From: Kees Cook <keescook@chromium.org>
To: Paul Moore <paul@paul-moore.com>
Cc: KP Singh <kpsingh@kernel.org>,
linux-security-module@vger.kernel.org, bpf@vger.kernel.org,
ast@kernel.org, daniel@iogearbox.net, jackmanb@google.com,
renauld@google.com, casey@schaufler-ca.com, song@kernel.org,
revest@chromium.org
Subject: Re: [PATCH bpf-next v10 5/5] bpf: Only enable BPF LSM hooks when an LSM program is attached
Date: Tue, 7 May 2024 19:35:49 -0700 [thread overview]
Message-ID: <202405071930.A3022BFDC7@keescook> (raw)
In-Reply-To: <CAHC9VhTWB+zL-cqNGFOfW_LsPHp3=ddoHkjUTq+NoSj7BdRvmw@mail.gmail.com>
On Tue, May 07, 2024 at 09:45:09PM -0400, Paul Moore wrote:
> I don't want individual LSMs manipulating the LSM hook state directly;
> they go through the LSM layer to register their hooks, they should go
> through the LSM layer to unregister or enable/disable their hooks.
> I'm going to be pretty inflexible on this point.
No other LSMs unregister or disable hooks. :) Let's drop patch 5; 1-4
stand alone.
> Honestly, I see this more as a problem in the BPF LSM design (although
> one might argue it's an implementation issue?), just as I saw the
> SELinux runtime disable as a problem. If you're upset with the
> runtime hook disable, and you should be, fix the BPF LSM, don't force
> more bad architecture on the LSM layer.
We'll have to come back to this later. It's a separate (but closely
related) issue.
--
Kees Cook
next prev parent reply other threads:[~2024-05-08 2:35 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-07 22:10 [PATCH bpf-next v10 0/5] Reduce overhead of LSMs with static calls KP Singh
2024-05-07 22:10 ` [PATCH bpf-next v10 1/5] kernel: Add helper macros for loop unrolling KP Singh
2024-05-07 22:10 ` [PATCH bpf-next v10 2/5] security: Count the LSMs enabled at compile time KP Singh
2024-05-07 22:10 ` [PATCH bpf-next v10 3/5] security: Replace indirect LSM hook calls with static calls KP Singh
2024-05-07 22:10 ` [PATCH bpf-next v10 4/5] security: Update non standard hooks to use " KP Singh
2024-05-07 22:10 ` [PATCH bpf-next v10 5/5] bpf: Only enable BPF LSM hooks when an LSM program is attached KP Singh
2024-05-08 0:01 ` Kees Cook
2024-05-08 1:45 ` Paul Moore
2024-05-08 2:35 ` Kees Cook [this message]
2024-05-09 20:08 ` Paul Moore
2024-05-08 7:00 ` KP Singh
2024-05-08 7:48 ` Kees Cook
2024-05-09 20:24 ` Paul Moore
2024-05-10 13:23 ` KP Singh
2024-05-15 16:08 ` KP Singh
2024-05-15 16:44 ` KP Singh
2024-05-15 16:57 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202405071930.A3022BFDC7@keescook \
--to=keescook@chromium.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=daniel@iogearbox.net \
--cc=jackmanb@google.com \
--cc=kpsingh@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=renauld@google.com \
--cc=revest@chromium.org \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.