Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp2670367ybx; Fri, 8 Nov 2019 07:42:33 -0800 (PST) X-Google-Smtp-Source: APXvYqxtI9ScNNPWyzrJ5vQOoJnZTCJOVPLUrqdjcReC+wJ6W7/+MFrwrMDRB3SlyGD8abVg6IMT X-Received: by 2002:a50:90a8:: with SMTP id c37mr10859094eda.153.1573227753606; Fri, 08 Nov 2019 07:42:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573227753; cv=none; d=google.com; s=arc-20160816; b=OJNo3KHxRRCj6jkt4Pzl8yUP4Jrog2fxFzWXtJ8HPcVZ/1zRsMfa9eQFqutZkJRajE hyHqpib4ZLMlQ6LvX21zabBjxmdZ8/6NCPmBVkvwTxWOjIeUPUrjACG37wmDaOns6zdH PeVY2dz4PtAYZRiaO+oz8wVuM23y/MnGcSYeQGFuPc6qc5OvcGWISruAYTHJFRMg5VkZ YH/HaSVtcoGPJkNb5CkVteNKTouR7eOEtWoY5tEB/G8rBTzAVOu+4Uz4vq5wZRedpOdB Ibi3Ycj8oprJPG/01vfIhg6cxhjePH0NIEc4Zi7/M5+6PhKsZofLSmtJF0zHfNpENP8Y j51w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:openpgp:from:references:cc:to:subject; bh=VgUSwHnH0dETy4u4YBhPq7mSXSfmvwZtLhh/5dBtTP8=; b=e8V7eFzJyajKUO4IHI1fNpUlgJE1B6thELehTcZELb/mmLOjdda6UsP+4e0mPsiB5N gxLOBBffR+9WUmEKyIJf03XOBpzYaXuLQcwSwtYqJI6VN62N305yVgIy/zh3jCnOChUO PcWZqqLBul7UfVQzy7jwpInjyvVy9S+cvbuXMuRtm4pdXgwdtCvi/PYy4bRe+Wiem8O3 Gjb8gb2unbTO+tDo9Xuu2Nzih65v/m5TEvhsdI8xFmskQcgzTE0H4ccPsZHZxNGkgA56 YwOywAOdD55Fa1CXYxbUDgkg1IVFZCEQbNGLmAQVq7Cd5XdPHv7Cqws8AUcWhLQG5Ox2 P9RA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f21si4747523ede.253.2019.11.08.07.42.10; Fri, 08 Nov 2019 07:42:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727108AbfKHPlM (ORCPT + 99 others); Fri, 8 Nov 2019 10:41:12 -0500 Received: from smtp-sh2.infomaniak.ch ([128.65.195.6]:36977 "EHLO smtp-sh2.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726039AbfKHPlL (ORCPT ); Fri, 8 Nov 2019 10:41:11 -0500 Received: from smtp7.infomaniak.ch (smtp7.infomaniak.ch [83.166.132.30]) by smtp-sh2.infomaniak.ch (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id xA8Fe0wD187815 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 8 Nov 2019 16:40:00 +0100 Received: from ns3096276.ip-94-23-54.eu (ns3096276.ip-94-23-54.eu [94.23.54.103]) (authenticated bits=0) by smtp7.infomaniak.ch (8.14.5/8.14.5) with ESMTP id xA8FduEU195949 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 8 Nov 2019 16:39:56 +0100 Subject: Re: [PATCH bpf-next v13 4/7] landlock: Add ptrace LSM hooks To: Daniel Borkmann Cc: KP Singh , Alexei Starovoitov , linux-kernel@vger.kernel.org, Alexei Starovoitov , Andy Lutomirski , Casey Schaufler , David Drysdale , Florent Revest , James Morris , Jann Horn , John Johansen , Jonathan Corbet , Kees Cook , Michael Kerrisk , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Stephen Smalley , Tejun Heo , Tetsuo Handa , Tycho Andersen , Will Drewry , bpf@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, netdev@vger.kernel.org References: <20191104172146.30797-1-mic@digikod.net> <20191104172146.30797-5-mic@digikod.net> <20191105171824.dfve44gjiftpnvy7@ast-mbp.dhcp.thefacebook.com> <23acf523-dbc4-855b-ca49-2bbfa5e7117e@digikod.net> <20191105193446.s4pswwwhrmgk6hcx@ast-mbp.dhcp.thefacebook.com> <20191106100655.GA18815@chromium.org> <813cedde-8ed7-2d3b-883d-909efa978d41@digikod.net> <20191106214526.GA22244@chromium.org> <3e208632-e7ab-3405-5196-ab1d770e20c3@digikod.net> <5d0f1dc5-5a99-bd6a-4acc-0cdcd062a0c9@iogearbox.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Openpgp: preference=signencrypt Message-ID: <78b75ea3-3a7c-103c-ee00-a9c6c41bcd9c@digikod.net> Date: Fri, 8 Nov 2019 16:39:55 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: <5d0f1dc5-5a99-bd6a-4acc-0cdcd062a0c9@iogearbox.net> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 08/11/2019 15:34, Daniel Borkmann wrote: > On 11/8/19 3:08 PM, Mickaël Salaün wrote: >> On 06/11/2019 22:45, KP Singh wrote: >>> On 06-Nov 17:55, Mickaël Salaün wrote: >>>> On 06/11/2019 11:06, KP Singh wrote: >>>>> On 05-Nov 11:34, Alexei Starovoitov wrote: >>>>>> On Tue, Nov 05, 2019 at 07:01:41PM +0100, Mickaël Salaün wrote: >>>>>>> On 05/11/2019 18:18, Alexei Starovoitov wrote: > [...] >>> * Use a single BPF program type; this is necessary for a key requirement >>>    of KRSI, i.e. runtime instrumentation. The upcoming prototype should >>>    illustrate how this works for KRSI - note that it’s possible to vary >>>    the context types exposed by different hooks. >> >> Why a single BPF program type? Do you mean *attach* types? Landlock only >> use one program type, but will use multiple attach types. >> >> Why do you think it is necessary for KRSI or for runtime instrumentation? >> >> If it is justified, it could be a dedicated program attach type (e.g. >> BPF_LANDLOCK_INTROSPECTION). >> >> What is the advantage to have the possibility to vary the context types >> over dedicated *typed* contexts? I don't see any advantages, but at >> least one main drawback: to require runtime checks (when helpers use >> this generic context) instead of load time checks (thanks to static type >> checking of the context). > > Lets take security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) > as one specific example here: the running kernel has its own internal > btf_vmlinux and therefore a complete description of itself. From verifier > side we can retrieve & introspect the security_sock_rcv_skb signatue OK, this is indeed the signature defined by the kernel API. What happen if this API change (e.g. if struct sock is replaced with a struct sock_meta)? > and > thus know that the given BPF attachment point has struct sock and struct > sk_buff as input arguments How does the verifier know a given BPF attachment point for a program without relying on its type or attach type? How and where is registered this mapping? To say it another way, if there is no way to differentiate two program targeting different hook, I don't understand how the verifier could check if a given program can legitimately call a helper which could read the tracer and tracee fields (legitimate for a ptrace hook), whereas this program may be attached to a sock_rcv_skb hook (and there is no way to know that). > which can then be accessed generically by the > prog in order to allow sk_filter_trim_cap() to pass or to drop the skb. > The same generic approach can be done for many of the other lsm hooks, so > single program type would be enough there and context is derived > automatically, > no dedicated extra context per attach type would be needed and no runtime > checks as you mentioned above since its still all asserted at verification > time. I mentioned runtime check because I though a helper should handle the case when it doesn't make sense for a program attached to a specific point/hook (e.g. ptrace) to use an input argument (e.g. sk) defined for another point/hook (e.g. sock_rcv_skb). > > Thanks, > Daniel > Thanks for this explanation Daniel.