Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp5708406ybf; Thu, 5 Mar 2020 05:42:34 -0800 (PST) X-Google-Smtp-Source: ADFU+vvcSCzaTwGKK09rYJSQsI/3Pj3MfjqaGUGzWSd2ommhpSs8dq8SYcrJz5wkogjL40XaYThI X-Received: by 2002:a9d:7d0c:: with SMTP id v12mr6706377otn.171.1583415754172; Thu, 05 Mar 2020 05:42:34 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583415754; cv=none; d=google.com; s=arc-20160816; b=PIo77qA882T39Ob9a9qV8sNtd7kJYBj2ezGxyqaO/cDYLNhkiQcIdCHbCLXoVluPig s1Kn3VbEcYaxGrzRzFfCJWVhoIiK5pUwlV67O8UBA7tAdXZ4+vRuf7EzizgH9chWr5R6 qzYwDNJ9R7y/drkhBo+OqLRwY8H4rghNCfPyacVrj6nXekSFVyRaW5e7iMGKXRESXMCU N+Do6HeLxKKrx59QJaitN3pQpFvK43kd4MiOOLFOAxFu/0vRdrhORuL1xKMvg3s9SyZ2 9qg3QFL82hxUoh+Gu9zAIf9rrVdAc6xY7B5PTL4s0ijbJGG3In1j+Vq9BOoyIgiUtyG5 qv3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Eg8qOXXxTZFH+avf9eVy3dxxHHbyWn0g+mO5XgLQ+LM=; b=GlbJSxV1ivHmcVUJCs2aTKr/lyxalWoh8iGPQNVOVPKC95msk7iBxQKngrJWjswaqK WMEZ606Nqm9zeFI9n1DZIlYtsm5hlz8SoSM7BIutk5e0pyprW2AiMmyosDgQkXokETgk yYMM6QQNqiH3GZRWgaSARnCIAEENdrL8cTX+JAxuuhHDfMz5w9xp1AlnSqFlSI54GpTN mN4BF2tf+4uRRcQpEIu0M464jYqiTsOIxTdGu38Z6Unjf0FYfWuZte1ESffHrUeQ2s0S fsyFjY6TMUFgM5LFWFy8U666TzKNRxQ2/T8aXahIvn1laZ5yctUmqYyxMQxy+P9zJ05Q pjlQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=FmtSTEvH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p15si3437058otq.215.2020.03.05.05.42.22; Thu, 05 Mar 2020 05:42:34 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=FmtSTEvH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726083AbgCENl7 (ORCPT + 99 others); Thu, 5 Mar 2020 08:41:59 -0500 Received: from mail-oi1-f194.google.com ([209.85.167.194]:36062 "EHLO mail-oi1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725989AbgCENl7 (ORCPT ); Thu, 5 Mar 2020 08:41:59 -0500 Received: by mail-oi1-f194.google.com with SMTP id t24so5993062oij.3; Thu, 05 Mar 2020 05:41:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Eg8qOXXxTZFH+avf9eVy3dxxHHbyWn0g+mO5XgLQ+LM=; b=FmtSTEvH4JMkzvU0rV87l8dSnNd84J4k4OZljnkIKeA+JdbhSP2k3UYVQHAj/RdzZo 3X0XIgdmwfssLPelrx2aDyIQUJYesIXKOkcKZNCtmXlc89vmsPXqkm+yQXN3ygynVjbx kA/QSQ/XlzuAL3x3oTPFD5Kkb7hT2/DZcQumspk3pMO31H0x5RSlrPF2krNULhOMuRRs 7gHmKFAPVWUPnfWSCSlJLvyV4AYkbm+vUQVwHSMiCzuwiIG2lHJFWjrz/R6fMGO+g2PT JIXFfICm6nMqSzkHWrXGgBrbUtNWAFrx7Ld2iLBooTpGfVfsdKb0XRNnsuhaqmnGm5Wr r19w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Eg8qOXXxTZFH+avf9eVy3dxxHHbyWn0g+mO5XgLQ+LM=; b=C91yfvNHiKvlUR5jUaZAWKFMaW/lhjwACwHYsQwIhpTgpa8BRH3fD3pPRZD4Ph6Cg5 2Ri+7b+2dal7Vm6CD/h2Z51HdfPnVgDfAn80eELCu14/ErlK9GtiUObqYFP4ojagSax2 /4BV8sEVV+vpCYpB8giSYQ3BDJ0oUuwBjoGnXel3uKi/p20o0UsjB6emfnyN7Sn9ZFVU mgenznFSeoyHv7zG184cQ8rNbLN0RgAGFh30nxzPVeLd4+zEdgNHk7cpzMWxgZK+mShy w/UshD8Fy9ebxxSrKG+UNNLOUaOqac+ymGlqm4xFcee6v/Khe58JDexTNwiFoYsWur0u auaw== X-Gm-Message-State: ANhLgQ3p3X7aZDuDXP7Hns2onQMMAOkuxvi/KmehvXO+C49nSsjykGaj Q3eCh4NoIo7aIufiNudLCSyN9INXDJPkiJFpBYI= X-Received: by 2002:aca:3544:: with SMTP id c65mr5466604oia.160.1583415718336; Thu, 05 Mar 2020 05:41:58 -0800 (PST) MIME-Version: 1.0 References: <20200304191853.1529-1-kpsingh@chromium.org> <20200304191853.1529-5-kpsingh@chromium.org> In-Reply-To: <20200304191853.1529-5-kpsingh@chromium.org> From: Stephen Smalley Date: Thu, 5 Mar 2020 08:43:11 -0500 Message-ID: Subject: Re: [PATCH bpf-next v4 4/7] bpf: Attachment verification for BPF_MODIFY_RETURN To: KP Singh Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, Andrii Nakryiko , Alexei Starovoitov , Daniel Borkmann , Paul Turner , Jann Horn , Florent Revest , Brendan Jackman , Paul Moore , jmorris@namei.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 4, 2020 at 2:20 PM KP Singh wrote: > > From: KP Singh > > - Allow BPF_MODIFY_RETURN attachment only to functions that are: > > * Whitelisted for error injection by checking > within_error_injection_list. Similar discussions happened for the > bpf_override_return helper. > > * security hooks, this is expected to be cleaned up with the LSM > changes after the KRSI patches introduce the LSM_HOOK macro: > > https://lore.kernel.org/bpf/20200220175250.10795-1-kpsingh@chromium.org/ > > - The attachment is currently limited to functions that return an int. > This can be extended later other types (e.g. PTR). > > Signed-off-by: KP Singh > Acked-by: Andrii Nakryiko > --- > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 2460c8e6b5be..ae32517d4ccd 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -9800,6 +9801,33 @@ static int check_struct_ops_btf_id(struct bpf_verifier_env *env) > > return 0; > } > +#define SECURITY_PREFIX "security_" > + > +static int check_attach_modify_return(struct bpf_verifier_env *env) > +{ > + struct bpf_prog *prog = env->prog; > + unsigned long addr = (unsigned long) prog->aux->trampoline->func.addr; > + > + if (within_error_injection_list(addr)) > + return 0; > + > + /* This is expected to be cleaned up in the future with the KRSI effort > + * introducing the LSM_HOOK macro for cleaning up lsm_hooks.h. > + */ > + if (!strncmp(SECURITY_PREFIX, prog->aux->attach_func_name, > + sizeof(SECURITY_PREFIX) - 1)) { > + > + if (!capable(CAP_MAC_ADMIN)) > + return -EPERM; CAP_MAC_ADMIN was originally introduced for Smack and is not all-powerful wrt SELinux, so this is not a sufficient check for SELinux. We would want an actual security hook called here so we can implement a specific check over userspace being able to attach BPF progs to LSM hooks. CAP_MAC_ADMIN has other connotations to SELinux (presently the ability to set/get file security labels that are not known to the currently loaded policy).