Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1388369pxj; Sat, 29 May 2021 11:51:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxMW1DgW1YZnlsu8lKq6cSm6yZEeRhHOI/F6AswHLYt/Ihxdv6lMh5Pg0DRfALwZk4+vGXs X-Received: by 2002:a05:6e02:1111:: with SMTP id u17mr86328ilk.307.1622314293910; Sat, 29 May 2021 11:51:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622314293; cv=none; d=google.com; s=arc-20160816; b=BQS/8rnqQRlB5MAhdl5CpcGyKE/xb+L+6RTP9TJFMyBu58yK7uzwTZFtd9FWmxW9W2 WqoT8Co1UltYkdfqy8MmOLwPAwvmBLO98AOlrUdIIZX6TVCMcxxVGovfVvQ6IrD5beAn r1dxjjaZzLjqJJ2xmsG/o2a/L4c6UZg5hqyggLCnyFj91cbT+SR1v/m3HymuHxeYONwm csYEl6Ud4deKRl9vXrPy9xy5Wb3l7eVsnrMC/dgsXk8AymVKCQzhbla+SX0LrCwNfwu+ 6mUV2QolZHLhW8ZIw4FC9Ig/ETLlsJ3Ery+Kb5Fg6UcWHV4CKaLvR8t6p+pGVKKlFoHe OVgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=PxkN5674Gdo7C/DvFwdmRlPrHnz0qD2VW7zEeao9HA0=; b=HHnke7l3giqpM2pWsaNjFWSGSld94n+RSUzSR/aJOOg/oxrN5VlX15KO4heGH2+ppI ZTC2lZawh0gwX2hXklEq4vcQIjQyPKQnsGV73M+8OQp+wgK1tlRvvrz1yphPR3UhdWkj VDqJvV7iXs/wQR4yAnraQ/+RV4+lo6SFJ5utPxHgB+bn1Cm86WQOQ7BxbkxikqhL5iPP Xi4aY3FabymDUcLA+CR0hjnjCzRG0lwY+wpu5QNASNLZCKD0zovXfTkphkmyZP6RUpHe gb/009UJjrFSP0NrJ9008LJElxxJEr0U0H+XENJh0o8gD1wMSbSioMU9mQXDf3fOsG0X k3jA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=egZtDVPv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h6si9634456jaj.29.2021.05.29.11.51.19; Sat, 29 May 2021 11:51:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=egZtDVPv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229876AbhE2SuX (ORCPT + 99 others); Sat, 29 May 2021 14:50:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35896 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229822AbhE2SuW (ORCPT ); Sat, 29 May 2021 14:50:22 -0400 Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C668EC0613CE for ; Sat, 29 May 2021 11:48:45 -0700 (PDT) Received: by mail-ed1-x52f.google.com with SMTP id df21so8635814edb.3 for ; Sat, 29 May 2021 11:48:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PxkN5674Gdo7C/DvFwdmRlPrHnz0qD2VW7zEeao9HA0=; b=egZtDVPv+pEmzpQcYmGqbrNNZyRf7Aqgebz64H8qjXLqaTKcUwlR3bcfeOXQVoQ0/I 7zwI+0FvRjoKaxZUkV7/qMK527UOii8JwIHXsmWt3289bVTzi9jLS7DrylJywuRK85RH XBY1R3AHPL69XeC7SFpUqb6jYFOv1/r8nNtp8fKORkkIuxQaK7l7pwk6KrKXFhlZQCGE EcOZJePRxsnnGa9NxCm+Hg9bBxdVgKUxA06srzViIJ8xJs6i38G7NVkfnqvzrPg5uWam tPUgQZGd1V/osaT50MNDtOL3E3SbY3nnfIen9INxBSbFY2ZNJ5UWnlfEyLDqOf4fSzeX BIxQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PxkN5674Gdo7C/DvFwdmRlPrHnz0qD2VW7zEeao9HA0=; b=o0ual7G7BVlVOvDo1qmQPl2/4CdyUIrwwLb15GkRqj6Jr9miwibFQ2e3xrWe/Mj0za 2wbOYfzITFliEzydJh58yVKLZQlU+/5SOfqRnUZ+5qc0npyjZ232kdsXBeAI4/XYI4Au XsPNMedRVAuqGypuCZalqHItnUisOmJKL6vFcHIeXQbrMyQ8ZFj10G+5zMajgMrq9xXT s1PcY759dWszLq6uan7XHfyVDyl6TRoRG1B9QNzjlUqWrDUtDMJilKcMglLciQcybCHF V37Iya4hDF2Em4xgEygGa/+rJ0Ibo8My9wwQ76H1v5PdLOkPKSJFzMofxNtU4ypPK6Ea zhQg== X-Gm-Message-State: AOAM531EAyaXyw/Kt98Ywz2ufQwezadqYdIZ+1VT7c8DF4ZWlBgxr89p IzdCuo6CoJDUiLxR4Z6lGb7bH9NapnbwvXGgFo5E X-Received: by 2002:a05:6402:430b:: with SMTP id m11mr16690557edc.31.1622314124071; Sat, 29 May 2021 11:48:44 -0700 (PDT) MIME-Version: 1.0 References: <20210517092006.803332-1-omosnace@redhat.com> <01135120-8bf7-df2e-cff0-1d73f1f841c3@iogearbox.net> In-Reply-To: From: Paul Moore Date: Sat, 29 May 2021 14:48:33 -0400 Message-ID: Subject: Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks To: Daniel Borkmann Cc: Ondrej Mosnacek , linux-security-module@vger.kernel.org, James Morris , Steven Rostedt , Ingo Molnar , Stephen Smalley , selinux@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Casey Schaufler , jolsa@redhat.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 28, 2021 at 2:28 PM Daniel Borkmann wrote: > In the case of tracing, it's different. You install small programs that are > triggered when certain events fire. Random example from bpftrace's README [0], > you want to generate a histogram of syscall counts by program. One-liner is: > > bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }' > > bpftrace then goes and generates a BPF prog from this internally. One way of > doing it could be to call bpf_get_current_task() helper and then access > current->comm via one of bpf_probe_read_kernel{,_str}() helpers ... I think we can all agree that the BPF tracing is a bit chaotic in the sense that the tracing programs can be executed in various places/contexts and that presents some challenges with respect to access control and auditing. If you are following the io_uring stuff that is going on now you can see a little of what is required to make audit work properly in the various io_uring contexts and that is relatively small compared to what is possible with BPF tracing. Of course this assumes I've managed to understand bpf tracing properly this morning, and I very well may still be missing points and/or confused about some of the important details. Corrections are welcome. Daniel's patch side steps that worry by just doing the lockdown permission check when the BPF program is loaded, but that isn't a great solution if the policy changes afterward. I was hoping there might be some way to perform the permission check as needed, but the more I look the more that appears to be difficult, if not impossible (once again, corrections are welcome). I'm now wondering if the right solution here is to make use of the LSM notifier mechanism. I'm not yet entirely sure if this would work from a BPF perspective, but I could envision the BPF subsystem registering a LSM notification callback via register_blocking_lsm_notifier(), see if Infiniband code as an example, and then when the LSM(s) policy changes the BPF subsystem would get a notification and it could revalidate the existing BPF programs and take block/remove/whatever the offending BPF programs. This obviously requires a few things which I'm not sure are easily done, or even possible: 1. Somehow the BPF programs would need to be "marked" at load/verification time with respect to their lockdown requirements so that decisions can be made later. Perhaps a flag in bpf_prog_aux? 2. While it looks like it should be possible to iterate over all of the loaded BPF programs in the LSM notifier callback via idr_for_each(prog_idr, ...), it is not clear to me if it is possible to safely remove, or somehow disable, BPF programs once they have been loaded. Hopefully the BPF folks can help answer that question. 3. Disabling of BPF programs might be preferable to removing them entirely on LSM policy changes as it would be possible to make the lockdown state less restrictive at a future point in time, allowing for the BPF program to be executed again. Once again, not sure if this is even possible. Related, the lockdown LSM should probably also grow LSM notifier support similar to selinux_lsm_notifier_avc_callback(), for example either lock_kernel_down() or lockdown_write() might want to do a call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL) call. -- paul moore www.paul-moore.com