Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp5716418ybf; Thu, 5 Mar 2020 05:51:24 -0800 (PST) X-Google-Smtp-Source: ADFU+vvImFvlcZpRyN70QxfPLh209fhyvdlK2Re/eMM9sgc7gP9MYaDVpDt2ZWlhuNGmCn4tvB2w X-Received: by 2002:aca:a997:: with SMTP id s145mr4119724oie.140.1583416283574; Thu, 05 Mar 2020 05:51:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583416283; cv=none; d=google.com; s=arc-20160816; b=RhenVFlUciMdaxfqIu48uZ4OW+6dYCGc5u3rOm85IKCx4aTqTkdgDS7u15o6l6TacD gmtkM1jz8QQiQE4MWpDD9MiOP4jEtGnGMJ9Ht/SU1VbNkYndjZ2/Gyusx63+mVAH68FP Vwh1Tdz2Giko+yxosK2Mv9Dj7mnfZN54pBAs1AVELYYKrc+jmgZxXMP0DlgeX3tNIPhw 2EN2hndt9ZmkzygpUNXG/tG+LVk0U91H+L25zRq43S2lPFNEBlEVRuVk5u7PUkOfrvKw hgOcea0g5Q9yIU6LCzgPpJ/P617DpJfb0R5SMnipFqvA9GXmfMdidJqXPjrjXUattkPD Hncg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=fcCTfa/+b2H8bD6/l2jkw8E4TRC6mBDpyhRVH0rkeuw=; b=N0S/IlDHVOLzcsahL/myA5H/cuRIjB4jJhUCtUJ1r/UIaJwa9XqJQKlsObwl6FvK5e vtPxZrSnRBME+6LhO1upPBRnXyRpMCa8e1AH9QSBigMCvDcDPezeEl9RbVgG6zaHx++I wuwmeqIba+05VsTRvNmKpvfd5ScQAhg5pfHddFmQ6mhkUw2ecUtubz2o0uobdXSt1S47 P1LOZQ+uWmvOujFZfht2YUCS5J+pYoHhaGXw34FwFUNrXdc4LU6K9Mv2hJ/kQDJ04YJo rxWFC0sVYxjrFCFshjOWKmV4OIpEnptMh1zaCeqZqXOtwYOMijAEkLGQUhil4RM+RZh7 hqjA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=bob5i7Hx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 45si3304700otg.7.2020.03.05.05.51.10; Thu, 05 Mar 2020 05:51:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=bob5i7Hx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726191AbgCENup (ORCPT + 99 others); Thu, 5 Mar 2020 08:50:45 -0500 Received: from mail-oi1-f196.google.com ([209.85.167.196]:38338 "EHLO mail-oi1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725991AbgCENup (ORCPT ); Thu, 5 Mar 2020 08:50:45 -0500 Received: by mail-oi1-f196.google.com with SMTP id x75so5990445oix.5; Thu, 05 Mar 2020 05:50:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fcCTfa/+b2H8bD6/l2jkw8E4TRC6mBDpyhRVH0rkeuw=; b=bob5i7Hx/1c84xrjeDHggoA7v1P27/LaFo+Tv1+2TxOFFyU6cuvCSz7SHlOOspW8Fs AgDpkhqBum4Tb5nRKQP5LEZNWteQW+XO5aV2rLWhs7C3kVnZWlXBBFpTW815/ib5loHl Lte9VAzb954Y+9kOYs3Zoj3CIawohp39tvMtbhkPH073pg8hSpC5HeRbJ9gsHlQIM2mA MMzNaJVtN1XHin5uT4UKfWT7HOlnGQCsSptHEWHriu7ByFd8D4K/wv66VvC+76qbNJGW i1XWeWsA6B67rMal1OugqQJWDfFLuDAGtWFC6tOloj7dkiBD7nAjtqjXz1c6lGuGJJZR ouFg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fcCTfa/+b2H8bD6/l2jkw8E4TRC6mBDpyhRVH0rkeuw=; b=jHULGypSb6U4xMr3J0gXv7rjwXJVycoP79vibY8OzyWbSgr5v00N71xnBppfQqytcE cM+fWNlZGXEPPBdYkHl+U8nEN92Od9Ms5BrwlDnr1J1pSNTDr00W4u7znIOq3VewQ+mc Shb4WoDkQIkal9YQnm3LnRPNobbFFS7s9fi2wTKA5fSV49xZ8GdWarTZBwYal2qdkpGS huF3I90mY5+AV/MtVXioxY+kdC82mRnRr624VM3vZTHJZz2Bh7430DYAIIfb7kPFdZKJ XiFJGvnWw4z7SORdHGRNC6lftc0wydX2USFHYWMDmo051H01MskkTpW5JHuhP1sS0NPa m+7w== X-Gm-Message-State: ANhLgQ3ZaozaziZsff7vSgM1CUHcuCKyCqn0tRB97wEBAbjH6zq3mzSy hyE2cR+uF3O2dSAb/tVgtbcuTvfWGMVReTiRqGE= X-Received: by 2002:aca:3544:: with SMTP id c65mr5488952oia.160.1583416244454; Thu, 05 Mar 2020 05:50:44 -0800 (PST) MIME-Version: 1.0 References: <20200304191853.1529-1-kpsingh@chromium.org> <20200304191853.1529-4-kpsingh@chromium.org> In-Reply-To: <20200304191853.1529-4-kpsingh@chromium.org> From: Stephen Smalley Date: Thu, 5 Mar 2020 08:51:58 -0500 Message-ID: Subject: Re: [PATCH bpf-next v4 3/7] bpf: Introduce BPF_MODIFY_RETURN To: KP Singh Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, Andrii Nakryiko , Alexei Starovoitov , Daniel Borkmann , Paul Turner , Jann Horn , Florent Revest , Brendan Jackman , jmorris@namei.org, Paul Moore , casey@schaufler-ca.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 4, 2020 at 2:20 PM KP Singh wrote: > > From: KP Singh > > When multiple programs are attached, each program receives the return > value from the previous program on the stack and the last program > provides the return value to the attached function. > > The fmod_ret bpf programs are run after the fentry programs and before > the fexit programs. The original function is only called if all the > fmod_ret programs return 0 to avoid any unintended side-effects. The > success value, i.e. 0 is not currently configurable but can be made so > where user-space can specify it at load time. > > For example: > > int func_to_be_attached(int a, int b) > { <--- do_fentry > > do_fmod_ret: > > if (ret != 0) > goto do_fexit; > > original_function: > > > > } <--- do_fexit > > The fmod_ret program attached to this function can be defined as: > > SEC("fmod_ret/func_to_be_attached") > int BPF_PROG(func_name, int a, int b, int ret) > { > // This will skip the original function logic. > return 1; > } > > The first fmod_ret program is passed 0 in its return argument. > > Signed-off-by: KP Singh > Acked-by: Andrii Nakryiko IIUC you've switched from a model where the BPF program would be invoked after the original function logic and the BPF program is skipped if the original function logic returns non-zero to a model where the BPF program is invoked first and the original function logic is skipped if the BPF program returns non-zero. I'm not keen on that for userspace-loaded code attached to LSM hooks; it means that userspace BPF programs can run even if SELinux would have denied access and SELinux hooks get skipped entirely if the BPF program returns an error. I think Casey may have wrongly pointed you in this direction on the grounds it can already happen with the base DAC checking logic. But that's kernel DAC checking logic, not userspace-loaded code. And the existing checking on attachment is not sufficient for SELinux since CAP_MAC_ADMIN is not all powerful to SELinux. Be careful about designing your mechanisms around Smack because Smack is not the only LSM.