From: sashiko-bot@kernel.org
To: "Blaise Boscaccy" <bboscaccy@linux.microsoft.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v4 10/10] ipe: Add BPF program load policy enforcement via Hornet integration
Date: Thu, 16 Apr 2026 22:17:16 +0000 [thread overview]
Message-ID: <20260416221717.840A3C2BCAF@smtp.kernel.org> (raw)
In-Reply-To: <20260416173500.176716-11-bboscaccy@linux.microsoft.com>
Sashiko AI review found 3 potential issue(s):
- [Low] Build failure when CONFIG_IPE_PROP_BPF_SIGNATURE is disabled due to unconditional access to a conditionally compiled field.
- [Low] The commit message provides an incorrect property name in the example policy.
- [Low] The example policy in the commit message may be insecure depending on the integrity provider's keyring semantics.
--
commit 81e945a1fa4e8ba5734149eaa67ab6ab459e3ad6
Author: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
ipe: Add BPF program load policy enforcement via Hornet integration
This commit adds support for the bpf_prog_load_post_integrity LSM hook,
enabling IPE to make policy decisions about BPF program loading based on
integrity verdicts provided by the Hornet LSM.
> Example policy for bpf signature enforcement:
> DEFAULT op=BPF_PROG_LOAD action=DENY
> op=BPF_PROG_LOAD is_kernel=TRUE action=ALLOW
This isn't a bug in the code, but there appears to be a typo in the example
policy. Should is_kernel=TRUE be bpf_kernel=TRUE to match the property defined
in the property_tokens array?
> op=BPF_PROG_LOAD bpf_signature=OK action=ALLOW
Also in the example policy, is it safe to use bpf_signature=OK without a
keyring restriction like bpf_keyring=BUILTIN?
If the underlying LSM validates signatures against user-provided keyrings,
could an attacker bypass the policy by signing a malicious BPF program with
their own key?
> diff --git a/security/ipe/eval.c b/security/ipe/eval.c
> index 21439c5be3364..9a6d583fea125 100644
> --- a/security/ipe/eval.c
> +++ b/security/ipe/eval.c
[ ... ]
> @@ -297,6 +342,32 @@ static bool evaluate_property(const struct ipe_eval_ctx *const ctx,
[ ... ]
> + case IPE_PROP_BPF_KERNEL_FALSE:
> + return !ctx->bpf_kernel;
> + case IPE_PROP_BPF_KERNEL_TRUE:
> + return ctx->bpf_kernel;
> default:
If CONFIG_IPE_PROP_BPF_SIGNATURE is disabled, will this cause a build failure?
The bpf_kernel field in struct ipe_eval_ctx is only defined within an
ifdef CONFIG_IPE_PROP_BPF_SIGNATURE block.
Could this access be abstracted through a helper function with a fallback
stub like evaluate_bpf_sig()?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260416173500.176716-1-bboscaccy@linux.microsoft.com?part=10
prev parent reply other threads:[~2026-04-16 22:17 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-16 17:33 [PATCH v4 00/10] Reintroduce Hornet LSM Blaise Boscaccy
2026-04-16 17:33 ` [PATCH v4 01/10] crypto: pkcs7: add flag for validated trust on a signed info block Blaise Boscaccy
2026-04-16 19:26 ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 02/10] crypto: pkcs7: add ability to extract signed attributes by OID Blaise Boscaccy
2026-04-16 19:56 ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 03/10] crypto: pkcs7: add tests for pkcs7_get_authattr Blaise Boscaccy
2026-04-16 20:17 ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 04/10] lsm: framework for BPF integrity verification Blaise Boscaccy
2026-04-16 17:33 ` [PATCH v4 05/10] lsm: security: Add additional enum values for bpf integrity checks Blaise Boscaccy
2026-04-16 17:33 ` [PATCH v4 06/10] security: Hornet LSM Blaise Boscaccy
2026-04-16 21:24 ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 07/10] hornet: Introduce gen_sig Blaise Boscaccy
2026-04-16 21:33 ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 08/10] hornet: Add a light skeleton data extractor scripts Blaise Boscaccy
2026-04-16 21:44 ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 09/10] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2026-04-16 21:55 ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 10/10] ipe: Add BPF program load policy enforcement via Hornet integration Blaise Boscaccy
2026-04-16 21:03 ` Fan Wu
2026-04-16 22:17 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260416221717.840A3C2BCAF@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.