Message-ID: <e5d594d0aee93da67a22a42d0e2b4e6e463ab894.camel@gmail.com>
Date: Sat, 13 Sep 2025 19:01:08 +0200
From: Filip Hejsek <filip.hejsek@...il.com>
To: linux-security-module@...r.kernel.org, Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>
Cc: bpf@...r.kernel.org, linux-kernel@...r.kernel.org,
regressions@...ts.linux.dev
Subject: [bug report] [regression?] bpf lsm breaks /proc/*/attr/current with
security= on commandline
Hello,

TL;DR: because of bpf lsm, putting security=selinux on the command line
results in /proc/*/attr/current returning errors.

When the legacy security= command line option is used, the specified lsm
is added to the end of the lsm list. For example, security=apparmor
results in the following order of security modules:

    capability,landlock,lockdown,yama,bpf,apparmor

In particular, the bpf lsm will be ordered before the chosen major lsm.
This causes reads and writes of /proc/*/attr/current to fail, because
the bpf hook overrides the apparmor/selinux hook.

As you can see in the code below, only the first registered hook is
called (when reading attr/current, lsmid is 0):
    int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
                             char **value)
    {
        struct lsm_static_call *scall;

        lsm_for_each_hook(scall, getprocattr) {
            if (lsmid != 0 && lsmid != scall->hl->lsmid->id)
                continue;
            return scall->hl->hook.getprocattr(p, name, value);
        }
        return LSM_RET_DEFAULT(getprocattr);
    }
Even though the bpf lsm doesn't allow attaching bpf programs to this
hook, it still prevents the other hooks from being called.

This is maybe a regression, because with the same command line, reading
from /proc/*/attr/current probably worked before the introduction of
bpf lsm.

Regards,
Filip Hejsek
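To make the dispatch described in the report concrete, here is an added user-space model of the quoted loop; it is not kernel code and not part of the report. The hook list, the hook bodies and the lsmid values are constructed for illustration, and the model assumes the bpf lsm's built-in getprocattr hook simply returns an error.

```c
#include <errno.h>
#include <string.h>

/* Constructed model of security_getprocattr() dispatch. Only modules that
 * register a getprocattr hook are listed; with security=apparmor the bpf
 * lsm sits before apparmor. lsmid values are illustrative, not kernel ones. */
typedef int (*getprocattr_fn)(const char *name, char **value);

/* Assumption: the bpf lsm's built-in hook only returns an error, since
 * no bpf program can be attached to getprocattr. */
static int bpf_getprocattr(const char *name, char **value)
{
    (void)name; (void)value;
    return -EINVAL;
}

static int apparmor_getprocattr(const char *name, char **value)
{
    static char label[] = "unconfined";
    if (strcmp(name, "current") != 0)
        return -EINVAL;
    *value = label;
    return (int)strlen(label);
}

struct hook { int lsmid; getprocattr_fn fn; };
static const struct hook hooks[] = {
    { 109, bpf_getprocattr },      /* bpf comes first in the list */
    { 104, apparmor_getprocattr }, /* apparmor, the chosen major lsm */
};

/* Same control flow as the kernel function quoted above: the first hook
 * that passes the lsmid filter is called and its result returned. */
int model_getprocattr(int lsmid, const char *name, char **value)
{
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0]; i++) {
        if (lsmid != 0 && lsmid != hooks[i].lsmid)
            continue;
        return hooks[i].fn(name, value);
    }
    return -EINVAL; /* LSM_RET_DEFAULT(getprocattr) */
}

/* Result of reading attr/current through a given lsmid (0 = any lsm). */
int read_current_via(int lsmid)
{
    char *value = NULL;
    return model_getprocattr(lsmid, "current", &value);
}
```

With lsmid 0 the bpf entry answers first and the apparmor hook is never reached, so the read fails; selecting apparmor's lsmid explicitly skips the bpf entry and returns the label length.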