References: <20210517092006.803332-1-omosnace@redhat.com> <01135120-8bf7-df2e-cff0-1d73f1f841c3@iogearbox.net> <2e541bdc-ae21-9a07-7ac7-6c6a4dda09e8@iogearbox.net> <3ca181e3-df32-9ae0-12c6-efb899b7ce7a@iogearbox.net>
From: Paul Moore
Date: Sat, 5 Jun 2021 21:30:57 -0400
Subject: Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks
To: Alexei Starovoitov
Cc: Daniel Borkmann, Ondrej Mosnacek, LSM List, James Morris,
    Steven Rostedt, Ingo Molnar, Stephen Smalley, selinux@vger.kernel.org,
    ppc-dev, Linux-Fsdevel, bpf, Network Development, LKML,
    Casey Schaufler, Jiri Olsa, Alexei Starovoitov, Andrii Nakryiko,
    "David S. Miller", Jakub Kicinski, Linus Torvalds
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jun 4, 2021 at 8:08 PM Alexei Starovoitov wrote:
> On Fri, Jun 4, 2021 at 4:34 PM Paul Moore wrote:
> > >
> > > Again, the problem is not limited to BPF at all. kprobes is doing register-
> > > time hooks which are equivalent to the one of BPF. Anything in run-time
> > > trying to prevent probe_read_kernel by kprobes or BPF is broken by design.
> >
> > Not being an expert on kprobes I can't really comment on that, but
> > right now I'm focused on trying to make things work for the BPF
> > helpers. I suspect that if we can get the SELinux lockdown
> > implementation working properly for BPF the solution for kprobes won't
> > be far off.
>
> Paul,

Hi Alexei,

> Both kprobe and bpf can call probe_read_kernel==copy_from_kernel_nofault
> from all contexts.
> Including NMI.

Thanks, that is helpful. In hindsight it should have been obvious
that kprobe/BPF would offer to insert code into the NMI handlers, but
I don't recall it earlier in the discussion, it's possible I simply
missed the mention.

> Most of audit_log_* is not acceptable.
> Just removing a wakeup is not solving anything.

That's not really fair now is it? Removing the wakeups in
audit_log_start() and audit_log_end() does solve some problems,
although not all of them (i.e. the NMI problem being the 800lb
gorilla).

Because of the NMI case we're not going to solve the LSM/audit case
anytime soon so it looks like we are going to have to fall back to the
patch Daniel proposed.

Acked-by: Paul Moore

--
paul moore
www.paul-moore.com