Re: [PATCH v6 4/5] bpf: Only enable BPF LSM hooks when an LSM program is attached

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jiri Olsa <olsajiri@gmail.com>
To: KP Singh <kpsingh@kernel.org>
Cc: Jiri Olsa <olsajiri@gmail.com>,
	linux-security-module@vger.kernel.org, bpf@vger.kernel.org,
	paul@paul-moore.com, keescook@chromium.org,
	casey@schaufler-ca.com, song@kernel.org, daniel@iogearbox.net,
	ast@kernel.org, renauld@google.com, pabeni@redhat.com
Subject: Re: [PATCH v6 4/5] bpf: Only enable BPF LSM hooks when an LSM program is attached
Date: Thu, 2 Nov 2023 09:58:11 +0100	[thread overview]
Message-ID: <ZUNko7AU7hDTk7LU@krava> (raw)
In-Reply-To: <CACYkzJ5PKECadW+B9ybJUidDb6SVb6L4A2xWqwh6ybkhfZ+eag@mail.gmail.com>

On Thu, Nov 02, 2023 at 01:46:14AM +0100, KP Singh wrote:
> On Mon, Oct 9, 2023 at 12:11 PM Jiri Olsa <olsajiri@gmail.com> wrote:
> >
> > On Fri, Oct 06, 2023 at 10:47:00PM +0200, KP Singh wrote:
> > > BPF LSM hooks have side-effects (even when a default value is returned),
> > > as some hooks end up behaving differently due to the very presence of
> > > the hook.
> > >
> > > The static keys guarding the BPF LSM hooks are disabled by default and
> > > enabled only when a BPF program is attached implementing the hook
> > > logic. This avoids the issue of the side-effects and also the minor
> > > overhead associated with the empty callback.
> > >
> > > security_file_ioctl:
> > >    0xffffffff818f0e30 <+0>:   endbr64
> > >    0xffffffff818f0e34 <+4>:   nopl   0x0(%rax,%rax,1)
> > >    0xffffffff818f0e39 <+9>:   push   %rbp
> > >    0xffffffff818f0e3a <+10>:  push   %r14
> > >    0xffffffff818f0e3c <+12>:  push   %rbx
> > >    0xffffffff818f0e3d <+13>:  mov    %rdx,%rbx
> > >    0xffffffff818f0e40 <+16>:  mov    %esi,%ebp
> > >    0xffffffff818f0e42 <+18>:  mov    %rdi,%r14
> > >    0xffffffff818f0e45 <+21>:  jmp    0xffffffff818f0e57 <security_file_ioctl+39>
> > >                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >
> > >    Static key enabled for SELinux
> > >
> > >    0xffffffff818f0e47 <+23>:  xchg   %ax,%ax
> > >                               ^^^^^^^^^^^^^^
> > >
> > >    Static key disabled for BPF. This gets patched when a BPF LSM program
> > >    is attached
> > >
> > >    0xffffffff818f0e49 <+25>:  xor    %eax,%eax
> > >    0xffffffff818f0e4b <+27>:  xchg   %ax,%ax
> > >    0xffffffff818f0e4d <+29>:  pop    %rbx
> > >    0xffffffff818f0e4e <+30>:  pop    %r14
> > >    0xffffffff818f0e50 <+32>:  pop    %rbp
> > >    0xffffffff818f0e51 <+33>:  cs jmp 0xffffffff82c00000 <__x86_return_thunk>
> > >    0xffffffff818f0e57 <+39>:  endbr64
> > >    0xffffffff818f0e5b <+43>:  mov    %r14,%rdi
> > >    0xffffffff818f0e5e <+46>:  mov    %ebp,%esi
> > >    0xffffffff818f0e60 <+48>:  mov    %rbx,%rdx
> > >    0xffffffff818f0e63 <+51>:  call   0xffffffff819033c0 <selinux_file_ioctl>
> > >    0xffffffff818f0e68 <+56>:  test   %eax,%eax
> > >    0xffffffff818f0e6a <+58>:  jne    0xffffffff818f0e4d <security_file_ioctl+29>
> > >    0xffffffff818f0e6c <+60>:  jmp    0xffffffff818f0e47 <security_file_ioctl+23>
> > >    0xffffffff818f0e6e <+62>:  endbr64
> > >    0xffffffff818f0e72 <+66>:  mov    %r14,%rdi
> > >    0xffffffff818f0e75 <+69>:  mov    %ebp,%esi
> > >    0xffffffff818f0e77 <+71>:  mov    %rbx,%rdx
> > >    0xffffffff818f0e7a <+74>:  call   0xffffffff8141e3b0 <bpf_lsm_file_ioctl>
> > >    0xffffffff818f0e7f <+79>:  test   %eax,%eax
> > >    0xffffffff818f0e81 <+81>:  jne    0xffffffff818f0e4d <security_file_ioctl+29>
> > >    0xffffffff818f0e83 <+83>:  jmp    0xffffffff818f0e49 <security_file_ioctl+25>
> > >    0xffffffff818f0e85 <+85>:  endbr64
> > >    0xffffffff818f0e89 <+89>:  mov    %r14,%rdi
> > >    0xffffffff818f0e8c <+92>:  mov    %ebp,%esi
> > >    0xffffffff818f0e8e <+94>:  mov    %rbx,%rdx
> > >    0xffffffff818f0e91 <+97>:  pop    %rbx
> > >    0xffffffff818f0e92 <+98>:  pop    %r14
> > >    0xffffffff818f0e94 <+100>: pop    %rbp
> > >    0xffffffff818f0e95 <+101>: ret
> > >
> > > Reviewed-by: Kees Cook <keescook@chromium.org>
> > > Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
> > > Acked-by: Song Liu <song@kernel.org>
> > > Signed-off-by: KP Singh <kpsingh@kernel.org>
> >
> > small nit, but looks good
> >
> > Acked-by: Jiri Olsa <jolsa@kernel.org>
> >
> > jirka
> >
> >
> > > ---
> > >  include/linux/bpf_lsm.h   |  5 +++++
> > >  include/linux/lsm_hooks.h | 13 ++++++++++++-
> > >  kernel/bpf/trampoline.c   | 24 ++++++++++++++++++++++++
> > >  security/bpf/hooks.c      | 25 ++++++++++++++++++++++++-
> > >  security/security.c       |  3 ++-
> > >  5 files changed, 67 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h
> > > index 1de7ece5d36d..5bbc31ac948c 100644
> > > --- a/include/linux/bpf_lsm.h
> > > +++ b/include/linux/bpf_lsm.h
> > > @@ -29,6 +29,7 @@ int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
> > >
> > >  bool bpf_lsm_is_sleepable_hook(u32 btf_id);
> > >  bool bpf_lsm_is_trusted(const struct bpf_prog *prog);
> > > +void bpf_lsm_toggle_hook(void *addr, bool value);
> >
> > nit, this could be static, unless there are future plans ;-)
> 
> Actually, this is called from trampoline.c and cannot be static.

ah you're right, I missed that

jirka

next prev parent reply	other threads:[~2023-11-02  8:58 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-06 20:46 [PATCH v6 0/5] Reduce overhead of LSMs with static calls KP Singh
2023-10-06 20:46 ` [PATCH v6 1/5] kernel: Add helper macros for loop unrolling KP Singh
2023-10-06 20:46 ` [PATCH v6 2/5] security: Count the LSMs enabled at compile time KP Singh
2023-10-06 22:19   ` Kees Cook
2023-10-06 20:46 ` [PATCH v6 3/5] security: Replace indirect LSM hook calls with static calls KP Singh
2023-10-11  9:27   ` kernel test robot
2023-10-06 20:47 ` [PATCH v6 4/5] bpf: Only enable BPF LSM hooks when an LSM program is attached KP Singh
2023-10-09 10:10   ` Jiri Olsa
2023-11-02  0:46     ` KP Singh
2023-11-02  8:58       ` Jiri Olsa [this message]
2023-10-06 20:47 ` [PATCH v6 5/5] security: Add CONFIG_SECURITY_HOOK_LIKELY KP Singh
2023-10-06 22:20   ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZUNko7AU7hDTk7LU@krava \
    --to=olsajiri@gmail.com \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=casey@schaufler-ca.com \
    --cc=daniel@iogearbox.net \
    --cc=keescook@chromium.org \
    --cc=kpsingh@kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=renauld@google.com \
    --cc=song@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.