Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp1216316ybd; Wed, 26 Jun 2019 13:24:05 -0700 (PDT) X-Google-Smtp-Source: APXvYqzvteLEJVY6GcDKGa66ylbLTKZIj3KTSn+7H6xsmRzHMhM/niqvD1836rscmpm18QOmp64M X-Received: by 2002:a63:dd53:: with SMTP id g19mr4557289pgj.3.1561580645588; Wed, 26 Jun 2019 13:24:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561580645; cv=none; d=google.com; s=arc-20160816; b=fR04vPSJxDZbCRoGPkLDhN1OEJoBSwN3d2ZHVZamgsuoWGaF35Onda4XXF8mqkffQE AXcUG/VjBtdYo5K/Z3zcpN+JO5G2kdTKel07ndEyqibNZScteomVx6MC2TmCqpCdSJzh dW8iRXRVVVuzFe7MkrxzIcZEEh4UvAOdHV0lfp/VtWEMqrPLkCHZEw+dGe/2aZ4ILn+E bU821ZSeq6mzY273KM6JApcCdoEBLQSvuwBYYVlRXwCAIzdFuGgdAOBDmEes40uk/5fQ PYeJ2LUGKd1QwQm/qeFn5H0XcNfw0J4ff694sGpbnf7gWWU0K08qJr4aljUYObTy6M0L Oswg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=V23F617rm/cJi3VrCfdR/BeVWZWPld5Xyj95NRdspi8=; b=MCBjgo2odJv6w2jJcwnHKM0hV7u6AChuDUf/pjmxqSNh9eIxhi8hkfXW437H3esgFz i/YRO0AJOZGuMlSHNeA0R5n+kP3GSMFGk+Saaef5G+p7xp/x8dWFjNVMu1/jkGY5d7/H Ce2osFlg/Ih+1yaPpMNOTwaEAmROqSQbB/G6lFZ/6cHUMYgyv1lqnJ9diCAKRFAiFzmW l7nwPA1sPIwUH7n7bsnT4bEEBN4Tye2Sy86k5c74T5Y9LFmxCcnykWim413wxR1MFRFe 61dIx2tND5s9g5N2TlP24sh7h0ZpcF8fskOlEqfnS35uKFXV2+H7Ih7OktN5hhOSn+6L SS6Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 70si96200pla.2.2019.06.26.13.23.49; Wed, 26 Jun 2019 13:24:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726476AbfFZUX0 (ORCPT + 99 others); Wed, 26 Jun 2019 16:23:26 -0400 Received: from namei.org ([65.99.196.166]:48562 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726227AbfFZUXZ (ORCPT ); Wed, 26 Jun 2019 16:23:25 -0400 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id x5QKMlwI029314; Wed, 26 Jun 2019 20:22:47 GMT Date: Thu, 27 Jun 2019 06:22:47 +1000 (AEST) From: James Morris To: Andy Lutomirski cc: Matthew Garrett , linux-security@vger.kernel.org, LKML , Linux API , David Howells , Alexei Starovoitov , Matthew Garrett , Network Development , Chun-Yi Lee , Daniel Borkmann , linux-security-module@vger.kernel.org Subject: Re: [PATCH V33 24/30] bpf: Restrict bpf when kernel lockdown is in confidentiality mode In-Reply-To: Message-ID: References: <20190621011941.186255-1-matthewgarrett@google.com> <20190621011941.186255-25-matthewgarrett@google.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [Adding the LSM mailing list: missed this patchset initially] On Thu, 20 Jun 2019, Andy Lutomirski wrote: > This patch exemplifies why I don't like this approach: > > > @@ -97,6 +97,7 @@ enum lockdown_reason { > > LOCKDOWN_INTEGRITY_MAX, > > LOCKDOWN_KCORE, > > LOCKDOWN_KPROBES, > > + LOCKDOWN_BPF, > > LOCKDOWN_CONFIDENTIALITY_MAX, > > > --- a/security/lockdown/lockdown.c > > +++ b/security/lockdown/lockdown.c > > @@ -33,6 +33,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { > > [LOCKDOWN_INTEGRITY_MAX] = "integrity", > > [LOCKDOWN_KCORE] = "/proc/kcore access", > > [LOCKDOWN_KPROBES] = "use of kprobes", > > + [LOCKDOWN_BPF] = "use of bpf", > > [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", > > The text here says "use of bpf", but what this patch is *really* doing > is locking down use of BPF to read kernel memory. If the details > change, then every LSM needs to get updated, and we risk breaking user > policies that are based on LSMs that offer excessively fine > granularity. Can you give an example of how the details might change? > I'd be more comfortable if the LSM only got to see "confidentiality" > or "integrity". These are not sufficient for creating a useful policy for the SELinux case. -- James Morris