lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 28 Mar 2020 20:56:36 +0100
From:   KP Singh <kpsingh@...omium.org>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     KP Singh <kpsingh@...omium.org>, linux-kernel@...r.kernel.org,
        bpf@...r.kernel.org, linux-security-module@...r.kernel.org,
        Alexei Starovoitov <ast@...nel.org>,
        James Morris <jmorris@...ei.org>,
        Kees Cook <keescook@...omium.org>,
        Paul Turner <pjt@...gle.com>, Jann Horn <jannh@...gle.com>,
        Florent Revest <revest@...omium.org>,
        Brendan Jackman <jackmanb@...omium.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH bpf-next v8 0/8] MAC and Audit policy using eBPF (KRSI)

On 28-Mar 18:18, Daniel Borkmann wrote:
> Hey KP,
> 
> On 3/27/20 8:28 PM, KP Singh wrote:
> > From: KP Singh <kpsingh@...gle.com>
> > 
> > # v7 -> v8
> > 
> >    https://lore.kernel.org/bpf/20200326142823.26277-1-kpsingh@chromium.org/
> > 
> > * Removed CAP_MAC_ADMIN check from bpf_lsm_verify_prog. LSMs can add it
> >    in their own bpf_prog hook. This can be revisited as a separate patch.
> > * Added Andrii and James' Ack/Review tags.
> > * Fixed an indentation issue and missing newlines in selftest error
> >    a cases.
> > * Updated a comment as suggested by Alexei.
> > * Updated the documentation to use the newer libbpf API and some other
> >    fixes.
> > * Rebase
> > 
> > # v6 -> v7
> > 
> >    https://lore.kernel.org/bpf/20200325152629.6904-1-kpsingh@chromium.org/
> > 
> [...]
> > KP Singh (8):
> >    bpf: Introduce BPF_PROG_TYPE_LSM
> >    security: Refactor declaration of LSM hooks
> >    bpf: lsm: provide attachment points for BPF LSM programs
> >    bpf: lsm: Implement attach, detach and execution
> >    bpf: lsm: Initialize the BPF LSM hooks
> >    tools/libbpf: Add support for BPF_PROG_TYPE_LSM
> >    bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM
> >    bpf: lsm: Add Documentation
> 
> I was about to apply, but then I'm getting the following selftest issue on
> the added LSM one, ptal:
> 
> # ./test_progs
> [...]
> #65/1 test_global_func1.o:OK
> #65/2 test_global_func2.o:OK
> #65/3 test_global_func3.o:OK
> #65/4 test_global_func4.o:OK
> #65/5 test_global_func5.o:OK
> #65/6 test_global_func6.o:OK
> #65/7 test_global_func7.o:OK
> #65 test_global_funcs:OK
> test_test_lsm:PASS:skel_load 0 nsec
> test_test_lsm:PASS:attach 0 nsec
> test_test_lsm:PASS:exec_cmd 0 nsec
> test_test_lsm:FAIL:bprm_count bprm_count = 0
> test_test_lsm:FAIL:heap_mprotect want errno=EPERM, got 22

The test seems to pass for me [classic, "works on my machine" ;)]

  ./test_progs -t test_lsm
  #66 test_lsm:OK
  Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

and also in the complete run of test_progs.

Since the attachment succeeds and the hook does not get called, it
seems like "bpf" LSM is not being initialized and the hook, although
present, does not get called.

This indicates that "bpf" is not in CONFIG_LSM. It should, however, be
there by default as we added it to default value of CONFIG_LSM and
also for other DEFAULT_SECURITY_* options.

Let me know if that's the case and it fixes it.

- KP

> #66 test_lsm:FAIL
> test_test_overhead:PASS:obj_open_file 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> test_test_overhead:PASS:find_probe 0 nsec
> Caught signal #11!
> Stack trace:
> ./test_progs(crash_handler+0x31)[0x56100f25eb51]
> /lib/x86_64-linux-gnu/libpthread.so.0(+0x12890)[0x7f9d8d225890]
> /lib/x86_64-linux-gnu/libc.so.6(+0x18ef2d)[0x7f9d8cfb0f2d]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_calloc+0x372)[0x7f9d8cebc3a2]
> /usr/local/lib/libelf.so.1(+0x33ce)[0x7f9d8d85a3ce]
> /usr/local/lib/libelf.so.1(+0x3fb2)[0x7f9d8d85afb2]
> ./test_progs(btf__parse_elf+0x15d)[0x56100f27a141]
> ./test_progs(libbpf_find_kernel_btf+0x169)[0x56100f27ee83]
> ./test_progs(+0x43906)[0x56100f266906]
> ./test_progs(bpf_object__load_xattr+0xe5)[0x56100f26e93c]
> ./test_progs(bpf_object__load+0x47)[0x56100f26eafd]
> ./test_progs(test_test_overhead+0x252)[0x56100f24a922]
> ./test_progs(main+0x212)[0x56100f22f772]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x7f9d8ce43b97]
> ./test_progs(_start+0x2a)[0x56100f22f8fa]
> Segmentation fault (core dumped)
> #
> 
> (Before the series, it runs through fine on my side.)
> 
> Thanks,
> Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ