From: Jason Gunthorpe <jgg@ziepe.ca>
To: Paul Moore <paul@paul-moore.com>
Cc: Leon Romanovsky <leon@kernel.org>,
Roberto Sassu <roberto.sassu@huaweicloud.com>,
KP Singh <kpsingh@kernel.org>,
Matt Bobrowski <mattbobrowski@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, Shuah Khan <shuah@kernel.org>,
Saeed Mahameed <saeedm@nvidia.com>,
Itay Avraham <itayavr@nvidia.com>,
Dave Jiang <dave.jiang@intel.com>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, linux-rdma@vger.kernel.org,
Chiara Meiohas <cmeiohas@nvidia.com>,
Maher Sanalla <msanalla@nvidia.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2 0/4] Firmware LSM hook
Date: Fri, 24 Apr 2026 11:36:03 -0300 [thread overview]
Message-ID: <20260424143603.GB3611611@ziepe.ca> (raw)
In-Reply-To: <CAHC9VhQbpS9XpO6dWu7gOiX=ppjtAxnNBOFe6s5wjEZNpMRjgw@mail.gmail.com>
On Mon, Apr 20, 2026 at 08:58:09PM -0400, Paul Moore wrote:
> > > > > The access control point itself represents the requested
> > > > > operation. This is possible because the number of networking
> > > > > operations on a given packet is well defined and fairly limited; at a
> > > > > high level the packet is either being sent from the node, received by
> > > > > the node, or is passing through the node.
> > > >
> > > > I think we have the same split, fwctl send/recive analog is also very
> > > > limited.
> > >
> > > Sure, but I thought the goal was to enforce access controls on the
> > > firmware requests based on the opcodes/parameters contained within the
> > > firmware request blob/mailbox?
> >
> > Yes, that's the goal. It is the same as iptables being able to
> > identify that a send system call has a packet that is http or dns.
>
> I think we still have a disconnect here. A packet being a DNS or HTTP
> packet is different from an opcode. The opcode in the iptables isn't
> "DNS" or "HTTP" it is "INPUT", "OUTPUT", or "FORWARD".
I understand that
> Most LSMs will want to know who is initiating the firmware request
> (the subject), the requested operation/opcode (the action/verb), and
> the target of the request (the object, which in this case is likely
> the kernel or the device).
How is
system_u:object_r:httpd_packet_t:s0
A kernel or device? It is a label for packet contents. I also want a
label for packet contents.
> As I understand things, the action/verb is going to be the opcode
> within the firmware request. If you believe I'm wrong about this
> please help me understand why.
You could make that choice, I'm arguing we should not, and it should
be in the object side.
> > - op_X_t is the result of the classifier inspecting the RPC
> > packet. Admin tells the classifier to return op_X_t similar to
> > how --selctx does for iptables.
>
> I've tried to explain how this doesn't match with secmark, but I'm
> evidently doing a poor job.
Yeah, I don't get it at all, sorry. I fell you are making some very
nuanced distinction with HTTP being an object but the HTTP-equivilant
in fwctl is not an object, I can't follow it at all.
By that logic:
iptables -p 80 --string "GET"
Is an action, and it should get a unique action in the tuple.
> If you want to continue with the secmark comparisons it might be
> helpful to spend some time configuring secmark on a SELinux system,
> and writing policy for it, to see how it works.
I think I have a pretty good idea, you haven't said anything that
contradicts what I expect..
> certain action on an object. My concern with your example is that the
> object isn't what is actually being acted upon, it's the requested
> action.
Object is a label for the packet contents.
> The fwctl ioctl/API allows a user to act on a device, with the
> actual action being specified by the fwctl payload. From what I can
> see, the classifier's output is the action, not the object.
You can take that view, it is certainly one valid way to look at it.
But it is completely impractical.
I am arguing for the secmark like view where the content of the packet
decides the object label.
> > The same way secmark cannot pre-identify all the XXX_packet_t's.
>
> Once again, I think there is a disconnect or misunderstanding, on a
> SELinux system using secmark all of the packet types, e.g.
> "XXX_packet_t's", *are* pre-defined in the SELinux policy.
"Pre-defined" in a text files in user space controlled by the admin.
Admin can "pre-define" their fwctl ones too, what is the issue?
AFAICT the only debate here is you want to make fwctl's packet content
an action while allowing iptable's packet content to be an object.
Jason
next prev parent reply other threads:[~2026-04-24 14:36 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260331-fw-lsm-hook-v2-0-78504703df1f@nvidia.com>
[not found] ` <20260409121230.GA720371@unreal>
2026-04-09 12:27 ` [PATCH v2 0/4] Firmware LSM hook Roberto Sassu
2026-04-09 12:45 ` Leon Romanovsky
2026-04-09 21:04 ` Paul Moore
2026-04-12 9:00 ` Leon Romanovsky
2026-04-13 1:38 ` Paul Moore
2026-04-13 15:53 ` Leon Romanovsky
2026-04-13 16:42 ` Jason Gunthorpe
2026-04-13 17:36 ` Casey Schaufler
2026-04-13 19:09 ` Casey Schaufler
2026-04-13 22:36 ` Paul Moore
2026-04-13 23:19 ` Jason Gunthorpe
2026-04-14 17:05 ` Casey Schaufler
2026-04-14 19:09 ` Paul Moore
2026-04-14 20:09 ` Casey Schaufler
2026-04-14 20:44 ` Paul Moore
2026-04-14 22:42 ` Casey Schaufler
2026-04-15 21:03 ` Paul Moore
2026-04-15 21:21 ` Casey Schaufler
2026-04-14 20:27 ` Paul Moore
2026-04-15 13:47 ` Jason Gunthorpe
2026-04-15 21:40 ` Paul Moore
2026-04-17 19:17 ` Jason Gunthorpe
2026-04-21 0:58 ` Paul Moore
2026-04-24 14:36 ` Jason Gunthorpe [this message]
2026-04-24 20:59 ` Paul Moore
2026-04-24 22:13 ` Jason Gunthorpe
2026-04-23 14:09 ` Leon Romanovsky
2026-04-24 14:19 ` Jason Gunthorpe
2026-04-26 10:39 ` Leon Romanovsky
2026-04-23 13:05 ` Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260424143603.GB3611611@ziepe.ca \
--to=jgg@ziepe.ca \
--cc=Jonathan.Cameron@huawei.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=cmeiohas@nvidia.com \
--cc=daniel@iogearbox.net \
--cc=dave.jiang@intel.com \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=itayavr@nvidia.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=leon@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mattbobrowski@google.com \
--cc=msanalla@nvidia.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=saeedm@nvidia.com \
--cc=sdf@fomichev.me \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox