Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp45808rwb; Tue, 15 Nov 2022 18:50:31 -0800 (PST) X-Google-Smtp-Source: AA0mqf6xWg+ltqCKOL6i38s/ltZE1YUFyTSvXkdMW7AO4ElbIYGSUA0pweXHxj0te6yNNiJkzLFj X-Received: by 2002:a63:5554:0:b0:46f:7e1c:77be with SMTP id f20-20020a635554000000b0046f7e1c77bemr18997870pgm.32.1668567031339; Tue, 15 Nov 2022 18:50:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668567031; cv=none; d=google.com; s=arc-20160816; b=Q0rCg51plNPqG6JtWjdOCaTCLfY9Sk82BGhXs5/ClO/WcDaouaRoshJD4pjbmDkFZK Fyxx9Ylu+LZLgP4z/uGlZE1iu7SVN5VyJHZskKiQL4l4xVxilvyoLrDAQiZk7DkNFqSI ZcRDNs5xjjq27SkTndnbE32a+gv4In1dkRtVlaGwTuAIYXilCLnhG09et/0A1aEIIfn6 8JpdKbKH8b3yG5YQwZEhylx9YbIEdRzlB+UJp1YGECyRSfXE8h39J25lPwm9/Fdljc/v 02gpmOcHnBR0XKt1av5ksyieMOMp0oQr53SVeiuH7ROwkImGi54LxnNbbrOT6agFV4Og FVPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=LsUkQ9mUTtmbZUYtAJD3DaSoBhry/tgp9n6xBguz4lI=; b=CcoR+gvX1GMIW+aE6RUg6K1UokswqQWuNzKPdofZcLMVIaN1eM1O5eiTOmIJvY4Cg9 9PfiMNuYGhigFnILKDZHspkXjkrg4H03RLcniaEwmL44vHPSEeW8U3Yz//l0cm/2FCHg p34Fzd4H2LK7kyQhyuNGEU/vd6EAjvXtvsLEoITY8rryaGiPeWMZ0CAYDvlQOeSfaw1v ZhmEUpdMUnVbufGjVxrNYIjKyPi/UMXTnmGkDBXBTJR4Y1QzW3oI82ocS8I3bVxtSg6q TIgy269XGO0jnAkA5IzdGwzfcmtAJ7JH2tENXNK5pPNZga9qjKBNt1gHOSvuugRaMJGb bspA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=BCeqLLVG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o11-20020a170902d4cb00b001869ef16477si16090196plg.356.2022.11.15.18.50.13; Tue, 15 Nov 2022 18:50:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=BCeqLLVG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231327AbiKPCf6 (ORCPT + 91 others); Tue, 15 Nov 2022 21:35:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49306 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229826AbiKPCf5 (ORCPT ); Tue, 15 Nov 2022 21:35:57 -0500 Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7B75E24BE1 for ; Tue, 15 Nov 2022 18:35:56 -0800 (PST) Received: by mail-pg1-x532.google.com with SMTP id n17so7746815pgh.9 for ; Tue, 15 Nov 2022 18:35:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=LsUkQ9mUTtmbZUYtAJD3DaSoBhry/tgp9n6xBguz4lI=; b=BCeqLLVGH2R8cvfyP4TzIQJp8FsuwwIaDb5fGlWXYWyEVoWZ4CecVwo/6hlZ0wvZMN 8lB+4IedPpag9pnDwUu3fp+CJiiyRKyRfgLgWZBq6lj5OYXr/GMQ/6PmrLoOHQfF5F2F 8JPKsCFZ2mp6UveVHoxNpH1BZrdNrYCH5iHsdmqHFkvPqarKWe3Q7LLEuojD5USAVfMj yyBjNbC6D65G4sTN7czLTqdLrM4Ikx6MbVH8WtwwBi+3ICbpjQWQG9mmMD2Ji468yFPK DL8QrJaSyUJEgplPEa2/dcuu4sVbqCCLEbNJDN0nLWJD+h+eIvwqsVlKbCuZAL7FP47K IxCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LsUkQ9mUTtmbZUYtAJD3DaSoBhry/tgp9n6xBguz4lI=; b=6yqa5EnMAiB9LF+5ttaAZw+5ILmkTqLqgT/J0/B3JCWX3Dr7meXQ/RPXtZi8+N+czs LxYE5EBLf4vCYwT9yJxZfntDNV+B+YTHjXI9nuWn+G3hbygbdYxmIruiAuLTSiWnmnZ6 O4msAcdQlABMDoi544L4GDRCD9Z6tRz3nxB0nNGO+v56QzWmxySEdbslTS0n0k8Ndsdb K6z4uOVGTJG5/CQQkvI4QbCkDxh7HGCcMV1tvgL37TSGZHZTn+fDPes7/VwuNQtIbbaT HlEIo94/1i9NGm2WykG5Tdd7Oo3QP3jt+h3VgyiKU9CVGne7xOYEPoqBvED4Zc7BVd9b aWrA== X-Gm-Message-State: ANoB5pl13Sn8yMpUTi5L25HlAHuLMdUP1rWhhpb9/bY7/ec3WGecW4ca 0+s3/Zui6TonXBzBpvNMO8xqUxjuwtKUYa+a32l7 X-Received: by 2002:a63:4087:0:b0:44e:46f9:7eeb with SMTP id n129-20020a634087000000b0044e46f97eebmr18693190pga.3.1668566155982; Tue, 15 Nov 2022 18:35:55 -0800 (PST) MIME-Version: 1.0 References: <20221115175652.3836811-1-roberto.sassu@huaweicloud.com> <20221115175652.3836811-5-roberto.sassu@huaweicloud.com> In-Reply-To: <20221115175652.3836811-5-roberto.sassu@huaweicloud.com> From: Paul Moore Date: Tue, 15 Nov 2022 21:35:44 -0500 Message-ID: Subject: Re: [RFC][PATCH 4/4] security: Enforce limitations on return values from LSMs To: Roberto Sassu Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, revest@chromium.org, jackmanb@chromium.org, jmorris@namei.org, serge@hallyn.com, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Roberto Sassu Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 15, 2022 at 12:58 PM Roberto Sassu wrote: > > From: Roberto Sassu > > LSMs should not be able to return arbitrary return values, as the callers > of the LSM infrastructure might not be ready to handle unexpected values > (e.g. positive values that are first converted to a pointer with ERR_PTR, > and then evaluated with IS_ERR()). > > Modify call_int_hook() to call is_ret_value_allowed(), so that the return > value from each LSM for a given hook is checked. If for the interval the > return value falls into the corresponding flag is not set, change the > return value to the default value, just for the current LSM. > > A misbehaving LSM would not have impact on the decision of other LSMs, as > the loop terminates whenever the return value is not zero. > > Signed-off-by: Roberto Sassu > --- > security/security.c | 34 ++++++++++++++++++++++++++++++++++ > 1 file changed, 34 insertions(+) Casey touched on some of this in his reply to patch 0/4, but basically I see this as a BPF LSM specific problem and not a generalized LSM issue that should be addressed at the LSM layer. Especially if the solution involves incurring additional processing for every LSM hook instantiation, regardless if a BPF LSM is present. Reading your overall patchset description I believe that you understand this too. If you want to somehow instrument the LSM hook definitions (what I believe to be the motivation behind patch 3/4) to indicate valid return values for use by the BPF verifier, I think we could entertain that, or at least discuss it further, but I'm not inclined to support any runtime overhead at the LSM layer for a specific LSM. -- paul-moore.com