Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1053751ybb; Sat, 28 Mar 2020 17:16:00 -0700 (PDT) X-Google-Smtp-Source: ADFU+vsSlMytfB5/8Mcytw6CXX8x+1bgHopS+kSHBHHMSB/GkPUxYunoLHakjmTLXwbfYYfdQKEe X-Received: by 2002:a4a:9c41:: with SMTP id c1mr4979370ook.43.1585440959985; Sat, 28 Mar 2020 17:15:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585440959; cv=none; d=google.com; s=arc-20160816; b=f+s/CyJs0s4u2oF6vhS3a8A/wA4d0Kprjs+TCExLrg2tVnKZOadLaVR4E/qiHaW0Xb 39DPUGt9NdOihDSx2a0kpsvGy27aFytxOyqBQJf5u193iIGm3lJBZWz9PGc34Y20CDSC QHnE/wbGz8CZgHfsbc4g+7ceD6EDoqSe87vi2MYkEh0W4NwCHWP7D8Jf01HLBC75tiDM zpE5i/Vj1FqI+c9CsIZIULE8R5sr4AYPr9uUCQVpfkkztA9jx53DK0Dm/B3cmb+Og94s 7p+WDIAmdBQRN3rAoVs0jowMIVT8Nn9ALLC1B6jNsOlSSlqVrzkUsXWQYlxCOOr9Osi8 emZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=PSsn2fxTtFEyMxwiuTl4GqNK4PSnpsSTR8BPcNmdBgk=; b=HqpvLpZONV0LaDR/reb8WH8sGBiEQj4tz/Yj/zmKFhe5gFtRm9l/DVjI20+gR/rlDi fZXzE6KdGjkuYuVrCcjBfrrr66mtGjzDteR+sNRFS5DlPwJ1+A/BlYzoJoNFY49+Zw9J PkCLcdtMqBW4qaIM09ptS0ef+njbtzOig7+fYQnaEclGCG7ryu0damNRSwZSe/AigF3l 3WjnAEcvb0rHYf6JB7W/6HWKRnkDhp4w4K1mqPKQrQ1DFFV1nkH12+EGHQtAAfzEyd41 w+97goKkd6Dh2QoC2x7q7LLyDpCCc6k2UR4Haj4x7PNciaoCj+15aDJzjLN9RvBsFkJI MjMw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s70si4580934oos.6.2020.03.28.17.15.47; Sat, 28 Mar 2020 17:15:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727701AbgC2APZ (ORCPT + 99 others); Sat, 28 Mar 2020 20:15:25 -0400 Received: from www62.your-server.de ([213.133.104.62]:58768 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726604AbgC2APZ (ORCPT ); Sat, 28 Mar 2020 20:15:25 -0400 Received: from sslproxy05.your-server.de ([78.46.172.2]) by www62.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89_1) (envelope-from ) id 1jILbm-0005Oc-Ov; Sun, 29 Mar 2020 01:15:22 +0100 Received: from [178.195.186.98] (helo=pc-9.home) by sslproxy05.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jILbm-000IV8-Bo; Sun, 29 Mar 2020 01:15:22 +0100 Subject: Re: [PATCH bpf-next v8 0/8] MAC and Audit policy using eBPF (KRSI) To: KP Singh Cc: Kees Cook , open list , bpf , Linux Security Module list , Alexei Starovoitov , James Morris , Paul Turner , Jann Horn , Florent Revest , Brendan Jackman , Greg Kroah-Hartman References: <20200327192854.31150-1-kpsingh@chromium.org> <4e5a09bb-04c4-39b8-10d4-59496ffb5eee@iogearbox.net> <20200328195636.GA95544@google.com> <202003281449.333BDAF6@keescook> <20200329000738.GA230422@google.com> From: Daniel Borkmann Message-ID: Date: Sun, 29 Mar 2020 01:15:21 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: <20200329000738.GA230422@google.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.102.2/25765/Sat Mar 28 14:16:42 2020) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 3/29/20 1:07 AM, KP Singh wrote: > On 28-Mar 23:30, KP Singh wrote: >> On Sat, Mar 28, 2020 at 10:50 PM Kees Cook wrote: >>> >>> On Sat, Mar 28, 2020 at 08:56:36PM +0100, KP Singh wrote: >>>> Since the attachment succeeds and the hook does not get called, it >>>> seems like "bpf" LSM is not being initialized and the hook, although >>>> present, does not get called. >>>> >>>> This indicates that "bpf" is not in CONFIG_LSM. It should, however, be >>>> there by default as we added it to default value of CONFIG_LSM and >>>> also for other DEFAULT_SECURITY_* options. >>>> >>>> Let me know if that's the case and it fixes it. >>> >>> Is the selftest expected to at least fail cleanly (i.e. not segfault) >> >> I am not sure where the crash comes from, it does not look like it's test_lsm, >> it seems to happen in test_overhead. Both seem to run fine for me. > > So I was able to reproduce the crash: > > * Remove "bpf" from CONFIG_LSM > > ./test_progs -n 66,67 > test_test_lsm:PASS:skel_load 0 nsec > test_test_lsm:PASS:attach 0 nsec > test_test_lsm:PASS:exec_cmd 0 nsec > test_test_lsm:FAIL:bprm_count bprm_count = 0 > test_test_lsm:FAIL:heap_mprotect want errno=EPERM, got 0 > #66 test_lsm:FAIL > Caught signal #11! > Stack trace: > ./test_progs(crash_handler+0x1f)[0x55b7f9867acf] > /lib/x86_64-linux-gnu/libpthread.so.0(+0x13520)[0x7fcf1467e520] > /lib/x86_64-linux-gnu/libc.so.6(+0x15f73d)[0x7fcf1460a73d] > /lib/x86_64-linux-gnu/libc.so.6(__libc_calloc+0x2ca)[0x7fcf1453286a] > /usr/lib/x86_64-linux-gnu/libelf.so.1(+0x37 > > [snip] > > * The crash went away when I removed the heap_mprotect call, now the BPF > hook attached did not allow this operation, so it had no side-effects. > Which lead me to believe the crash could be a side-effect of this > operation. So I did: > > --- a/tools/testing/selftests/bpf/prog_tests/test_lsm.c > +++ b/tools/testing/selftests/bpf/prog_tests/test_lsm.c > @@ -29,7 +29,7 @@ int heap_mprotect(void) > if (buf == NULL) > return -ENOMEM; > > - ret = mprotect(buf, sz, PROT_READ | PROT_EXEC); > + ret = mprotect(buf, sz, PROT_READ | PROT_WRITE | PROT_EXEC); > free(buf); > return ret; > } > > and the crash went away. Which made me realize that the free > operation does not like memory without PROT_WRITE, So I did this: > > diff --git a/tools/testing/selftests/bpf/prog_tests/test_lsm.c b/tools/testing/selftests/bpf/prog_tests/test_lsm.c > index fcd839e88540..78f125cc09b3 100644 > --- a/tools/testing/selftests/bpf/prog_tests/test_lsm.c > +++ b/tools/testing/selftests/bpf/prog_tests/test_lsm.c > @@ -30,7 +30,7 @@ int heap_mprotect(void) > return -ENOMEM; > > ret = mprotect(buf, sz, PROT_READ | PROT_EXEC); > - free(buf); > + // free(buf); > return ret; > } > > and the crash went away as well. So it indeed was a combination of: > > * CONFIG_LSM not enabling the hook > * mprotect marking the memory as non-writeable > * free being called on the memory. > > I will send a v9 which has the PROT_WRITE on the mprotect. Thanks > for noticing this! And also explains the stack trace for __libc_calloc() where it's trying to zero the area later on. Thanks for the quick debugging, Daniel