Linux Security Modules development
From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: Paul Moore <paul@paul-moore.com>
Cc: KP Singh <kpsingh@kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Kumar Kartikeya Dwivedi <memxor@gmail.com>,
	James Bottomley <James.Bottomley@hansenpartnership.com>
Subject: Re: [PATCH bpf-next 00/13] Signed BPF + IPE Policies
Date: Sat, 23 May 2026 08:43:09 -0700	[thread overview]
Message-ID: <8733ziyvw2.fsf@microsoft.com> (raw)
In-Reply-To: <19e54ddf1a0.2843.85c95baa4474aabc7814e68940a78392@paul-moore.com>

Paul Moore <paul@paul-moore.com> writes:

> On May 23, 2026 7:40:42 AM Paul Moore <paul@paul-moore.com> wrote:
>> On May 23, 2026 3:40:46 AM Alexei Starovoitov
>> <alexei.starovoitov@gmail.com> wrote:
>>>
>>> sashiko spotted it too.
>>> All other sashiko bugs were ignored as well.
>>
>> Link? I didn't see any feedback from sashiko on list and to the
>> best of my knowledge it hasn't been enabled for LSM patches.
>
> https://sashiko.dev/#/patchset/20260507191416.2984054-1-bboscaccy%40linux.microsoft.com
>
> Blaise, I know you've got another patch coming soon - please take a look at 
> the link above and see if there is anything else that needs to be addressed.
>

Yeah, it found a few things I corrected. It's hooked into the bpf list,
not the lsm list currently. With all melodrama and bravado aside, the
TOCTOU issue it found wasn't the actual attack vector and it completely
missed the real one that Eric found. It seems to be lacking the
multi-step reasoning that vuln researchers actually use.

Most of it looked like AI slop, and I'm not too keen on providing more
free training material for AI folks to run inference on, so I didn't
respond directly to the bot spam emails.

Sashiko seems to take major issue with the existing user keyring
verification too *shrug*.

I'll take a second look when I'm back home next week and see if there is
anything real left over after this patchset.

-blaise

> --
> paul-moore.com

Thread overview: 26+ messages
2026-05-22  2:32 [PATCH bpf-next 00/13] Signed BPF + IPE Policies KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 01/13] bpf: expose signature verdict to LSMs via bpf_prog_aux KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 02/13] bpf: include prog BTF in the signed loader signature scope KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 03/13] bpf, libbpf: load prog BTF in the skel_internal loader KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 04/13] bpf: add bpf_loader_verify_metadata kfunc KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 05/13] bpf: compute prog->digest at BPF_PROG_LOAD entry KP Singh
2026-05-23 16:49   ` Alexei Starovoitov
2026-05-22  2:32 ` [PATCH bpf-next 06/13] bpf: resolve loader-style kfunc CALLs against prog BTF KP Singh
2026-05-23 17:01   ` Alexei Starovoitov
2026-05-22  2:32 ` [PATCH bpf-next 07/13] libbpf: generate prog BTF for loader programs KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 08/13] bpftool gen: embed loader prog BTF in the lskel header KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 09/13] lsm: add bpf_prog_load_post_integrity hook KP Singh
2026-05-24  0:55   ` Paul Moore
2026-05-22  2:32 ` [PATCH bpf-next 10/13] bpf: invoke security_bpf_prog_load_post_integrity from the metadata kfunc KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 11/13] ipe: add BPF program signature properties KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 12/13] ipe: gate post-integrity BPF program loads KP Singh
2026-05-22  2:32 ` [PATCH bpf-next 13/13] selftests/bpf: add IPE BPF policy integration tests KP Singh
2026-05-22 18:56 ` [PATCH bpf-next 00/13] Signed BPF + IPE Policies Paul Moore
2026-05-22 20:46   ` KP Singh
2026-05-23  4:07     ` Paul Moore
2026-05-23  8:40   ` Alexei Starovoitov
2026-05-23 12:40     ` Paul Moore
2026-05-23 12:44       ` Paul Moore
2026-05-23 15:43         ` Blaise Boscaccy [this message]
2026-05-23 14:34       ` Alexei Starovoitov
2026-05-23 16:34 ` Blaise Boscaccy
