Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1113045rwb; Wed, 16 Nov 2022 12:15:24 -0800 (PST) X-Google-Smtp-Source: AA0mqf6M/GVGDOl9crl6WNNefGIl1LSt7gtDPrPQpBFT5tqktFrV3SV7cmyqvPZKetaYnsnk811t X-Received: by 2002:a63:5859:0:b0:470:537c:1092 with SMTP id i25-20020a635859000000b00470537c1092mr22033740pgm.287.1668629724478; Wed, 16 Nov 2022 12:15:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668629724; cv=none; d=google.com; s=arc-20160816; b=PYdKOiDr0pHdJVSL5uEPLmBVFnehfILLY5yPGtv+ifa8xbh4QTkfAACPqz9TnklBkN EBRpuR9FD+hu49DgDxMGa4KI4rQLji7PN4ocrzgN4Il2XR2kF2NdgAWvB5Md/c4dGl72 4haOEikgUHFqkjLfiilNVaIL2pnaNlSrYKigUnVvggQIxUOswFf46nAj3ddHvOQ7ZNOm z1WOTnPFNGodWdmWoKlvZ+ZI9INqNa2rJ/YmbiyIc7H7sSPqngGZj4zsHmYCQRgkGEP+ v+ZXF+B5XrOyccawya0JpapCX4FccfulifQOThLuu/CLjn7M2bzEA5Hyh5gHqGP7lFdM H5/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=IiF88G034uL2RcMDn+KXU2RsCod6fHSFozWZ3jNqki4=; b=B+yeZi5ti27dmQvnhS59/h/dgapfNgr+8DfkHgXJbI1vCE7pN5PVIQxUfjit+J6xy6 xR86SRLNrNJSDwJud4AZIb42mVVOA2tqs7u9c8SS8pIyt/H1jIy6rD9qppFUkc61BUVD SRPcKySkf4imzeSvH7uEqtHQ2eZ/yN01K8XKSYJi2mMoZK3F+ehG80GNk+tW+JOCANWh S79G8sO5xOfm8xnwL4Dbbgv25VDuv8EPaZfzQysGDu/E9uKNej5uap+7o87haB2DTdmz ERkTIn1qRAlIjXdAqe8wOj2JgdlXqu/44x9AVhWp0xYmRA/sWXFRpkkFd858n/CEZ62H Ftig== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=S9vbF+Y8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id oc13-20020a17090b1c0d00b00217b50ee7b6si3055209pjb.1.2022.11.16.12.15.13; Wed, 16 Nov 2022 12:15:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=S9vbF+Y8; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234215AbiKPTFB (ORCPT + 90 others); Wed, 16 Nov 2022 14:05:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33500 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231681AbiKPTE5 (ORCPT ); Wed, 16 Nov 2022 14:04:57 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 838A42E9C3 for ; Wed, 16 Nov 2022 11:04:56 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 1D31261F5B for ; Wed, 16 Nov 2022 19:04:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76C41C433C1 for ; Wed, 16 Nov 2022 19:04:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1668625495; bh=ggjBHz/iXOJuB+7T8rB0pJMs8tHXxqRRao0/V4leHlk=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=S9vbF+Y88A6uSIVAnsUXVA/q92/UiHzeT8YhSxacbWIgzcMYKZ32Lr3yNmhQFJYMl 5C78L5HU4/aiHlZjzy1OdQHtXQnsC/Zk+QeyM8I5EXx4lbd1sDSRwtikRpHz3WpuMX yNihl/OID7CECeenLwpj+B8RDYfV5uyWnBDVyyTwsNp+I3dYM9mTL1iFy1mD32WHEI JpUgF1ONqEwYZcPTZtKe0i4ySsFkmtpXiF8YQ2k5CAmVfO+en2QGGLZ7wg0ibsFwYx C6z8IOInQjWAWrJFJlq5Iv3n0BVlRWulZyVM2H0ZC0wQIILR3BRrIrAj44dwlBZBcw muwf62K0jxDXQ== Received: by mail-lf1-f50.google.com with SMTP id l12so31050556lfp.6 for ; Wed, 16 Nov 2022 11:04:55 -0800 (PST) X-Gm-Message-State: ANoB5pkDTi8e8tKjIvo8Bej6duWU2I5EYmMXRLs3G+FCaVtOguM5pEQ1 6VxFZSse4y6NasFTpOEbvreDeL022+N8IY2rlzYToA== X-Received: by 2002:a19:6748:0:b0:498:f589:c1b3 with SMTP id e8-20020a196748000000b00498f589c1b3mr7217976lfj.406.1668625493510; Wed, 16 Nov 2022 11:04:53 -0800 (PST) MIME-Version: 1.0 References: <700dffccdfeeb3d19c5385550e4c84f08c705e19.camel@huaweicloud.com> <20221116154712.4115929-1-roberto.sassu@huaweicloud.com> <05bf553f795ac93ea3032cfc1b56ca35fd6a920a.camel@huaweicloud.com> In-Reply-To: From: KP Singh Date: Wed, 16 Nov 2022 20:04:42 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PoC][PATCH] bpf: Call return value check function in the JITed code To: Alexei Starovoitov Cc: Roberto Sassu , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , Stanislav Fomichev , Hao Luo , Jiri Olsa , Florent Revest , Brendan Jackman , Paul Moore , James Morris , "Serge E . Hallyn" , bpf , LSM List , LKML , Roberto Sassu Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 16, 2022 at 6:55 PM Alexei Starovoitov wrote: > > On Wed, Nov 16, 2022 at 8:41 AM Roberto Sassu > wrote: > > > > On Wed, 2022-11-16 at 08:16 -0800, Alexei Starovoitov wrote: > > > On Wed, Nov 16, 2022 at 7:48 AM Roberto Sassu > > > wrote: > > > > +static bool is_ret_value_allowed(int ret, u32 ret_flags) > > > > +{ > > > > + if ((ret < 0 && !(ret_flags & LSM_RET_NEG)) || > > > > + (ret == 0 && !(ret_flags & LSM_RET_ZERO)) || > > > > + (ret == 1 && !(ret_flags & LSM_RET_ONE)) || > > > > + (ret > 1 && !(ret_flags & LSM_RET_GT_ONE))) > > > > + return false; > > > > + > > > > + return true; > > > > +} > > > > + > > > > /* For every LSM hook that allows attachment of BPF programs, declare a nop > > > > * function where a BPF program can be attached. > > > > */ > > > > @@ -30,6 +41,15 @@ noinline RET bpf_lsm_##NAME(__VA_ARGS__) \ > > > > #include > > > > #undef LSM_HOOK > > > > > > > > +#define LSM_HOOK(RET, DEFAULT, RET_FLAGS, NAME, ...) \ > > > > +noinline RET bpf_lsm_##NAME##_ret(int ret) \ > > > > +{ \ > > > > + return is_ret_value_allowed(ret, RET_FLAGS) ? ret : DEFAULT; \ > > > > +} > > > > + > > > > +#include > > > > +#undef LSM_HOOK > > > > + > > > > > > because lsm hooks is mess of undocumented return values your > > > "solution" is to add hundreds of noninline functions > > > and hack the call into them in JITs ?! > > > > I revisited the documentation and checked each LSM hook one by one. > > Hopefully, I completed it correctly, but I would review again (others > > are also welcome to do it). > > > > Not sure if there is a more efficient way. Do you have any idea? > > Maybe we find a way to use only one check function (by reusing the > > address of the attachment point?). > > > > Regarding the JIT approach, I didn't find a reliable solution for using > > just the verifier. As I wrote to you, there could be the case where the > > range can include positive values, despite the possible return values > > are zero and -EACCES. > > Didn't you find that there are only 12 or so odd return cases. > Maybe refactor some of them to something that the verifier can enforce > and denylist the rest ? +1 > > Also denylist those that Casey mentioned like security_secid_to_secctx ? Just replied to Casey's comment and I agree, these hooks should be denylisted.