From: Matthew Garrett
Date: Fri, 21 Jun 2019 13:05:44 -0700
Subject: Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode
To: Andy Lutomirski
Cc: James Morris, linux-security@vger.kernel.org, LKML, Linux API, David Howells, Alexei Starovoitov, Network Development, Chun-Yi Lee, Daniel Borkmann
References: <20190621011941.186255-1-matthewgarrett@google.com> <20190621011941.186255-25-matthewgarrett@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 20, 2019 at 10:22 PM Andy Lutomirski wrote:
> On Thu, Jun 20, 2019 at 6:21 PM Matthew Garrett wrote:
> > --- a/security/lockdown/lockdown.c
> > +++ b/security/lockdown/lockdown.c
> > @@ -33,6 +33,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
> > [LOCKDOWN_INTEGRITY_MAX] = "integrity",
> > [LOCKDOWN_KCORE] = "/proc/kcore access",
> > [LOCKDOWN_KPROBES] = "use of kprobes",
> > + [LOCKDOWN_BPF] = "use of bpf",
> > [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
>
> The text here says "use of bpf", but what this patch is *really* doing
> is locking down use of BPF to read kernel memory. If the details
> change, then every LSM needs to get updated, and we risk breaking user
> policies that are based on LSMs that offer excessively fine
> granularity.

The text is descriptive rather than normative, and no changes should be
made that alter the semantics of a reason - it makes more sense to just
add another reason.

> I'd be more comfortable if the LSM only got to see "confidentiality"
> or "integrity".

If LSM authors can be trusted to do the right thing here, then I see
no problem in providing additional data. I'm happy to defer to James
on that.
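
Review bot: The reason string on the added [LOCKDOWN_BPF] line, "use of bpf", reads as if every BPF operation is refused, while the entry sits between LOCKDOWN_INTEGRITY_MAX and LOCKDOWN_CONFIDENTIALITY_MAX and so only applies at the confidentiality level. Since the thread treats these strings as descriptive text, consider wording that names the restricted capability, for example "use of bpf to read kernel memory", so the message an administrator sees matches what was actually denied. Separately, the table is sized LOCKDOWN_CONFIDENTIALITY_MAX+1 and filled with designated initializers, so the enum declaration (not shown in this hunk) has to place LOCKDOWN_BPF after LOCKDOWN_INTEGRITY_MAX and before LOCKDOWN_CONFIDENTIALITY_MAX; otherwise the entry lands at the wrong level or outside the array.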