Date: Sat, 28 Mar 2020 14:50:14 -0700
From: Kees Cook
To: KP Singh
Cc: Daniel Borkmann, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, Alexei Starovoitov, James Morris, Paul Turner, Jann Horn, Florent Revest, Brendan Jackman, Greg Kroah-Hartman
Subject: Re: [PATCH bpf-next v8 0/8] MAC and Audit policy using eBPF (KRSI)
Message-ID: <202003281449.333BDAF6@keescook>
References: <20200327192854.31150-1-kpsingh@chromium.org> <4e5a09bb-04c4-39b8-10d4-59496ffb5eee@iogearbox.net> <20200328195636.GA95544@google.com>
In-Reply-To: <20200328195636.GA95544@google.com>

On Sat, Mar 28, 2020 at 08:56:36PM +0100, KP Singh wrote:
> Since the attachment succeeds and the hook does not get called, it
> seems like "bpf" LSM is not being initialized and the hook, although
> present, does not get called.
>
> This indicates that "bpf" is not in CONFIG_LSM. It should, however, be
> there by default as we added it to default value of CONFIG_LSM and
> also for other DEFAULT_SECURITY_* options.
>
> Let me know if that's the case and it fixes it.

Is the selftest expected to at least fail cleanly (i.e. not segfault)
when the BPF LSM is not built into the kernel?

--
Kees Cook
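
The condition discussed in this thread (a "bpf" LSM that is compiled in but missing from the enabled LSM list, so programs attach and hooks never fire) can be checked before running a test. The following is an added example, not part of the thread or the patch series; the function names and sample configs are constructed for illustration, and it assumes the CONFIG_BPF_LSM and CONFIG_LSM build options and the lsm= boot parameter.

```shell
#!/bin/sh
# Added example: explain why a BPF LSM program can attach yet never run.
# All inputs are passed as strings so the logic can be exercised offline.

# Constructed sample kernel configs (not from any real machine).
KCONFIG_WITH_BPF='CONFIG_BPF_LSM=y
CONFIG_LSM="lockdown,yama,apparmor,bpf"'
KCONFIG_WITHOUT_BPF='CONFIG_BPF_LSM=y
CONFIG_LSM="lockdown,yama,apparmor"'

# lsm_list_has LIST NAME: succeed if NAME is an exact element of the
# comma-separated LIST (so "bpfilter" does not match "bpf").
lsm_list_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# bpf_lsm_status KCONFIG CMDLINE [ACTIVE]
# Prints one of: not-built | enabled | built-not-enabled
bpf_lsm_status() {
    kconfig=$1; cmdline=$2; active=${3-}
    # Without CONFIG_BPF_LSM=y there is no "bpf" LSM to enable.
    printf '%s\n' "$kconfig" | grep -qx 'CONFIG_BPF_LSM=y' ||
        { echo not-built; return 0; }
    # The running kernel's own list, when supplied, is authoritative.
    order=$active
    if [ -z "$order" ]; then
        # Start from the build-time default ...
        order=$(printf '%s\n' "$kconfig" |
            sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p')
        # ... which an lsm= boot parameter replaces entirely.
        for arg in $cmdline; do
            case $arg in lsm=*) order=${arg#lsm=} ;; esac
        done
    fi
    if lsm_list_has "$order" bpf; then
        echo enabled
    else
        echo built-not-enabled
    fi
}

# The case from the thread: built in, but not in the enabled list.
bpf_lsm_status "$KCONFIG_WITHOUT_BPF" "ro quiet"
```

On a live system the second and third arguments come from /proc/cmdline and /sys/kernel/security/lsm; a test harness can skip rather than run when the result is anything other than `enabled`.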