Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp517767ybt; Fri, 19 Jun 2020 07:20:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz8CaL97vs+JLB7dmWGb1b4zWhCPbUnz+d23YWW1Hyu5cVqf+epr1aRJVF/qvnuNBZBCYb7 X-Received: by 2002:a05:6402:459:: with SMTP id p25mr3471842edw.383.1592576402004; Fri, 19 Jun 2020 07:20:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592576401; cv=none; d=google.com; s=arc-20160816; b=w0lxtOofh2vQxOlGoUoqd9WEDsE8neZJLuP8lQnCmLht9azFKQBMEYFHHZd71JG11L nQLaGnHChdjo2jUnSEhH4uCV0dt1lIGMm/XFuWheheauc54P6dpqTb0bx8J7alBI+cTL v5bcVi8i56PHVksdc8gaQpdSsMpAGtkSKC9xJmo8NnLXUCmn4fWwwnHjoMv0mm2fjWbv Wp7n/rD/urXorOkcbBIL3CrqXitbvNJwCY72pQXJfx7qrRxrMRBzLHErXfW0miyvBNjk eVon+9PdCuhaUiXxZZadL4vC4SzFh1zKI7MmeN5MLoEpdPfphiqWZihxtkpO+/5smnqm uM0w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=kLi8OmcpAn5G3kBd5W0qjMBKSdfFGH1S+Rf0efF4Xls=; b=TWPEeIbENbcTalGBzZPtV24Q6AHxWrAGOOTIGn4iwZ+SGQVPR6ASu2XR3fqf1ti3S+ J2IfHffbsztpekKcduSHa+8nB8sxh0eXVi6NSWRnGyQ98NECvh7ExcooEGgGJOr1ov6V Xlw65dItclmBaqFI8wcHJobrmlS/uYHgUcCJawdlivD7ZliLnAcdtbJnmb7b5OvLtIOX vTNgE80DNDACMvS15aVJaz+cYrUAJmyci9SexSMcwCoaBlC7En803QzN9xri8ngJwOoA 79QPCwJgEouUWX7YTtjHsrHLyoKHDmT9kwDMCpHXglJXcY355TJs+91LMAQ7SYgdhyv6 oHcg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ToHuUnTG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ds16si4996233ejc.112.2020.06.19.07.19.39; Fri, 19 Jun 2020 07:20:01 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ToHuUnTG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732813AbgFSORO (ORCPT + 99 others); Fri, 19 Jun 2020 10:17:14 -0400 Received: from us-smtp-delivery-1.mimecast.com ([205.139.110.120]:34811 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727041AbgFSORN (ORCPT ); Fri, 19 Jun 2020 10:17:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1592576231; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=kLi8OmcpAn5G3kBd5W0qjMBKSdfFGH1S+Rf0efF4Xls=; b=ToHuUnTGQoKP1l8fROYJ5p7aaSx0sOcyM6hmJ6C6sus8NodkI1I0sSmRlEVP7C7i7SH4yX J0COYUaDe6keS5/QSqGOVLW02mO0+282CT2zirG7btchSnwAjfgHvNDvfFcYf1yqpzlUpS Arnq+ATjsGo0zPnfSHlI6iiUD6YryHk= Received: from mail-lf1-f72.google.com (mail-lf1-f72.google.com [209.85.167.72]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-70-jytJfvQWPnSqYrxXUzbAzw-1; Fri, 19 Jun 2020 10:17:09 -0400 X-MC-Unique: jytJfvQWPnSqYrxXUzbAzw-1 Received: by mail-lf1-f72.google.com with SMTP id a75so1505041lfd.0 for ; Fri, 19 Jun 2020 07:17:09 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kLi8OmcpAn5G3kBd5W0qjMBKSdfFGH1S+Rf0efF4Xls=; b=Jt/U1j/4+0N4Z0XHWKQCS4+z4P2PpN6h8U3lCL4re7aDFPodeXOP7MuPxlFE0EC41R hxZwt6w/LeY3+yxahvLZcu8eYTjua3zKqi7lziccDjUj+ba1f8SY+qpdBvbhLrljajWf 1kSHoVAv2846BJY8O5/9Qu1gdz+5GI/Uh/mBEyPFWZsWLZGphx4zMnTWf5lW0mmrdhds is871zMC80clmvn5Pu4cfLtqx8MFPNbhrY8vCH1K8c2OV1H8EZWrFo5qV9HtkxtM3MGd X0EwvmINbxw+wqOf46t8Wt5vH4tZo4ipU2HToM5bqXqgrz7QhpVMWY8tM/0Wx0CuXbes YLEQ== X-Gm-Message-State: AOAM531zrizOwFHAl6mw2yolMjCXwfIunHdTT0SzKmXVuX6Qiln1trAP N5popSijSEp1cEldrZO3S6Mjq7XTaFqqYxu3+h5plpcDFYNfDX3EGuq4jxkSPzBbd/rsYHzSUnr tLwvxEzvrlGIH7GzM6mc5YWNt3BMfNGhkucazpBY7 X-Received: by 2002:a05:651c:288:: with SMTP id b8mr2016189ljo.337.1592576227290; Fri, 19 Jun 2020 07:17:07 -0700 (PDT) X-Received: by 2002:a05:651c:288:: with SMTP id b8mr2016174ljo.337.1592576226986; Fri, 19 Jun 2020 07:17:06 -0700 (PDT) MIME-Version: 1.0 References: <20200520125616.193765-1-kpsingh@chromium.org> In-Reply-To: From: Ondrej Mosnacek Date: Fri, 19 Jun 2020 16:16:56 +0200 Message-ID: Subject: Re: [PATCH bpf] security: Fix hook iteration for secid_to_secctx To: KP Singh Cc: Linux kernel mailing list , bpf , Linux Security Module list , Alexei Starovoitov , Daniel Borkmann , James Morris , Anders Roxell , Casey Schaufler , Peter Zijlstra , Josh Poimboeuf Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 19, 2020 at 3:13 PM KP Singh wrote: > Hi, > > On Fri, Jun 19, 2020 at 2:49 PM Ondrej Mosnacek wrote: > > > > On Wed, May 20, 2020 at 2:56 PM KP Singh wrote: > > > From: KP Singh > > > > > > secid_to_secctx is not stackable, and since the BPF LSM registers this > > > hook by default, the call_int_hook logic is not suitable which > > > "bails-on-fail" and casues issues when other LSMs register this hook and > > > eventually breaks Audit. > > > > > > In order to fix this, directly iterate over the security hooks instead > > > of using call_int_hook as suggested in: > > > > > > https: //lore.kernel.org/bpf/9d0eb6c6-803a-ff3a-5603-9ad6d9edfc00@schaufler-ca.com/#t > > > > > > Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks") > > > Fixes: 625236ba3832 ("security: Fix the default value of secid_to_secctx hook" > > > Reported-by: Alexei Starovoitov > > > Signed-off-by: KP Singh > > [...] > > > > Sorry for being late to the party, but doesn't this (and the > > associated default return value patch) just paper over a bigger > > problem? What if I have only the BPF LSM enabled and I attach a BPF > > program to this hook that just returns 0? Doesn't that allow anything > > privileged enough to do this to force the kernel to try and send > > memory from uninitialized pointers to userspace and/or copy such > > memory around and/or free uninitialized pointers? > > > > Why on earth does the BPF LSM directly expose *all* of the hooks, even > > those that are not being used for any security decisions (and are > > "useful" in this context only for borking the kernel...)? Feel free to > > prove me wrong, but this lazy approach of "let's just take all the > > hooks as they are and stick BPF programs to them" doesn't seem like a > > The plan was definitely to not hook everywhere but only call the hooks > that do have a BPF program registered. This was one of the versions > we proposed in the initial patches where the call to the BPF LSM was > guarded by a static key with it being enabled only when there's a > BPF program attached to the hook. > > https://lore.kernel.org/bpf/20200220175250.10795-5-kpsingh@chromium.org/ > > However, this special-cased BPF in the LSM framework, and, was met > with opposition. Our plan is to still achieve this, but we want to do this > with DEFINE_STATIC_CALL patches: > > https://lore.kernel.org/lkml/cover.1547073843.git.jpoimboe@redhat.com > > Using these, only can we enable the call into the hook based on whether > a program is attached, we can also eliminate the indirect call overhead which > currently affects the "slow" way which was decided in the discussion: > > https://lore.kernel.org/bpf/202002241136.C4F9F7DFF@keescook/ Perhaps you are misunderstanding me... I don't have a problem with BPF LSM registering callbacks for all the hooks. My point is about what you can trigger once you attach programs to certain hooks. All the above seem to be just optimizations/implementation details that do not affect the problem I'm pointing to. > > > good choice... IMHO you should either limit the set of hooks that can > > be attached to only those that aren't used to return back values via > > I am not sure if limiting the hooks is required here once we have > the ability to call into BPF only when a program is attached. If the > the user provides a BPF program, deliberately returns 0 (or any > other value) then it is working as intended. Even if we limit this in the > bpf LSM, deliberate privileged users can still achieve this with > other means. The point is that for this particular hook (secid_to_secctx) and a couple others, the consequences of having control over the return value are more serious than with other hooks. For most hooks, the implementation usually just returns 0 (OK), -EACCESS (access denied) or -E... (error) and the caller either continues as normal or handles the error. But here if you return 0, you signal that you have initialized the pointer and size to valid values. So suddenly the BPF prog doesn't just control allow/deny decisions, but can now easily trigger kernel panic. And when you look at the semantics of the hook, you will realize that it doesn't really make sense to implement it via BPF, since it can never populate the output values and the only meaningful implementation would be to just return -EOPNOTSUPP. Maybe I have it all wrong, but isn't the whole point of BPF programs to provide a tight sandbox where you can only implement pure input -> output functions + read/modify some internal state? Is it really "working as intended" if you can crash the kernel by attaching a simple BPF program to a certain hook? I mean yes, you can make the system pretty much unusable already using the classic hooks by simply returning -EACCESS for everything, but IMO that's quite different from causing the kernel to do an invalid memory access. -- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc.