Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp925845pxb; Wed, 6 Apr 2022 04:29:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzTkDoknlUjzgEKpKz88Xybgy5apGJp8HGJzJZRQn0hmkXbn5sxmH3jZ4zpDiiQwhEbTwII X-Received: by 2002:a17:90b:4c08:b0:1c7:61ce:b707 with SMTP id na8-20020a17090b4c0800b001c761ceb707mr9357403pjb.16.1649244555142; Wed, 06 Apr 2022 04:29:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649244555; cv=none; d=google.com; s=arc-20160816; b=ye9BWw2BdCSbT5dqedEHiZl0wSOdwdz+HtFtClngMsFkZLcWVEDzAt/J4CZYJjGBTi I0VvYsx2oQLG4hYiBE93FE2s0YM24inP+RDWpqnWhVWxHdqwdRP6GaxyK/32EJw2M6a3 MZs5XavuQN/+gh5k5Y7KIxDmtKj2/Pr6q64V6a/bP46BXByJY8Sj7lB3Rn1gc6Mh/6Dr llnfs5LqAkK9pk9/dDOrJuGMdE4/xwLSiyRgRk4MERAQwzUXgcUfZmkG1JTKN6ihcZvk wu7ikPaMtSwEUfjVdiBVyn5Rcf6KHQsI9TOVhQffw8QIBelcdlqjGuXSaNaPc33Dzg5T nErw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=cRjHR0BBxXyZsJPYUVrZx94fcPSGcEGiPE/xrQREKL8=; b=v2e5blKTbb0VJrh1PP/NCpBwsaJQkE7LaZwidfD5Y0ESukxW+peCYvNTt/tXI5gCXZ E7I7stYT9L2E23z+7uvYwNZ63r7iX4n+bBERVffPlTwfvOoxt244d1oau32osUMS/sUQ uyRULZZ6MgZ8gedAwBtd8jFajRcY4VKseekCbzxJJcm5DX6X0ydiLoqpgDxUnBKc+mDC q88BJ7AbWDD5VY9RuGwxRaw7rn+s/HKdX53+enEVy7cl65C5S2BKR7f561EApskdfePC Htwu0lCf8PLDdBoyYTfbf0Rvwa7/VPiLCoskFXevFEqaip5xw6PJsys2YZ1nHYW1RJEs N53w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=fE6K3ZMO; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id m6-20020a656a06000000b003825f9c93a9si18610443pgu.524.2022.04.06.04.29.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 04:29:15 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=fE6K3ZMO; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 40BF15FD03A; Wed, 6 Apr 2022 02:51:08 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344415AbiDEVCc (ORCPT + 99 others); Tue, 5 Apr 2022 17:02:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43558 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1457756AbiDEQkG (ORCPT ); Tue, 5 Apr 2022 12:40:06 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3E64BD9EA2 for ; Tue, 5 Apr 2022 09:38:08 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id F18D2B81E8B for ; Tue, 5 Apr 2022 16:38:06 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C45D1C385A5 for ; Tue, 5 Apr 2022 16:38:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1649176685; bh=Godeb1QF1XaLrnNDs3lSu+RGeizZyertdC0hYAIHClw=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=fE6K3ZMOrzLhOrGELR5HAtFVyi2NejfAzQAYn94hbuyiYrk1Wj/uHjQ/sUwrFLq7b A90RQAeTHiH/jnF2FsoDzzb6YF6K7Da9PcyEtfDSMTTtqoV+6881nB3QRuxgbRB1C0 L1BVh6We0d4/AWznFWw+bE9HrosTDxOoqixJRgriBIQeRWuil9/sq6gfrBnMMr+5wI zMbtCSoVvsck22ldzHRKFa04rO6n/CZ4G3xf1f7z+cHOmA7EOAPN7aPLK7G36cU3Ql jPOSWjIGfcde6VfzUdUUGxaUZdzwVjVyzkIbs+C0Mf1xPcXcBfPZUslz33qheWg8dg 7wC9nhqlRbeAg== Received: by mail-lf1-f49.google.com with SMTP id d5so24193237lfj.9 for ; Tue, 05 Apr 2022 09:38:05 -0700 (PDT) X-Gm-Message-State: AOAM530ltRtJDyN63FLLdLyyiHPgDFO6tY0icqvOcxOThfPHqVdR/jTe lCkazb6l2DfBB6tbeQBxmC7KzhsGbYnoOkORZFhXuQ== X-Received: by 2002:a17:907:6089:b0:6db:a3d7:3fa9 with SMTP id ht9-20020a170907608900b006dba3d73fa9mr4556278ejc.593.1649176672844; Tue, 05 Apr 2022 09:37:52 -0700 (PDT) MIME-Version: 1.0 References: <20220328175033.2437312-1-roberto.sassu@huawei.com> <20220331022727.ybj4rui4raxmsdpu@MBP-98dd607d3435.dhcp.thefacebook.com> <20220401235537.mwziwuo4n53m5cxp@MBP-98dd607d3435.dhcp.thefacebook.com> <385e4cf4-4cd1-8f41-5352-ea87a1f419ad@schaufler-ca.com> <0497bb46586c4f37b9bd01950ba9e6a5@huawei.com> In-Reply-To: From: KP Singh Date: Tue, 5 Apr 2022 18:37:42 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 00/18] bpf: Secure and authenticated preloading of eBPF programs To: Casey Schaufler Cc: Roberto Sassu , Djalal Harouni , Alexei Starovoitov , "corbet@lwn.net" , "viro@zeniv.linux.org.uk" , "ast@kernel.org" , "daniel@iogearbox.net" , "andrii@kernel.org" , "shuah@kernel.org" , "mcoquelin.stm32@gmail.com" , "alexandre.torgue@foss.st.com" , "zohar@linux.ibm.com" , "linux-doc@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "netdev@vger.kernel.org" , "bpf@vger.kernel.org" , "linux-kselftest@vger.kernel.org" , "linux-stm32@st-md-mailman.stormreply.com" , "linux-arm-kernel@lists.infradead.org" , "linux-integrity@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 5, 2022 at 6:22 PM Casey Schaufler wrote: > > On 4/5/2022 8:29 AM, Roberto Sassu wrote: > >> From: Casey Schaufler [mailto:casey@schaufler-ca.com] > >> Sent: Tuesday, April 5, 2022 4:50 PM > >> On 4/4/2022 10:20 AM, Roberto Sassu wrote: > >>>> From: Djalal Harouni [mailto:tixxdz@gmail.com] > >>>> Sent: Monday, April 4, 2022 9:45 AM > >>>> On Sun, Apr 3, 2022 at 5:42 PM KP Singh wrote: > >>>>> On Sat, Apr 2, 2022 at 1:55 AM Alexei Starovoitov > >>>>> wrote: > >>>> ... > >>>>>>> Pinning > >>>>>>> them to unreachable inodes intuitively looked the > >>>>>>> way to go for achieving the stated goal. > >>>>>> We can consider inodes in bpffs that are not unlinkable by root > >>>>>> in the future, but certainly not for this use case. > >>>>> Can this not be already done by adding a BPF_LSM program to the > >>>>> inode_unlink LSM hook? > >>>>> > >>>> Also, beside of the inode_unlink... and out of curiosity: making > >> sysfs/bpffs/ > >>>> readonly after pinning, then using bpf LSM hooks > >>>> sb_mount|remount|unmount... > >>>> family combining bpf() LSM hook... isn't this enough to: > >>>> 1. Restrict who can pin to bpffs without using a full MAC > >>>> 2. Restrict who can delete or unmount bpf filesystem > >>>> > >>>> ? > >>> I'm thinking to implement something like this. > >>> > >>> First, I add a new program flag called > >>> BPF_F_STOP_ONCONFIRM, which causes the ref count > >>> of the link to increase twice at creation time. In this way, > >>> user space cannot make the link disappear, unless a > >>> confirmation is explicitly sent via the bpf() system call. > >>> > >>> Another advantage is that other LSMs can decide > >>> whether or not they allow a program with this flag > >>> (in the bpf security hook). > >>> > >>> This would work regardless of the method used to > >>> load the eBPF program (user space or kernel space). > >>> > >>> Second, I extend the bpf() system call with a new > >>> subcommand, BPF_LINK_CONFIRM_STOP, which > >>> decreasres the ref count for the link of the programs > >>> with the BPF_F_STOP_ONCONFIRM flag. I will also > >>> introduce a new security hook (something like > >>> security_link_confirm_stop), so that an LSM has the > >>> opportunity to deny the stop (the bpf security hook > >>> would not be sufficient to determine exactly for > >>> which link the confirmation is given, an LSM should > >>> be able to deny the stop for its own programs). > >> Would you please stop referring to a set of eBPF programs > >> loaded into the BPF LSM as an LSM? Call it a BPF security > >> module (BSM) if you must use an abbreviation. An LSM is a > >> provider of security_ hooks. In your case that is BPF. When > >> you call the set of eBPF programs an LSM it is like calling > >> an SELinux policy an LSM. > > An eBPF program could be a provider of security_ hooks > > too. > > No, it can't. If I look in /sys/kernel/security/lsm what > you see is "bpf". The LSM is BPF. What BPF does in its > hooks is up to it and its responsibility. > > > The bpf LSM is an aggregator, similarly to your > > infrastructure to manage built-in LSMs. Maybe, calling > > it second-level LSM or secondary LSM would better > > represent this new class. > > It isn't an LSM, and adding a qualifier doesn't make it > one and only adds to the confusion. > > > The only differences are the registration method, (SEC > > directive instead of DEFINE_LSM), and what the hook > > implementation can access. > > Those two things pretty well define what an LSM is. > > > The implementation of a security_ hook via eBPF can > > follow the same structure of built-in LSMs, i.e. it can be > > uniquely responsible for enforcing and be policy-agnostic, > > and can retrieve the decisions based on a policy from a > > component implemented somewhere else. > > The BPF LSM provides mechanism. The eBPF programs provide policy. Yeah, let's stick what we call an LSM in the kernel, Here, "bpf" is the LSM like selinux,apparmor and this is what you set in CONFIG_LSM or pass on cmdline as lsm= and can be seen in /sys/kernel/security/lsm Calling your BPF programs an LSM will just confuse people. > > > > > Hopefully, I understood the basic principles correctly. > > I let the eBPF maintainers comment on this. > > > > Thanks > > > > Roberto > > > > HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 > > Managing Director: Li Peng, Zhong Ronghua > > > >>> What do you think? > >>> > >>> Thanks > >>> > >>> Roberto > >>> > >>> HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 > >>> Managing Director: Li Peng, Zhong Ronghua