lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <24F57160-0FCB-4505-A2D8-1AB0E07B46A9@fb.com>
Date: Wed, 11 Dec 2024 16:48:10 +0000
From: Song Liu <songliubraving@...a.com>
To: Theodore Ts'o <tytso@....edu>
CC: Song Liu <song@...nel.org>, "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-security-module@...r.kernel.org"
	<linux-security-module@...r.kernel.org>,
        Kernel Team <kernel-team@...a.com>,
        "andrii@...nel.org" <andrii@...nel.org>,
        "eddyz87@...il.com"
	<eddyz87@...il.com>,
        "ast@...nel.org" <ast@...nel.org>,
        "daniel@...earbox.net" <daniel@...earbox.net>,
        "martin.lau@...ux.dev"
	<martin.lau@...ux.dev>,
        "viro@...iv.linux.org.uk" <viro@...iv.linux.org.uk>,
        "brauner@...nel.org" <brauner@...nel.org>,
        "jack@...e.cz" <jack@...e.cz>,
        "kpsingh@...nel.org" <kpsingh@...nel.org>,
        "mattbobrowski@...gle.com"
	<mattbobrowski@...gle.com>,
        Liam Wisehart <liamwisehart@...a.com>,
        Shankaran
 Gnanashanmugam <shankaran@...a.com>
Subject: Re: [PATCH v3 bpf-next 0/6] Enable writing xattr from BPF programs

Hi Ted, 

> On Dec 11, 2024, at 5:18 AM, Theodore Ts'o <tytso@....edu> wrote:
> 
> On Tue, Dec 10, 2024 at 02:06:21PM -0800, Song Liu wrote:
>> Add support to set and remove xattr from BPF program. Also add
>> security.bpf. xattr name prefix.
> 
> If the system allows for the execution of unprivileged BPF programs
> (e.g., ones where a random user can load their own BPF programs), will
> they have hte ability to set and remove security.bpf.* xattrs?  If the
> answer is yes, should this be disallowed?
> 
> I note that one of the use cases seems to be BPF-based LSM's, so we
> may want to have something even more restrictive since otherwise any
> BPF program could potentially have the same power as the LSM?

These kfuncs are only allowed in BPF LSM programs. Therefore, other
program types (tracing, XDP, etc.) cannot use these kfuncs. 

Thanks,
Song

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ