lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Feb 2020 19:44:05 +0100 From: Jann Horn <jannh@...gle.com> To: Alexei Starovoitov <alexei.starovoitov@...il.com>, KP Singh <kpsingh@...omium.org> Cc: kernel list <linux-kernel@...r.kernel.org>, bpf@...r.kernel.org, linux-security-module <linux-security-module@...r.kernel.org>, Brendan Jackman <jackmanb@...gle.com>, Florent Revest <revest@...gle.com>, Thomas Garnier <thgarnie@...gle.com>, Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, James Morris <jmorris@...ei.org>, Kees Cook <keescook@...omium.org>, Thomas Garnier <thgarnie@...omium.org>, Michael Halcrow <mhalcrow@...gle.com>, Paul Turner <pjt@...gle.com>, Brendan Gregg <brendan.d.gregg@...il.com>, Matthew Garrett <mjg59@...gle.com>, Christian Brauner <christian@...uner.io>, Mickaël Salaün <mic@...ikod.net>, Florent Revest <revest@...omium.org>, Brendan Jackman <jackmanb@...omium.org>, "Serge E. Hallyn" <serge@...lyn.com>, Mauro Carvalho Chehab <mchehab+samsung@...nel.org>, "David S. Miller" <davem@...emloft.net>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Kernel Team <kernel-team@...com> Subject: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] On Tue, Feb 11, 2020 at 6:58 PM Alexei Starovoitov <alexei.starovoitov@...il.com> wrote: > On Tue, Feb 11, 2020 at 01:43:34PM +0100, KP Singh wrote: [...] > > * When using the semantic provided by fexit, the BPF LSM program will > > always be executed and will be able to override / clobber the > > decision of LSMs which appear before it in the ordered list. This > > semantic is very different from what we currently have (i.e. the BPF > > LSM hook is only called if all the other LSMs allow the action) and > > seems to be bypassing the LSM framework. > > It that's a concern it's trivial to add 'if (RC == 0)' check to fexit > trampoline generator specific to lsm progs. [...] > Using fexit mechanism and bpf_sk_storage generalization is > all that is needed. None of it should touch security/*. If I understand your suggestion correctly, that seems like a terrible idea to me from the perspective of inspectability and debuggability. If at runtime, a function can branch off elsewhere to modify its decision, I want to see that in the source code. If someone e.g. changes the parameters or the locking rules around a security hook, how are they supposed to understand the implications if that happens through some magic fexit trampoline that is injected at runtime?
Powered by blists - more mailing lists