Subject: Re: [PATCH bpf-next 1/2] bpf: Add bpf_lsm_set_bprm_opts helper
To: KP Singh, linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Cc: Alexei Starovoitov, Martin KaFai Lau, Song Liu, Paul Turner, Pauline Middelink
References: <20201116140110.1412642-1-kpsingh@chromium.org>
From: Daniel Borkmann
Message-ID: <793acf23-b263-6ae5-2206-18fcdfa991eb@iogearbox.net>
Date: Mon, 16 Nov 2020 16:11:49 +0100

On 11/16/20 3:01 PM, KP Singh wrote:
> From: KP Singh
>
> The helper allows modification of certain bits on the linux_binprm
> struct starting with the secureexec bit which can be updated using the
> BPF_LSM_F_BPRM_SECUREEXEC flag.
>
> secureexec can be set by the LSM for privilege gaining executions to set
> the AT_SECURE auxv for glibc. When set, the dynamic linker disables the
> use of certain environment variables (like LD_PRELOAD).
>
> Signed-off-by: KP Singh
[...]
> /* integer value in 'imm' field of BPF_CALL instruction selects which helper > @@ -4119,6 +4128,11 @@ enum bpf_lwt_encap_mode { > BPF_LWT_ENCAP_IP, > }; > > +/* Flags for LSM helpers */ > +enum { > + BPF_LSM_F_BPRM_SECUREEXEC = (1ULL << 0), > +}; > + > #define __bpf_md_ptr(type, name) \ > union { \ > type name; \ > diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c > index 553107f4706a..4d04fc490a14 100644 > --- a/kernel/bpf/bpf_lsm.c > +++ b/kernel/bpf/bpf_lsm.c > @@ -7,6 +7,7 @@ > #include > #include > #include > +#include > #include > #include > #include
> @@ -51,6 +52,23 @@ int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog, > return 0; > } > > +BPF_CALL_2(bpf_lsm_set_bprm_opts, struct linux_binprm *, bprm, u64, flags) > +{

This should also reject invalid flags. I'd rather change this helper from RET_VOID to RET_INTEGER and throw -EINVAL for everything other than BPF_LSM_F_BPRM_SECUREEXEC passed in here including zero so it can be extended in future.

> + bprm->secureexec = (flags & BPF_LSM_F_BPRM_SECUREEXEC); > + return 0; > +} > + > +BTF_ID_LIST_SINGLE(bpf_lsm_set_bprm_opts_btf_ids, struct, linux_binprm) > + > +const static struct bpf_func_proto bpf_lsm_set_bprm_opts_proto = { > + .func = bpf_lsm_set_bprm_opts, > + .gpl_only = false, > + .ret_type = RET_VOID, > + .arg1_type = ARG_PTR_TO_BTF_ID, > + .arg1_btf_id = &bpf_lsm_set_bprm_opts_btf_ids[0], > + .arg2_type = ARG_ANYTHING, > +}; > +
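
Review bot: In the kernel/bpf/bpf_lsm.c hunk (@@ -51,6 +52,23 @@), the line "bprm->secureexec = (flags & BPF_LSM_F_BPRM_SECUREEXEC);" is a plain assignment, so any call made without the flag clears secureexec, whatever it held before the call. The commit message only describes setting the bit for privilege-gaining executions; if clearing is not intended, assign only when the flag is present (for example "if (flags & BPF_LSM_F_BPRM_SECUREEXEC) bprm->secureexec = 1;"), and if it is intended, the helper description should say so. As a style point in the same hunk, "const static struct bpf_func_proto" would conventionally be written "static const".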
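
Review bot: The comment added above the enum in the @@ -4119,6 +4128,11 @@ hunk, "Flags for LSM helpers", does not say which helper accepts BPF_LSM_F_BPRM_SECUREEXEC or what the bit does. Since the enum is anonymous, naming bpf_lsm_set_bprm_opts and the effect on secureexec in that comment would let a reader of the header find the consumer without searching.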