Manage all the possible errors before this step to not uselessly >> >> + * duplicate current_prog_set and avoid a rollback. >> >> + */ >> >> + if (!new_prog_set) { >> >> + /* >> >> + * If there is no Landlock program set used by the current task, >> >> + * then create a new one. >> >> + */ >> >> + new_prog_set = new_landlock_prog_set(); >> >> + if (IS_ERR(new_prog_set)) >> >> + goto put_tmp_lists; >> >> + } else if (refcount_read(¤t_prog_set->usage) > 1) { >> >> + /* >> >> + * If the current task is not the sole user of its Landlock >> >> + * program set, then duplicate them. >> >> + */ >> >> + new_prog_set = new_landlock_prog_set(); >> >> + if (IS_ERR(new_prog_set)) >> >> + goto put_tmp_lists; >> >> + for (i = 0; i < ARRAY_SIZE(new_prog_set->programs); i++) { >> >> + new_prog_set->programs[i] = >> >> + READ_ONCE(current_prog_set->programs[i]); >> >> + if (new_prog_set->programs[i]) >> >> + refcount_inc(&new_prog_set->programs[i]->usage); >> >> + } >> >> + >> >> + /* >> >> + * Landlock program set from the current task will not be freed >> >> + * here because the usage is strictly greater than 1. It is >> >> + * only prevented to be freed by another task thanks to the >> >> + * caller of landlock_prepend_prog() which should be locked if >> >> + * needed. >> >> + */ >> >> + landlock_put_prog_set(current_prog_set); >> >> + } >> >> + >> >> + /* prepend tmp_prog_set to new_prog_set */ >> >> + for (i = 0; i < ARRAY_SIZE(tmp_prog_set.programs); i++) { >> >> + /* get the last new list */ >> >> + struct landlock_prog_list *last_list = >> >> + tmp_prog_set.programs[i]; >> >> + >> >> + if (last_list) { >> >> + while (last_list->prev) >> >> + last_list = last_list->prev; >> >> + /* no need to increment usage (pointer replacement) */ >> >> + last_list->prev = new_prog_set->programs[i]; >> >> + new_prog_set->programs[i] = tmp_prog_set.programs[i]; >> >> + } >> >> + } >> >> + new_prog_set->chain_last = tmp_prog_set.chain_last; >> >> + return new_prog_set; >> >> + >> >> +put_tmp_lists: >> >> + for (i = 0; i < ARRAY_SIZE(tmp_prog_set.programs); i++) >> >> + put_landlock_prog_list(tmp_prog_set.programs[i]); >> >> + return new_prog_set; >> >> +} >> > >> > Nack on the chaining concept. >> > Please do not reinvent the wheel. >> > There is an existing mechanism for attaching/detaching/quering multiple >> > programs attached to cgroup and tracing hooks that are also >> > efficiently executed via BPF_PROG_RUN_ARRAY. >> > Please use that instead. >> > >> >> I don't see how that would help. Suppose you add a filter, then >> fork(), and then the child adds another filter. Do you want to >> duplicate the entire array? You certainly can't *modify* the array >> because you'll affect processes that shouldn't be affected. >> >> In contrast, doing this through seccomp like the earlier patches >> seemed just fine to me, and seccomp already had the right logic. > > it doesn't look to me that existing seccomp side of managing fork > situation can be reused. Here there is an attempt to add 'chaining' > concept which sort of an extension of existing seccomp style, > but somehow heavily done on bpf side and contradicts cgroup/tracing. > I don't see why the seccomp way can't be used. I agree with you that the seccomp *style* shouldn't be used in bpf code like this, but I think that Landlock programs can and should just live in the existing seccomp chain. If the existing seccomp code needs some modification to make this work, then so be it. In other words, the kernel already has two kinds of chaining: seccomp's and bpf's. bpf's doesn't work right for this type of usage across fork(), whereas seccomp's already handles that case correctly. (In contrast, seccomp's is totally wrong for cgroup-attached filters.) So IMO Landlock should use the seccomp core code and call into bpf for the actual filtering. For what it's worth, I haven't figured out that Mickaël means about chaining restrictions involving cookies. This seems like something wrong and the design is too complicated.