Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp1023218ybk;
        Wed, 20 May 2020 19:04:19 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJw8BEav2Q8nVXIij3EDgX0XN+30suz+3cRfsQhhLbwegKnXfRbm39eOg4/2TaHr6wRES9Pg
X-Received: by 2002:aa7:cb8f:: with SMTP id r15mr6243601edt.120.1590026659374;
        Wed, 20 May 2020 19:04:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1590026659; cv=none;
        d=google.com; s=arc-20160816;
        b=XlwthY4L7ec44QfjGiZ5gYQDGaZxQ9uJ2b+BYWuLdwKttWop2TvJ7evyyTVuEABq0P
         2oE0dCs7oLLyCLb5vj6Tbd8Hq+NH6x/C7d0LDoKIEcqU87Wq64UT5JUSTYhTOj9aWHo7
         N5SL7HGMwMyZgWA+hCxxnL3a33xKVlsdwgA38L9X0mwyMmDhtW/OCnvdB0Gzn2yUQsvS
         ZBhFZlGPaWniTEzLwo97MseCeZqsgwYgpTonG81Ls39Hr+SH4OTf4Xjg7vRkalAz9DRg
         ItXQjskSn1A4vEpRzGgqyxCrJmVk//O8mGZawD8IJ/uYlgBck5I3q6u0jW80wEoa9pFo
         ocrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=sgH4JgS3eS5E3MIrWjZqeteRgOqNiIkhFdIhHDg1mKc=;
        b=Fv3rX+4IaXr9mqHacKxBXrAhuTluBVL3aNA3AalLlkcrtiyM2L0bPd+9aaqoxgXFRY
         6WryzVjny4kflcyHmGPmKczh6kloZOlWysjqZJs79gJ4Ov3t13oxffTNohFV3fYs/rw6
         dngi2CjzsBc7EP4CuxdT16WAlaQi4n2sKGt+3bvkVOcb5V1dyBUpjoqP4SeVx5f84f0j
         cIoNcRdXEvr7PQHXGGypLMDzjfobHH6AMT8MiTm0nnsZsh702Cun6WKOQ/V2XmmnY4IR
         si6Jo5ZlHUQd7VulPRoj091Qr0YOfLj+g0GC+lG7CsfovY/c+K9Dh8/Rt+OcJIWDnsqU
         3n0Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id sa8si2640663ejb.222.2020.05.20.19.03.55;
        Wed, 20 May 2020 19:04:19 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726953AbgEUCC3 (ORCPT <rfc822;ostrlinux@gmail.com> + 99 others);
        Wed, 20 May 2020 22:02:29 -0400
Received: from namei.org ([65.99.196.166]:38560 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726833AbgEUCC2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 20 May 2020 22:02:28 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id 04L2288V031690;
        Thu, 21 May 2020 02:02:08 GMT
Date:   Thu, 21 May 2020 12:02:08 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     Alexei Starovoitov <alexei.starovoitov@gmail.com>
cc:     Casey Schaufler <casey@schaufler-ca.com>,
        KP Singh <kpsingh@chromium.org>,
        LKML <linux-kernel@vger.kernel.org>, bpf <bpf@vger.kernel.org>,
        LSM List <linux-security-module@vger.kernel.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Anders Roxell <anders.roxell@linaro.org>
Subject: Re: [PATCH bpf] security: Fix hook iteration for secid_to_secctx
In-Reply-To: <CAADnVQL_j3vGMTiQTfKWOZKhhuZxAQBQpU6W-BBeO+biTXrzSQ@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.2005211201410.2368@namei.org>
References: <20200520125616.193765-1-kpsingh@chromium.org> <5f540fb8-93ec-aa6b-eb30-b3907f5791ff@schaufler-ca.com> <CAADnVQL_j3vGMTiQTfKWOZKhhuZxAQBQpU6W-BBeO+biTXrzSQ@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 20 May 2020, Alexei Starovoitov wrote:

> On Wed, May 20, 2020 at 8:15 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> >
> > On 5/20/2020 5:56 AM, KP Singh wrote:
> > > From: KP Singh <kpsingh@google.com>
> > >
> > > secid_to_secctx is not stackable, and since the BPF LSM registers this
> > > hook by default, the call_int_hook logic is not suitable which
> > > "bails-on-fail" and casues issues when other LSMs register this hook and
> > > eventually breaks Audit.
> > >
> > > In order to fix this, directly iterate over the security hooks instead
> > > of using call_int_hook as suggested in:
> > >
> > > https: //lore.kernel.org/bpf/9d0eb6c6-803a-ff3a-5603-9ad6d9edfc00@schaufler-ca.com/#t
> > >
> > > Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
> > > Fixes: 625236ba3832 ("security: Fix the default value of secid_to_secctx hook"
> > > Reported-by: Alexei Starovoitov <ast@kernel.org>
> > > Signed-off-by: KP Singh <kpsingh@google.com>
> >
> > This looks fine.
> 
> Tested. audit works now.
> I fixed missing ')' in the commit log
> and applied to bpf tree.
> It will be on the way to Linus tree soon.

Please add:


Acked-by: James Morris <jamorris@linux.microsoft.com>


-- 
James Morris
<jmorris@namei.org>