From: KP Singh
Date: Wed, 29 Apr 2020 14:34:57 +0200
Subject: Re: [PATCH bpf-next v9 0/8] MAC and Audit policy using eBPF (KRSI)
To: Mikko Ylinen
Cc: open list, bpf, Linux Security Module list, Alexei Starovoitov, Daniel Borkmann, James Morris, Kees Cook, Paul Turner, Jann Horn, Florent Revest, Brendan Jackman, Greg Kroah-Hartman
In-Reply-To: <0165887d-e9d0-c03e-18b9-72e74a0cbd59@linux.intel.com>
References: <20200329004356.27286-1-kpsingh@chromium.org> <0165887d-e9d0-c03e-18b9-72e74a0cbd59@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Thanks for reporting this! Can you share your Kconfig please?

On Wed, Apr 29, 2020 at 2:31 PM Mikko Ylinen wrote:
>
> Hi,
>
> On 29/03/2020 02:43, KP Singh wrote:
> > # How does it work?
> >
> > The patchset introduces a new eBPF (https://docs.cilium.io/en/v1.6/bpf/)
> > program type BPF_PROG_TYPE_LSM which can only be attached to LSM hooks.
> > Loading and attachment of BPF programs requires CAP_SYS_ADMIN.
> >
> > The new LSM registers nop functions (bpf_lsm_) as LSM hook
> > callbacks. Their purpose is to provide a definite point where BPF
> > programs can be attached as BPF_TRAMP_MODIFY_RETURN trampoline programs
> > for hooks that return an int, and BPF_TRAMP_FEXIT trampoline programs
> > for void LSM hooks.
>
> I have two systems (a NUC and a qemu VM) that fail to boot if I enable
> the BPF LSM without enabling SELinux first. Anything I might be missing
> or are you able to trigger it too?
>
> For instance, the following additional cmdline args: "lsm.debug=1
> lsm="capability,apparmor,bpf" results in:
>
> [    1.251889] Call Trace:
> [    1.252344]  dump_stack+0x57/0x7a
> [    1.252951]  panic+0xe6/0x2a4
> [    1.253497]  ? printk+0x43/0x45
> [    1.254075]  mount_block_root+0x30c/0x31b
> [    1.254798]  mount_root+0x78/0x7b
> [    1.255417]  prepare_namespace+0x13a/0x16b
> [    1.256168]  kernel_init_freeable+0x210/0x222
> [    1.257021]  ? rest_init+0xa5/0xa5
> [    1.257639]  kernel_init+0x9/0xfb
> [    1.258074]  ret_from_fork+0x35/0x40
> [    1.258885] Kernel Offset: 0x11000000 from 0xffffffff81000000
> (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
> [    1.264046] ---[ end Kernel panic - not syncing: VFS: Unable to mount
> root fs on unknown-block(253,3)
>
> Taking out "bpf" or adding "selinux" before it boots OK. I've tried
> with both 5.7-rc2 and -rc3.
>
> LSM logs:
>
> [    0.267219] LSM: Security Framework initializing
> [    0.267844] LSM: first ordering: capability (enabled)
> [    0.267870] LSM: cmdline ignored: capability
> [    0.268869] LSM: cmdline ordering: apparmor (enabled)
> [    0.269508] LSM: cmdline ordering: bpf (enabled)
> [    0.269869] LSM: cmdline disabled: selinux
> [    0.270377] LSM: cmdline disabled: integrity
> [    0.270869] LSM: exclusive chosen: apparmor
> [    0.271869] LSM: cred blob size       = 8
> [    0.272354] LSM: file blob size       = 24
> [    0.272869] LSM: inode blob size      = 0
> [    0.273362] LSM: ipc blob size        = 0
> [    0.273869] LSM: msg_msg blob size    = 0
> [    0.274352] LSM: task blob size       = 32
> [    0.274873] LSM: initializing capability
> [    0.275381] LSM: initializing apparmor
> [    0.275880] AppArmor: AppArmor initialized
> [    0.276437] LSM: initializing bpf
> [    0.276871] LSM support for eBPF active
>
> --
> Regards, Mikko
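The report above turns on two things: the LSM ordering given with lsm= on the command line, and the Kconfig that KP asks Mikko to share. The script below is an added example, not code from this thread or from the KRSI patchset: it pulls the lsm= ordering out of a kernel command line, reads the relevant options out of a .config, and checks the preconditions for the BPF LSM to be active at all. The option names and the dependency list (CONFIG_BPF_LSM depends on BPF_EVENTS, BPF_SYSCALL, SECURITY and BPF_JIT) follow the 5.7 Kconfig entry; the function names, the sample command line and the sample .config are constructed here and are assumptions of the example, not data from the report.

```shell
#!/bin/sh
# Added example, not code from the thread or from the KRSI patchset.
# Collects the LSM ordering from the kernel command line together with
# the Kconfig options the BPF LSM needs, so a report like the one above
# can be reproduced and reasoned about. Option names and the dependency
# list follow the 5.7 Kconfig entry for CONFIG_BPF_LSM; the checking
# logic and the sample inputs are this script's own assumptions.

# Value of the last lsm= parameter on a kernel command line; the quotes
# seen in the report (lsm="a,b,c") are stripped. Prints an empty string
# when no lsm= override is present.
lsm_order_from_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lsm=//p' | tail -n 1 | tr -d '"'
}

# Succeeds when $2 is one of the comma-separated entries of $1.
lsm_listed() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# Value of CONFIG option $2 in the .config text $1 ("n" when unset or
# commented out); surrounding quotes of string options are removed.
kconfig_value() {
    v=$(printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1 | tr -d '"')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'n\n'; fi
}

# Report whether the BPF LSM can be active for a (cmdline, .config) pair.
# Returns 0 only when "bpf" is in the effective ordering and every Kconfig
# dependency is enabled; prints one line per finding.
check_bpf_lsm() {
    cmdline=$1 config=$2 rc=0
    order=$(lsm_order_from_cmdline "$cmdline")
    if [ -n "$order" ]; then
        echo "ordering: lsm= on the command line: $order"
    else
        # Without an lsm= override the build-time CONFIG_LSM string is
        # the ordering (capability is always enabled first regardless).
        order=$(kconfig_value "$config" CONFIG_LSM)
        echo "ordering: CONFIG_LSM: $order"
    fi
    if lsm_listed "$order" bpf; then
        echo "bpf: listed in the LSM ordering"
    else
        echo "bpf: NOT listed (add it to lsm= or CONFIG_LSM)"
        rc=1
    fi
    # CONFIG_BPF_LSM and the options it depends on in the 5.7 Kconfig.
    for opt in CONFIG_BPF_LSM CONFIG_BPF_SYSCALL CONFIG_BPF_JIT \
               CONFIG_BPF_EVENTS CONFIG_SECURITY; do
        if [ "$(kconfig_value "$config" "$opt")" = y ]; then
            echo "$opt=y"
        else
            echo "$opt is not set"
            rc=1
        fi
    done
    # The report boots only with selinux ahead of bpf, so also show which
    # exclusive LSMs are built in.
    for opt in CONFIG_SECURITY_SELINUX CONFIG_SECURITY_APPARMOR; do
        echo "$opt=$(kconfig_value "$config" "$opt")"
    done
    return $rc
}

# Constructed sample inputs mirroring the report (not real files).
SAMPLE_CMDLINE='lsm.debug=1 lsm="capability,apparmor,bpf"'
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_LSM=y
CONFIG_LSM="lockdown,yama,integrity,selinux,bpf"'

# Live inputs when run on a real machine; empty when unavailable.
live_cmdline() { cat /proc/cmdline 2>/dev/null || true; }
live_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz 2>/dev/null || true
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

main() {
    c=$(live_cmdline)
    k=$(live_config)
    if [ -z "$c" ] || [ -z "$k" ]; then
        echo "no readable live cmdline/.config; using the constructed sample"
        c=$SAMPLE_CMDLINE
        k=$SAMPLE_CONFIG
    fi
    # What the running kernel actually activated, for comparison.
    if [ -r /sys/kernel/security/lsm ]; then
        echo "active LSMs: $(cat /sys/kernel/security/lsm)"
    fi
    check_bpf_lsm "$c" "$k"
}

main || echo "BPF LSM preconditions not met"
```

Run on the failing machine, the script prints the same facts the reply asks for in one place. Note that in Mikko's log the bpf LSM did initialize ("LSM: initializing bpf" and "LSM support for eBPF active"), so a clean result from this check is expected there; it rules out a missing dependency or ordering entry as the cause, and the root-fs panic has to be explained from the full Kconfig instead.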