Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp1435430rdb;
        Sat, 23 Dec 2023 06:41:47 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGRGc2T8K0apyMx5rit15X6Z3T7WO1V8GSCOex9LynRwFR1Gi6lRWozaEBE5L8G+x9ZOx5a
X-Received: by 2002:a05:6214:2627:b0:67a:9a52:3a10 with SMTP id gv7-20020a056214262700b0067a9a523a10mr4725194qvb.29.1703342507021;
        Sat, 23 Dec 2023 06:41:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1703342507; cv=none;
        d=google.com; s=arc-20160816;
        b=dkcenVSWRyi5pgMQUIGhAkzKFgx/ynkSv3AQIHFSiOzBa6FQW9CwwaPL3lOqZ7AsNd
         VvMi9QUxUywrFCpfYXK5IOuMrKo3R1uBLy++fM0wjUc3HVwzBKSR2DYtNNU5zf0DytNR
         7de4kEUlvQRNHB+FuCxcfMAOBmjJp11I7nnkOPrnxNCxzgXI96lWmql8M4RBRNwduVaR
         qZJjs4JQOthAZrWTHNrAdcHklR7LpO78LduxDwAKcUm0HUEvqROqaAuxoI5zsX4RWWqX
         b7NLU2OkgATCn/5yawDuUaGrHaooTp3C2V+Sgv8CWKG4RDPQmXJTyAXm8gvysP39Qmqv
         UivQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:references:cc:to
         :content-language:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id;
        bh=MpKQb+YXIaioW3NAZAjhWkr8EoKvrEAjy/w5vr2aPas=;
        fh=kChyfzXVZN7EUo/Jw2fpEXathXSZ5OznuKB3//ks/fo=;
        b=Qe+773oeGQWMhLn7WfOpZKWwOgqmXhm5Lr5JO4wY51kX/U222PIHfTK8ifeJdZzHyu
         Cokh1q+6EUTI0lhxehbt+ngAQroYoXaw7Kp8aT/CVykoznR3cYxLn2TW+CRvUxXPkHx6
         +2FWzLBJYBN8N3gPAo2N1BeCsAoBtnyDBgcnt/5Ocw4bkIPwBQwa2/e/ENUVxTyTIRHY
         ZBtQbDCMursLpGddJrKPNbSq9K6FV5naycKjZptoz+CJ+3y/mCpntfT0KrgxljeEwjSC
         HOiokwOEGBaC97E389jOvaiXVlWRlUdUoqN0RrUJfPeGt9WB7cCKT6AEnmUAFmG+btsV
         4hAQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel+bounces-10463-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-10463-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-10463-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id x19-20020a0cda13000000b0067f610371dcsi7044086qvj.137.2023.12.23.06.41.46
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 23 Dec 2023 06:41:47 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-10463-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel+bounces-10463-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-10463-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id C3A121C211D1
	for <linux.lists.archive@gmail.com>; Sat, 23 Dec 2023 14:41:46 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 8AC671095C;
	Sat, 23 Dec 2023 14:41:24 +0000 (UTC)
X-Original-To: linux-kernel@vger.kernel.org
Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BF605DF5C
	for <linux-kernel@vger.kernel.org>; Sat, 23 Dec 2023 14:41:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp
Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=I-love.SAKURA.ne.jp
Received: from fsav311.sakura.ne.jp (fsav311.sakura.ne.jp [153.120.85.142])
	by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 3BNEfJRU010825;
	Sat, 23 Dec 2023 23:41:19 +0900 (JST)
	(envelope-from penguin-kernel@I-love.SAKURA.ne.jp)
Received: from www262.sakura.ne.jp (202.181.97.72)
 by fsav311.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav311.sakura.ne.jp);
 Sat, 23 Dec 2023 23:41:19 +0900 (JST)
X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav311.sakura.ne.jp)
Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33])
	(authenticated bits=0)
	by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 3BNEfIsK010821
	(version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO);
	Sat, 23 Dec 2023 23:41:19 +0900 (JST)
	(envelope-from penguin-kernel@I-love.SAKURA.ne.jp)
Message-ID: <57ee28a2-e626-4319-b3a3-cdca01499b13@I-love.SAKURA.ne.jp>
Date: Sat, 23 Dec 2023 23:41:17 +0900
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH] security: new security_file_ioctl_compat() hook
Content-Language: en-US
To: Alfred Piccioni <alpic@google.com>, Paul Moore <paul@paul-moore.com>,
        Stephen Smalley <stephen.smalley.work@gmail.com>,
        Eric Paris <eparis@parisplace.org>, bpf <bpf@vger.kernel.org>
Cc: linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        stable@vger.kernel.org, selinux@vger.kernel.org,
        linux-kernel@vger.kernel.org
References: <20230906102557.3432236-1-alpic@google.com>
 <20231219090909.2827497-1-alpic@google.com>
 <CALcwBGC9LzzdJeq3SWy9F3g5A32s5uSvJZae4j+rwNQqqLHCKg@mail.gmail.com>
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
In-Reply-To: <CALcwBGC9LzzdJeq3SWy9F3g5A32s5uSvJZae4j+rwNQqqLHCKg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Adding BPF.

On 2023/12/19 18:10, Alfred Piccioni wrote:
>> I didn't do an audit but does anything need to be updated for the BPF
>> LSM or does it auto-magically pick up new hooks?
> 
> I'm unsure. I looked through the BPF LSM and I can't see any way it's
> picking up the file_ioctl hook to begin with. It appears to me
> skimming through the code that it automagically picks it up, but I'm
> not willing to bet the kernel on it.

If BPF LSM silently picks up security_file_ioctl_compat() hook, I worry
that some existing BPF programs which check ioctl() using BPF LSM fail to
understand that such BPF programs need to be updated.

We basically don't care about out-of-tree kernel code. But does that rule
apply to BPF programs? Since BPF programs are out-of-tree, are BPF programs
which depend on BPF LSM considered as "we don't care about" rule?
Or is breakage of existing BPF programs considered as a regression?
(Note that this patch is CC:ed for stable kernels.)

Maybe BPF LSM should at least emit warning if the loaded BPF program defined
security_file_ioctl() hook and did not define security_file_ioctl_compat() hook?

We could use a struct where undefined hooks needs to be manually filled with
a dummy pointer, so that we can catch erroneously undefined hooks (detected by
being automatically filled with a NULL pointer) at load time?