From: Stephen Smalley
Date: Tue, 24 Mar 2020 10:37:51 -0400
Subject: Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks
To: KP Singh
Cc: Casey Schaufler, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, LSM List, Brendan Jackman, Florent Revest, Alexei Starovoitov, Daniel Borkmann, James Morris, Kees Cook, Paul Turner, Jann Horn, Florent Revest, Brendan Jackman, Greg Kroah-Hartman

On Mon, Mar 23, 2020 at 9:52 PM KP Singh wrote:
>
> On 23-Mär 18:13, Casey Schaufler wrote:
> > On 3/23/2020 9:44 AM, KP Singh wrote:
> > > From: KP Singh
> > >
> > > The bpf_lsm_ nops are initialized into the LSM framework like any other
> > > LSM. Some LSM hooks do not have 0 as their default return value. The
> > > __weak symbol for these hooks is overridden by a corresponding
> > > definition in security/bpf/hooks.c
> > >
> > > + return 0;
>
> [...]
>
> > > +}
> > > +
> > > +DEFINE_LSM(bpf) = {
> > > + .name = "bpf",
> > > + .init = bpf_lsm_init,
> >
> > Have you given up on the "BPF must be last" requirement?
>
> Yes, we dropped it as the BPF programs require CAP_SYS_ADMIN
> anyways so the position ~shouldn't~ matter. (based on some of the
> discussions we had on the BPF_MODIFY_RETURN patches).
>
> However, this can be added later (in a separate patch) if really
> deemed necessary.

It matters for SELinux, as I previously explained. A process that has
CAP_SYS_ADMIN is not assumed to be able to circumvent MAC policy.
And executing prior to SELinux allows the bpf program to access and
potentially leak to userspace information that wouldn't be visible to
the process itself. However, I thought you were handling the order
issue by putting it last in the list of lsms?
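
Review bot: In the quoted DEFINE_LSM(bpf) initializer only .name and .init are set, so the visible lines neither enforce nor document where the bpf hooks run relative to other LSMs, which is the question both Casey and this reply raise. Say in the commit message what ordering is intended and how it is achieved, and if it relies on list position rather than code, note that next to the initializer.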
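
The ordering point in the reply above, as an added example that is not part of the original thread or the kernel patch: a user-space C model, assuming the LSM framework's rule that integer hooks run in registration order and stop at the first non-zero return. `mac_hook`, `bpf_hook` and the sample object are hypothetical stand-ins, not kernel code.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the object a hook inspects (not a kernel type). */
struct object { const char *label; const char *secret; };
typedef int (*hook_fn)(const struct object *);

static char observed[64];  /* what the bpf-style hook managed to read */
/* Models a MAC module: denies anything labelled "restricted". */
static int mac_hook(const struct object *o)
{
    return strcmp(o->label, "restricted") == 0 ? -EACCES : 0;
}

/* Models an attached program that records what it is shown, then allows. */
static int bpf_hook(const struct object *o)
{
    snprintf(observed, sizeof(observed), "%s", o->secret);
    return 0;
}

/* Same rule as call_int_hook(): registration order, stop at first non-zero. */
static int call_hooks(hook_fn *hooks, int n, const struct object *o)
{
    for (int i = 0; i < n; i++) {
        int rc = hooks[i](o);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* Returns 1 if the bpf-style hook read an object the MAC hook denied. */
int bpf_saw_denied_object(int bpf_first)
{
    hook_fn before[] = { bpf_hook, mac_hook };
    hook_fn after[] = { mac_hook, bpf_hook };
    struct object o = { "restricted", "constructed-secret" };
    observed[0] = '\0';
    int rc = call_hooks(bpf_first ? before : after, 2, &o);
    return rc == -EACCES && observed[0] != '\0';
}

int main(void)
{
    printf("bpf first: %d, bpf last: %d\n", bpf_saw_denied_object(1), bpf_saw_denied_object(0));
    return 0;
}
```

With the bpf-style hook last, the MAC denial ends the walk before the hook is ever shown the object; with it first, the access is still denied overall but the hook has already read the data.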