Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp780701pxj; Fri, 28 May 2021 15:54:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyVqluQhj9qAgyxlKOJCNkHI304gB7O1jvuD55v/5FjqCUGKD+bzbnVFM1pmISXWlrfr2pr X-Received: by 2002:a05:6e02:590:: with SMTP id c16mr3653238ils.215.1622242450476; Fri, 28 May 2021 15:54:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622242450; cv=none; d=google.com; s=arc-20160816; b=wNvDMlK1mAxbshXP18XCCM8vdHvKxPcv9v4fdcPi440mSTuUlLBSHJ+TEEMBbdPEPp eDRuWYzCGDj5QljzJhitw1bzCIihGFpbjt9GxovKtvbPPkv4tgdSFvncT9VjQAeThzWz 7EoEy3mUMKnGkejfC4kuWNQmMfUyWFCKSp0/sePmtH/KTZB0wNfWemn/JFlUzwkpKerA Qg3oJGlgq5Jk3hny1A2MRG/Q77uNo3ASdEAneodDkfjELPtUoinnrQQIFucpu13gc2T7 VcpLJa2xr+C3EFzRdoWeyn8jgtu+Jiwe7plzZ3xBa0BUa35I3k0jBem8IEabv1WKUK4g Ak0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=hYw5L9uovAkFsfHnHeXQzSMU5L4IRTMjhY6/K5rzT9U=; b=DP+q+OKg6+ICtmEO7QUP6M2EgtqfGLuM84ACPX46g+Wz2WgvqrW/nvncOsKPVubGFJ ADeo15KwHUdM2fWQKAni3XJQcpYhGfStGnAIVO7fM94Kd+YvvKAZtK5J/Mf5PtJWuOeX 3gq34IY4mZChv0oC9xirCHOq/S6XGSVMS3rZQQXbVAlT/4Bc2F+kNcmRgjLntk7iVxkC pqV+U3Rb8qwzECBXMzv/u3CQfjFy2RWr2MXLi/TqVlRs2KCfsrVkGBinBplBb8rk416v QJTKni842fz5mVcB+3yOuZffkC+lY4fzpeHqnRi169OTtMUfnPsRn4CviFLJvEtBzKkz ldbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=yuNgeXWN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d20si8044290jak.40.2021.05.28.15.53.56; Fri, 28 May 2021 15:54:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=yuNgeXWN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229652AbhE1Wy1 (ORCPT + 99 others); Fri, 28 May 2021 18:54:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60526 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229620AbhE1WyY (ORCPT ); Fri, 28 May 2021 18:54:24 -0400 Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A697DC06174A for ; Fri, 28 May 2021 15:52:47 -0700 (PDT) Received: by mail-ej1-x634.google.com with SMTP id z12so7679782ejw.0 for ; Fri, 28 May 2021 15:52:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hYw5L9uovAkFsfHnHeXQzSMU5L4IRTMjhY6/K5rzT9U=; b=yuNgeXWN+6xWyHkZN3hopiuhLwOwLkMW4jfx/Ke9qnP+4D2F8F70wSggXfODvDfJTi ILz10rk+8ClZi8HbQdGtQbcSvgtB1sGOONGOZStOBth62K6Hz5gg9CX1vrt+j4VA5tlX Ix+Nfa7RDnmnOhfUmMbJi+8cg+u3ye37cM6IYBcAIMHhRDDaEBkVCskOi0kOs7gnKSdI mXKdCDDvyo3dLsxWV8KBORTR/cOBJBOknrc9qVd3Bzm0TtTxq1bM5m5gMw8Uhs9lgJXG aX1MQzG+pMBsWwu0lszw5ECGLix/RDqMzdlR8Bx+v92dGBI1vhRO3aOIv5eom6bntiJ4 /j8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hYw5L9uovAkFsfHnHeXQzSMU5L4IRTMjhY6/K5rzT9U=; b=N+OtMxecCuVo50WTlcndEUUBOdzA8CPPKNSGOEJoK4jEB9wPQ9AK9dIGiTI416hP6k ZMa9Q8eL0xJAKb8Mr4zpITREqiyBvy9deYCNWadJII9jHlKZMzpGpRFFeSi8NLX6hFcC HvjZENLo3U11tSz9MolQo1G/qYevxjn9Jm/SCkrKJHplmKeAAcgS1Q/W5fsLy6lnowdQ vdWledF8tpvraPpnbs4IaXDsu5krXxMzrhw6DbSe4YWCRhhLTIKRNcuP5Vu7YOfCygWJ 2/K0hFS/J/vMpEmNlQDnMt7d2rI2tdq3ljn3nn2jjThrpB3x9AikSjJtHVSoFbVINaG/ ci2Q== X-Gm-Message-State: AOAM532bucdHTArbqgaLyQZI5FXPG/2BU8tlnIuv9/9FrB5XjwCwbE5C G2ywWnHIATfb9/gq10fm0hMKACtiMnvRKkdl/ekZ X-Received: by 2002:a17:906:4111:: with SMTP id j17mr1665351ejk.488.1622242365987; Fri, 28 May 2021 15:52:45 -0700 (PDT) MIME-Version: 1.0 References: <20210517092006.803332-1-omosnace@redhat.com> <01135120-8bf7-df2e-cff0-1d73f1f841c3@iogearbox.net> In-Reply-To: From: Paul Moore Date: Fri, 28 May 2021 18:52:34 -0400 Message-ID: Subject: Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks To: Daniel Borkmann Cc: Ondrej Mosnacek , linux-security-module@vger.kernel.org, James Morris , Steven Rostedt , Ingo Molnar , Stephen Smalley , selinux@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Casey Schaufler , jolsa@redhat.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 28, 2021 at 2:28 PM Daniel Borkmann wrote: > On 5/28/21 5:47 PM, Paul Moore wrote: > > Let's reset. > > Sure, yep, lets shortly take one step back. :) > > > What task_struct is running the BPF tracing program which is calling > > into security_locked_down()? My current feeling is that it is this > > context/domain/cred that should be used for the access control check; > > in the cases where it is a kernel thread, I think passing NULL is > > reasonable, but I think the proper thing for SELinux is to interpret > > NULL as kernel_t. > > If this was a typical LSM hook and, say, your app calls into bind(2) where > we then invoke security_socket_bind() and check 'current' task, then I'm all > with you, because this was _explicitly initiated_ by the httpd app, so that > allow/deny policy belongs in the context of httpd. > > In the case of tracing, it's different. You install small programs that are > triggered when certain events fire. Random example from bpftrace's README [0], > you want to generate a histogram of syscall counts by program. One-liner is: > > bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }' > > bpftrace then goes and generates a BPF prog from this internally. One way of > doing it could be to call bpf_get_current_task() helper and then access > current->comm via one of bpf_probe_read_kernel{,_str}() helpers. So the > program itself has nothing to do with httpd or any other random app doing > a syscall here. The BPF prog _explicitly initiated_ the lockdown check. > The allow/deny policy belongs in the context of bpftrace: meaning, you want > to grant bpftrace access to use these helpers, but other tracers on the > systems like my_random_tracer not. While this works for prior mentioned > cases of security_locked_down() with open_kcore() for /proc/kcore access > or the module_sig_check(), it is broken for tracing as-is, and the patch > I sent earlier fixes this. Sigh. Generally it's helpful when someone asks a question if you answer it directly before going off and answering your own questions. Listen, I get it, you wrote a patch and it fixes your problem (you've mentioned that already) and it's wonderful and all that, but the rest of us (maybe just me) need to sort this out too and talking past questions isn't a great way to help us get there (once again, maybe just me). I think I can infer an answer from you, but you've made me grumpy now so I'm not ACK'ing or NACK'ing anything right now; I clearly need to go spend some time reading through BPF code. Woo. > [0] https://github.com/iovisor/bpftrace -- paul moore www.paul-moore.com