Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp242588rwi; Tue, 25 Oct 2022 23:44:21 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7JiM+Gx9TXseUu+aeTKHk5Nt+Sz9yjGVajrFoCkb7tM+ZU5DxB2LZeAO6VJWfnEDap35H1 X-Received: by 2002:a17:902:7290:b0:17f:d04b:bf57 with SMTP id d16-20020a170902729000b0017fd04bbf57mr42422417pll.147.1666766660940; Tue, 25 Oct 2022 23:44:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666766660; cv=none; d=google.com; s=arc-20160816; b=OgnHeBBi0GddEtlH3+jheuZTBedSrXpvZC1b/G6VgWfihPXgJi149uDQE7H/GxU3qv iU5WCouS7y12niT8n+icY+QX9y82xkgaQ3XrlkSUUwTuKQnzV5NjEvlKPBEnAmvXKkoA 3Wq6b51iw88PJ0fkSSe1FWpI3cK/41ZenLx4UJeBdUvbyyec6ixbOV0QHkSrMPZGhiZ3 HveqBQ3/4nwOiPdcP63GmifFkaxn2rdsp7FclG25CS+ccGblMqcNDtRz/H5bYBGhmHmd NVvaDuEHwLvrR/Umm4IxnblFWt4sq3BFoahp27JuX7BycMGsII2NQ+nPEkqx6Ld3Di/l fqfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Mx8fYuOqE4Fz7MoTG2qyzZeL72DVY10BTmV8q9Mc57w=; b=WUsWGHIt/zojBG7hJaxTxdea+6XlivYIXqX4JHo1I+2g9CD2E3M5vcAwAW9dk7Lh5J kOMBlHfMxZNwZjHoGds2lPjzP/BNA+w557K/z2ZDvutJhDm0VdxwsSjGzOKYAU51fwp1 lQV3FUrdc2Y0t1rbmBT3NHDBPT/uMMqkOQgj+kEo+Tw/0cOcw6rKr8SYowz+bPwQM1AZ qqZMfjDeZ0dcMfqM87HhgSow5IwK3MsE5o12rreAbvZA86Z9mSv71C20mUgwdTEPdOot tAe7LBkqle+3dZJgbfV2bNWIiYEv6ewXwZVry1aNOGEh+iZFSKXL3pd8zLRPcmkOtebb 33jw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=qHrL7FKI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 207-20020a6301d8000000b0043c474c8942si5919040pgb.673.2022.10.25.23.44.08; Tue, 25 Oct 2022 23:44:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=qHrL7FKI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233210AbiJZGiG (ORCPT + 99 others); Wed, 26 Oct 2022 02:38:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33748 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229995AbiJZGiC (ORCPT ); Wed, 26 Oct 2022 02:38:02 -0400 Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 69B9778BE1; Tue, 25 Oct 2022 23:38:01 -0700 (PDT) Received: by mail-ej1-x62c.google.com with SMTP id t25so13164108ejb.8; Tue, 25 Oct 2022 23:38:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Mx8fYuOqE4Fz7MoTG2qyzZeL72DVY10BTmV8q9Mc57w=; b=qHrL7FKIzMARVP4gCZGtCYP08mU2Xgs4Znav05N95RRQvkbRXbQF61MJZY96Q7WP/F PWoN3+fpTvoAPWT65Uyqim26UaP8B6LfsZtTfWdCU7iLytxgLzcnb4igksIT7QZ63oZJ Vlrlyxo1RC4LpvygdZyzmKnEkymjdjkwbcBMqF7MX8OOLslunSPukQWeBsGRHL+6QRaP Gl9hoVbkGXIolT8N8QoHjwTe7TKPha9HyqpFdaIaHQ9pqMxaoSxBf3OZxHGXjYO+QKBk 8QCxxjRWCmzjerQAe0aH8NBo19nPtyIFLm8/1uhQpLw2ng6P8F0nRHz8I2flGllpOQYf BcVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Mx8fYuOqE4Fz7MoTG2qyzZeL72DVY10BTmV8q9Mc57w=; b=hXlJ7XzjruRa94wvdR8J9cBkfmRbAKKs+jGTEqpAHPAYFlKKGKWoYjCb2stoUdf8I6 t0dRF80n9NVi6pnrXGWiJZgpgjWiFwoJh7eeRX9k24L24istYrmmgkiSsGbDlfSDDL8V 6fKDr5MSUtUhjVEeVuNo9XBVHh+YBImVoKK1Ntek+zvXQ8cUwmLvut+IuL0wvs4AH0GC get9FtZQEio2y5NUTWkgiFT5EphSAPARwHn/INTi93lJ5Ls5ElUepael6XDz6Pmbfz/F FhlIl78cvq6JcDVPQTJYVj8VuXSm2akvh3komNtK/Ob9EfZx2HuKcGUSfKSUq+rzT4bP sG1g== X-Gm-Message-State: ACrzQf2C3apmnbEgnKOLsRE3m5xLJ8A2BV9vSWvNUUK5/qs2e4XMkXRL 8W61TKzexHw+ftPhJt1MtR3F/RM5PiWrpJXbE9Q= X-Received: by 2002:a17:906:fe45:b0:788:15a5:7495 with SMTP id wz5-20020a170906fe4500b0078815a57495mr36566308ejb.633.1666766233858; Tue, 25 Oct 2022 23:37:13 -0700 (PDT) MIME-Version: 1.0 References: <20221021164626.3729012-1-roberto.sassu@huaweicloud.com> <98353f6c82d3dabdb0d434d7ecf0bfc5295015ad.camel@huaweicloud.com> In-Reply-To: From: Alexei Starovoitov Date: Tue, 25 Oct 2022 23:37:02 -0700 Message-ID: Subject: Re: [RFC][PATCH] bpf: Check xattr name/value pair from bpf_lsm_inode_init_security() To: Casey Schaufler Cc: Roberto Sassu , KP Singh , Florent Revest , Brendan Jackman , Paul Moore , James Morris , "Serge E . Hallyn" , bpf , LSM List , LKML , nicolas.bouchinet@clip-os.org, Mimi Zohar , linux-integrity Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 25, 2022 at 7:58 AM Casey Schaufler wrote: > > On 10/25/2022 12:43 AM, Roberto Sassu wrote: > > On Mon, 2022-10-24 at 19:13 -0700, Alexei Starovoitov wrote: > >> I'm looking at security_inode_init_security() and it is indeed messy. > >> Per file system initxattrs callback that processes kmalloc-ed > >> strings. > >> Yikes. > >> > >> In the short term we should denylist inode_init_security hook to > >> disallow attaching bpf-lsm there. set/getxattr should be done > >> through kfuncs instead of such kmalloc-a-string hack. > > Inode_init_security is an example. It could be that the other hooks are > > affected too. What happens if they get arbitrary positive values too? > > TL;DR - Things will go cattywampus. > > The LSM infrastructure is an interface that has "grown organically", > and isn't necessarily consistent in what it requires of the security > module implementations. There are cases where it assumes that the > security module hooks are well behaved, as you've discovered. I have > no small amount of fear that someone is going to provide an eBPF > program for security_secid_to_secctx(). There has been an assumption, > oft stated, that all security modules are going to be reviewed as > part of the upstream process. The review process ought to catch hooks > that return unacceptable values. Alas, we've lost that with BPF. > > It would take a(nother) major overhaul of the LSM infrastructure to > make it safe against hooks that are not well behaved. From what I have > seen so far it wouldn't be easy/convenient/performant to do it in the > BPF security module either. I personally think that BPF needs to > ensure that the eBPF implementations don't return inappropriate values, > but I understand why that is problematic. That's an accurate statement. Thank you. Going back to the original question... We fix bugs when we discover them. Regardless of the subsystem they belong to. No finger pointing.