Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp5948002ybf; Thu, 5 Mar 2020 10:02:54 -0800 (PST) X-Google-Smtp-Source: ADFU+vv4wJ+2uALS3tMs7oegT6352zzosy+OVVlXDQLTKc1o2kWg0HQeCpd+OUApBfJFKa72wWgT X-Received: by 2002:a9d:6753:: with SMTP id w19mr6984315otm.6.1583431374611; Thu, 05 Mar 2020 10:02:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583431374; cv=none; d=google.com; s=arc-20160816; b=WKI0Ncyrmmcjfatl4d7Q/WL5yaw7BCr9hK976CP0Pet7HZFxal5vjJtT6q9rU9Ncjk dbe4aVV7PLujq6Kpfn6g+UKqbt10hoZxnjpm8HO/gErFsy3/qUNEvXfL55qLUgf3a/HM VCCypj0fahUWgTbMiTAjd7MnJuXMWXq2uhWSVBvVSflqtwbOGtOwLEq369EzI/uxs/FA Q88vctf5q5iPwi2HjstOQdpBTSE2XfyNm3OwNPXud2TYMBX5ksA0tMfgdTSl2g1Ewi3i HWqIsQTyLpG8jirYc0XtjEocUpwyhwkMhfwXkk+/dLQjJ5OjAbTSNZhRaRLjKSNoAuhW 50Wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=bImCa8e75imP5OBiFn4OIcu9vGwfjFkhcN3Jk6EQf9c=; b=J9opnKXu6tcxXzD5YpIVrAcGXHdnvEzI+mCVaOVtnK63xgu3MRkopGHabeOc1kH781 ePAEH3aVRB4E3qKhjLlL2KPPPwMt3jmWuK7r75NPTY3B0zuVWDLs06dnrcBPR5QiDyye 3mZbzCXR3kLIzl4MESZ5PJZW6kTelf0ZyvAkICFSbHg/m0KRXAE8Ta1Obcq8vmjjA2de Uz3sXoJ9gjKGfbdyWwNfgxW/iTgeXkL6xzEgnjU8erBPrgC70qtS/jPmpaSNE+fLU24B zL57PCUdNKrcbW19E0uTFRdr1+c4NaFxVdePCbDb+dWWE71FA5BrcIt1tpNEuRY877t4 teeg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=UBjwhXXB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s28si135228otd.65.2020.03.05.10.02.40; Thu, 05 Mar 2020 10:02:54 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=UBjwhXXB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726142AbgCESCV (ORCPT + 99 others); Thu, 5 Mar 2020 13:02:21 -0500 Received: from mail-ot1-f68.google.com ([209.85.210.68]:35724 "EHLO mail-ot1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725993AbgCESCV (ORCPT ); Thu, 5 Mar 2020 13:02:21 -0500 Received: by mail-ot1-f68.google.com with SMTP id v10so6631460otp.2; Thu, 05 Mar 2020 10:02:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bImCa8e75imP5OBiFn4OIcu9vGwfjFkhcN3Jk6EQf9c=; b=UBjwhXXB7Z3eO7J/9T0RT1RI8fpcwomIFdsfs667Q3w3V4MrEqj1JxGClS1nCzLXtu OB4WkpY+EooNfPTvjY0qr7DuPSuAt7D3SqzFKq/ellIgtaM3DY5QKKfXbjyCEvvEnz4t hQgjGwsVgvNtcF/t15XaM8sJ0DczcuyEFDLQngNw/LaGa25bryQxdbXRJXbFyqwVr35S 4mc7xyA/NQFFk/74kv7IXPPe0E+jcGUm/mVR+WQR/dRZWyEB6xBf164GWiu62359avCj pNLVz2qmkVV68i19jQxzYExh6ecLV9Wd0N80e0/2f1v7GC1yxe8B96jBPoj4u9BcY+5t eiqQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bImCa8e75imP5OBiFn4OIcu9vGwfjFkhcN3Jk6EQf9c=; b=nq0pSMsCcs7ZolZI5OpvXhCVJW6FXOtzhdFe6GrDCYNaCRPQGXgER8mmS1TbzKvpaS ycUV0tQWSsNS8cYIo7B2IFDoe2iCoMhRvGobiYE3xHxHAdulWCVCOFDwmCTpfI3AIB1e rHIWl9v8zjpIZGcvusBqR6l5XyHDmpm5qWvo6pyKs5ZEjRYtJK3iSslBldsZjdjrkmkr rx/PliuQ7U13hW0uRuIVEczDUYYN7w4J2SflhmUqNWWLF0OtO+nouM7PkiJPUIqlUDFM jFVZ0CwL04xqb85hB7R3V+rgoayogYqg5J7a+pGUGfNznBia/Ieh6vjwUqP0Q4WA31vN dpQQ== X-Gm-Message-State: ANhLgQ2P87WWWV8yZfXHMFQxw4OqxHF+VWFGmozxS9TP1IRHIT66U7nq QBFGEqI3lWIfvfomGVQXOIuxTm8SAbNoe+nXjJs= X-Received: by 2002:a05:6830:22f2:: with SMTP id t18mr7959676otc.165.1583431340611; Thu, 05 Mar 2020 10:02:20 -0800 (PST) MIME-Version: 1.0 References: <20200304191853.1529-1-kpsingh@chromium.org> <20200304191853.1529-4-kpsingh@chromium.org> <20200305155421.GA209155@google.com> In-Reply-To: From: Stephen Smalley Date: Thu, 5 Mar 2020 13:03:26 -0500 Message-ID: Subject: Re: [PATCH bpf-next v4 3/7] bpf: Introduce BPF_MODIFY_RETURN To: Casey Schaufler Cc: KP Singh , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, Andrii Nakryiko , Alexei Starovoitov , Daniel Borkmann , Paul Turner , Jann Horn , Florent Revest , Brendan Jackman , jmorris@namei.org, Paul Moore Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 5, 2020 at 12:35 PM Casey Schaufler wrote: > I believe that I have stated that order isn't my issue. > Go first, last or as specified in the lsm list, I really > don't care. We'll talk about what does matter in the KRSI > thread. Order matters when the security module logic (in this case, the BPF program) is loaded from userspace and the userspace process isn't already required to be fully privileged with respect to the in-kernel security modules. CAP_MAC_ADMIN was their (not unreasonable) attempt to check that requirement; it just doesn't happen to convey the same meaning for SELinux since SELinux predates the introduction of CAP_MAC_ADMIN (in Linux at least) and since SELinux was designed to confine even processes with capabilities. > Then I'm fine with using the LSM ordering mechanisms that Kees > thought through to run the BPF last. Although I think it's somewhat > concerning that SELinux cares what other security models might be > in place. If BPF programs can violate SELinux (or traditional DAC) > policies there are bigger issues than ordering. It is only safe for Smack because CAP_MAC_ADMIN already conveys all privileges with respect to Smack. Otherwise, the BPF program can access information about the object attributes, e.g. inode attributes, and leak that information to userspace even if SELinux would have denied the process that loaded the BPF program permissions to directly obtain that information. This is also why Landlock has to be last in the LSM list.