Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp1088907ybx; Tue, 5 Nov 2019 10:07:28 -0800 (PST) X-Google-Smtp-Source: APXvYqwqeEQLdV5b0aQCGykjgggba3azaSpzGhY86IfVEKb8Ez2kwXK/NCTWMd633qVFSh9ysweb X-Received: by 2002:a50:eacc:: with SMTP id u12mr37492826edp.290.1572977248503; Tue, 05 Nov 2019 10:07:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572977248; cv=none; d=google.com; s=arc-20160816; b=IfM5bSIMwwtRsHQMN2ohCni+w7xYyq0ZCHZCSspICGkPOvaQtK1ya9lXINZHAQN/4F sadJ7fC9H5BHXsp5iA02XXPwRWEcxLhCLwpVDg2OxZBh04VIDDES+XJhDxoC/JR6ES3C O0zSBWqoxINxqHFbUQcn1BQI5ukuFOcX9uTThhDe2+Lh9/sGFuTV6fcVDcKcFNWHx3mu zOo/5oApQ8ps8qYBTdiMNcHsx7Blh8vBc2EiVVnKx9wfciDZnjqwpdMCPfkbqx2/Iplv rXMV49zLk/CtjHt/+nhSa0dAMfbhyQ0/pmo7eN2w1EDuSRcDcOp2RGlw0XuECp/zwSAL n8DA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:openpgp:from:references:cc:to:subject; bh=9CEohqEyit+qSr6o91oRLDcUFg1Yics/s1abcSSHeQ0=; b=G5Kydp0u5eKJ9W4oOL+sfrOUn2THfGF/joeOcGd96b4uo3TEEpXziN0VnLywOwb+Hg dRV5ghddVTM1IOul+FN23Z3RZ8Fz4xxsjT24IW5L2wV96pjWCRqIP+bCiB63kTzEBwKe zeWH1leO93SvgRo/y8fxLfaLDKx2vyZXOZK3UM73EEPrlZ4MA58xIgCThToOd8Vpl0Ps oia91F3HatGH5nD7jMfkR4BOi87jMNv12eGpuwqfB1CysiGipmLy5AGe1VQbScEgnZkN +tJGs1A+rKPJ+5BqFAY6L120IDNZC+LHcu/+bjBs/A10lLyuB3HKtUN+5QH1Ed0J5nxL IRmQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id gu7si13412454ejb.405.2019.11.05.10.07.03; Tue, 05 Nov 2019 10:07:28 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390612AbfKESED (ORCPT + 99 others); Tue, 5 Nov 2019 13:04:03 -0500 Received: from smtp-sh2.infomaniak.ch ([128.65.195.6]:36975 "EHLO smtp-sh2.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388711AbfKESED (ORCPT ); Tue, 5 Nov 2019 13:04:03 -0500 Received: from smtp6.infomaniak.ch (smtp6.infomaniak.ch [83.166.132.19]) by smtp-sh2.infomaniak.ch (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id xA5I1n5F051832 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 5 Nov 2019 19:01:49 +0100 Received: from ns3096276.ip-94-23-54.eu (ns3096276.ip-94-23-54.eu [94.23.54.103]) (authenticated bits=0) by smtp6.infomaniak.ch (8.14.5/8.14.5) with ESMTP id xA5I1fcs055903 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 5 Nov 2019 19:01:42 +0100 Subject: Re: [PATCH bpf-next v13 4/7] landlock: Add ptrace LSM hooks To: Alexei Starovoitov Cc: linux-kernel@vger.kernel.org, Alexei Starovoitov , Andy Lutomirski , Casey Schaufler , Daniel Borkmann , David Drysdale , Florent Revest , James Morris , Jann Horn , John Johansen , Jonathan Corbet , Kees Cook , KP Singh , Michael Kerrisk , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Stephen Smalley , Tejun Heo , Tetsuo Handa , Tycho Andersen , Will Drewry , bpf@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, netdev@vger.kernel.org References: <20191104172146.30797-1-mic@digikod.net> <20191104172146.30797-5-mic@digikod.net> <20191105171824.dfve44gjiftpnvy7@ast-mbp.dhcp.thefacebook.com> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Openpgp: preference=signencrypt Message-ID: <23acf523-dbc4-855b-ca49-2bbfa5e7117e@digikod.net> Date: Tue, 5 Nov 2019 19:01:41 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: <20191105171824.dfve44gjiftpnvy7@ast-mbp.dhcp.thefacebook.com> Content-Type: text/plain; charset=iso-8859-15 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05/11/2019 18:18, Alexei Starovoitov wrote: > On Mon, Nov 04, 2019 at 06:21:43PM +0100, Micka?l Sala?n wrote: >> Add a first Landlock hook that can be used to enforce a security policy >> or to audit some process activities. For a sandboxing use-case, it is >> needed to inform the kernel if a task can legitimately debug another. >> ptrace(2) can also be used by an attacker to impersonate another task >> and remain undetected while performing malicious activities. >> >> Using ptrace(2) and related features on a target process can lead to a >> privilege escalation. A sandboxed task must then be able to tell the >> kernel if another task is more privileged, via ptrace_may_access(). >> >> Signed-off-by: Micka?l Sala?n > ... >> +static int check_ptrace(struct landlock_domain *domain, >> + struct task_struct *tracer, struct task_struct *tracee) >> +{ >> + struct landlock_hook_ctx_ptrace ctx_ptrace = { >> + .prog_ctx = { >> + .tracer = (uintptr_t)tracer, >> + .tracee = (uintptr_t)tracee, >> + }, >> + }; > > So you're passing two kernel pointers obfuscated as u64 into bpf program > yet claiming that the end goal is to make landlock unprivileged?! > The most basic security hole in the tool that is aiming to provide security. How could you used these pointers without dedicated BPF helpers? This context items are typed as PTR_TO_TASK and can't be used without a dedicated helper able to deal with ARG_PTR_TO_TASK. Moreover, pointer arithmetic is explicitly forbidden (and I added tests for that). Did I miss something? > > I think the only way bpf-based LSM can land is both landlock and KRSI > developers work together on a design that solves all use cases. As I said in a previous cover letter [1], that would be great. I think that the current Landlock bases (almost everything from this series except the seccomp interface) should meet both needs, but I would like to have the point of view of the KRSI developers. [1] https://lore.kernel.org/lkml/20191029171505.6650-1-mic@digikod.net/ > BPF is capable > to be a superset of all existing LSMs whereas landlock and KRSI propsals today > are custom solutions to specific security concerns. BPF subsystem was extended > with custom things in the past. In networking we have lwt, skb, tc, xdp, sk > program types with a lot of overlapping functionality. We couldn't figure out > how to generalize them into single 'networking' program. Now we can and we > should. Accepting two partially overlapping bpf-based LSMs would be repeating > the same mistake again. I'll let the LSM maintainers comment on whether BPF could be a superset of all LSM, but given the complexity of an access-control system, I have some doubts though. Anyway, we need to start somewhere and then iterate. This patch series is a first step.