From: KP Singh <kpsingh@chromium.org>
To: Mikko Ylinen <mikko.ylinen@linux.intel.com>
Cc: KP Singh <kpsingh@chromium.org>,
open list <linux-kernel@vger.kernel.org>,
bpf <bpf@vger.kernel.org>,
Linux Security Module list
<linux-security-module@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
James Morris <jmorris@namei.org>,
Kees Cook <keescook@chromium.org>, Paul Turner <pjt@google.com>,
Jann Horn <jannh@google.com>,
Florent Revest <revest@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH bpf-next v9 0/8] MAC and Audit policy using eBPF (KRSI)
Date: Wed, 29 Apr 2020 18:17:47 +0200 [thread overview]
Message-ID: <20200429161747.GA113900@google.com> (raw)
In-Reply-To: <b5652508-f727-b936-79b5-f8da658395f5@linux.intel.com>
So I was able to reproduce the issue and also fix it (will separately
send a patch).
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 9cd4455528e5..1bdd027766d4 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -55,7 +55,7 @@ LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, struct linux_binprm *bprm)
LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, struct linux_binprm *bprm)
LSM_HOOK(int, 0, fs_context_dup, struct fs_context *fc,
struct fs_context *src_sc)
-LSM_HOOK(int, 0, fs_context_parse_param, struct fs_context *fc,
+LSM_HOOK(int, -ENOPARAM, fs_context_parse_param, struct fs_context *fc,
struct fs_parameter *param)
LSM_HOOK(int, 0, sb_alloc_security, struct super_block *sb)
LSM_HOOK(void, LSM_RET_VOID, sb_free_security, struct super_block *sb)
So what was happening was that:
bpf_lsm hook for fs_context_parse_param was returning 0 which led this
bit of logic to believe the parameter was parsed by the LSM.
int vfs_parse_fs_param(struct fs_context *fc, struct fs_parameter
*param)
{
[...]
ret = security_fs_context_parse_param(fc, param);
if (ret != -ENOPARAM)
/* Param belongs to the LSM or is disallowed by the
* LSM; so
* don't pass to the FS.
*/
return ret;
if (fc->ops->parse_param) {
ret = fc->ops->parse_param(fc, param);
if (ret != -ENOPARAM)
return ret;
}
[...]
This resulted in the fs_context->dev_name being NULL and the following
chain to throw an -EINVAL resulting in unsuccessful mount of the root
file-system:
- do_mount_root -> do_mount -> do_new_mount -> vfs_get_tree ->
-> fc->ops->get_tree -> legacy->get_tree -> fc->fs_type->mount ->
ext4_mount -> mount_bdev -> blkdev_get_by_path -> lookup_bdev
- KP
On 29-Apr 15:45, Mikko Ylinen wrote:
>
>
> On 29/04/2020 15:34, KP Singh wrote:
> > Thanks for reporting this! Can you share your Kconfig please?
>
> This is what I originally started with
> https://raw.githubusercontent.com/clearlinux-pkgs/linux-mainline/master/config
>
> but I also tried your _LSM_ settings found in this
> https://lore.kernel.org/bpf/20200402040357.GA217889@google.com/
>
> -- Regards, Mikko
prev parent reply other threads:[~2020-04-29 16:17 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-29 0:43 [PATCH bpf-next v9 0/8] MAC and Audit policy using eBPF (KRSI) KP Singh
2020-03-29 0:43 ` [PATCH bpf-next v9 1/8] bpf: Introduce BPF_PROG_TYPE_LSM KP Singh
2020-03-29 0:43 ` [PATCH bpf-next v9 2/8] security: Refactor declaration of LSM hooks KP Singh
2020-03-29 0:43 ` [PATCH bpf-next v9 3/8] bpf: lsm: provide attachment points for BPF LSM programs KP Singh
2020-03-29 0:43 ` [PATCH bpf-next v9 4/8] bpf: lsm: Implement attach, detach and execution KP Singh
2020-03-29 0:43 ` [PATCH bpf-next v9 5/8] bpf: lsm: Initialize the BPF LSM hooks KP Singh
2020-03-29 0:43 ` [PATCH bpf-next v9 6/8] tools/libbpf: Add support for BPF_PROG_TYPE_LSM KP Singh
2020-03-29 0:43 ` [PATCH bpf-next v9 7/8] bpf: lsm: Add selftests " KP Singh
2020-04-02 0:09 ` Alexei Starovoitov
2020-04-02 4:03 ` KP Singh
2020-04-02 4:30 ` Alexei Starovoitov
2020-04-02 5:15 ` Jann Horn
2020-04-02 11:53 ` KP Singh
2020-04-02 14:38 ` Jann Horn
2020-04-02 14:40 ` KP Singh
2020-04-02 15:57 ` Alexei Starovoitov
2020-03-29 0:43 ` [PATCH bpf-next v9 8/8] bpf: lsm: Add Documentation KP Singh
2020-03-29 23:46 ` [PATCH bpf-next v9 0/8] MAC and Audit policy using eBPF (KRSI) Daniel Borkmann
2020-04-29 12:31 ` Mikko Ylinen
2020-04-29 12:34 ` KP Singh
2020-04-29 12:45 ` Mikko Ylinen
2020-04-29 16:17 ` KP Singh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200429161747.GA113900@google.com \
--to=kpsingh@chromium.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=jackmanb@chromium.org \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mikko.ylinen@linux.intel.com \
--cc=pjt@google.com \
--cc=revest@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.