Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp672035ybt; Fri, 19 Jun 2020 10:41:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw7OvQUKJ9SGPMQ+wFy3Ra0bMd1XoqrhNDpcu9aa2/6yEvJKJX6Fj/SrC0Cg+OCCdIsfSXo X-Received: by 2002:a05:6402:699:: with SMTP id f25mr4421335edy.281.1592588515292; Fri, 19 Jun 2020 10:41:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592588515; cv=none; d=google.com; s=arc-20160816; b=u0rQNiiSrbwGyjH2xXjZ2lDPT7DQnBBdggYIXOdO52fBy1w5dX73J9+5zyoJ0eAA9D Q+cr1F6fNtn3NpGVzGTkUhSTlhBFH7+XPaiJ44TiFTF/yZA3Z729e+N7+q0p965qlr1+ QV4LxJ0he34BR3qKaOTERgVgTIkO+SDEDnPahv8FA7rsts/J0kHx/vBQvIQeWVpY4VYM NHUo6hJnh10akpfaMPNj0PtguiuR3e+CFGmTNllgLD5rZex+T0X2HtK5ME5aXqouRIQC QftEkKI6Qk+pXN47uCC/NZle6EnP5jjybAHC5asBIYGqToJbspFgKJ0+roOwrLqravbv sWSA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=/g/+YnCzud6gIE/myiatywuh+bgiNOQQZfOvz+r2RZM=; b=SLVc/fnhTb42QPNtiMQmW4zLKEm+TfsHWlSe05lsgsIgMXG4bIJwK0N96QLgPYhAXG lZOOIb9mNsPvBTUbze1xAVykcLcTV48flt8bTFFd9rDeZThGnPKl+/ehxLGx8tIvHwaZ gqp8m9uO+wB67Gz+s0Gq5bcTa/8Rbbv9Qt1pKiDvZ+thhhn4bN7FI3hrD4z+6LqMFEkh YPt2g9r0keJTrq2m15YZ8UzuWNN0E0Zftq3dOJPm4YNKaWYcx96qnLmSUJbwuOtU3NXR iNnrkswa/Qrq0AF529PW3BfqHEg+JC+kB0DuFk7fUzu44AVB2U4nXKmxLMrNLXS2EdlX ZLag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=DJzpqNQL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id md18si4383848ejb.275.2020.06.19.10.41.32; Fri, 19 Jun 2020 10:41:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=DJzpqNQL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732452AbgFSMt4 (ORCPT + 99 others); Fri, 19 Jun 2020 08:49:56 -0400 Received: from us-smtp-2.mimecast.com ([205.139.110.61]:51916 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1732278AbgFSMtq (ORCPT ); Fri, 19 Jun 2020 08:49:46 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1592570984; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=/g/+YnCzud6gIE/myiatywuh+bgiNOQQZfOvz+r2RZM=; b=DJzpqNQL3Ct78b71K3She8S6lrhS3usL8RrHve8/Fe6OvbZlg6mL0+tQcu46JUkXre2a7j wCJeM5i67zqeqXPsz5Xb5HA/z0ezPbvt16HNIJ2y+2qfvWOaQ++M8/Hn63ImspXHOc9tbP HV9MlLeH/yVCwJNU1bYE/DUE4N0GBAs= Received: from mail-lf1-f71.google.com (mail-lf1-f71.google.com [209.85.167.71]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-204-oZMYJzKHPZWIBTOOOU2agQ-1; Fri, 19 Jun 2020 08:49:42 -0400 X-MC-Unique: oZMYJzKHPZWIBTOOOU2agQ-1 Received: by mail-lf1-f71.google.com with SMTP id r10so3400791lfc.6 for ; Fri, 19 Jun 2020 05:49:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/g/+YnCzud6gIE/myiatywuh+bgiNOQQZfOvz+r2RZM=; b=T+KnlY9rBH5IDnIRMd2fUf3+h8g9njtB3ykPZjzOimaMleirDF66cPgV0RNoIDfw8c +ZqAy9paUyqU6+Ck6j+aFd2Be96iJlpHVyBFBR18H/cCc1jnddY0NZLBsYmG+YWS/JjV uoenfM0vL9i9CBqP3FI/zxC6mE978sJsznaz2zZv8NcAGRrj7ArfK3E1pYQRq91f53Ay 1FCkmVNTk8zODabuzHKgwZ9pKtYps3wEhz9WrOmrK/7lWM/M+1pWKbMij58aafnP9trg 10BSoHYzY/gs+AnUi9zFM6KMw9t2/wVlqz/1UN9CTTV/GV1kObrzolKF6wzE/BelJfE1 BgCQ== X-Gm-Message-State: AOAM530eQzQYUu1mNIgS3NYp+3WA/MduBF06eJQQCDQYQgCpRRphNyK2 y9j41dD+rgw6EeLLam68g/Vl/CJv+l+FKs/0+NN57T6E1XocRFG+DoxWfYyQxoZDMl6ZDPpQqEP oXDlXBi0K4lf5u333mKs8JvwhN6Vdn9nCqo8zzlb0 X-Received: by 2002:ac2:5604:: with SMTP id v4mr1946248lfd.124.1592570981118; Fri, 19 Jun 2020 05:49:41 -0700 (PDT) X-Received: by 2002:ac2:5604:: with SMTP id v4mr1946227lfd.124.1592570980848; Fri, 19 Jun 2020 05:49:40 -0700 (PDT) MIME-Version: 1.0 References: <20200520125616.193765-1-kpsingh@chromium.org> In-Reply-To: <20200520125616.193765-1-kpsingh@chromium.org> From: Ondrej Mosnacek Date: Fri, 19 Jun 2020 14:49:29 +0200 Message-ID: Subject: Re: [PATCH bpf] security: Fix hook iteration for secid_to_secctx To: KP Singh Cc: Linux kernel mailing list , bpf@vger.kernel.org, Linux Security Module list , Alexei Starovoitov , Daniel Borkmann , James Morris , Anders Roxell , Casey Schaufler Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 20, 2020 at 2:56 PM KP Singh wrote: > From: KP Singh > > secid_to_secctx is not stackable, and since the BPF LSM registers this > hook by default, the call_int_hook logic is not suitable which > "bails-on-fail" and casues issues when other LSMs register this hook and > eventually breaks Audit. > > In order to fix this, directly iterate over the security hooks instead > of using call_int_hook as suggested in: > > https: //lore.kernel.org/bpf/9d0eb6c6-803a-ff3a-5603-9ad6d9edfc00@schaufler-ca.com/#t > > Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks") > Fixes: 625236ba3832 ("security: Fix the default value of secid_to_secctx hook" > Reported-by: Alexei Starovoitov > Signed-off-by: KP Singh [...] Sorry for being late to the party, but doesn't this (and the associated default return value patch) just paper over a bigger problem? What if I have only the BPF LSM enabled and I attach a BPF program to this hook that just returns 0? Doesn't that allow anything privileged enough to do this to force the kernel to try and send memory from uninitialized pointers to userspace and/or copy such memory around and/or free uninitialized pointers? Why on earth does the BPF LSM directly expose *all* of the hooks, even those that are not being used for any security decisions (and are "useful" in this context only for borking the kernel...)? Feel free to prove me wrong, but this lazy approach of "let's just take all the hooks as they are and stick BPF programs to them" doesn't seem like a good choice... IMHO you should either limit the set of hooks that can be attached to only those that aren't used to return back values via pointers, or (if you really really need to do some state updates/logging in those hooks) use wrapper functions that will call the BPF progs via a simplified interface so that they cannot cause unsafe behavior. -- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc.