From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Jonathan Corbet" <corbet@lwn.net>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Dr. David Alan Gilbert" <linux@treblig.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
"James Bottomley" <James.Bottomley@hansenpartnership.com>,
"David Howells" <dhowells@redhat.com>,
"LSM List" <linux-security-module@vger.kernel.org>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>, bpf <bpf@vger.kernel.org>
Subject: Re: [RFC 08/11] security: Hornet LSM
Date: Thu, 18 Dec 2025 13:26:23 -0800 [thread overview]
Message-ID: <87qzsrh474.fsf@microsoft.com> (raw)
In-Reply-To: <CAADnVQJ1CRvTXBU771KaYzrx-vRaWF+k164DcFOqOsCxmuL+ig@mail.gmail.com>
Alexei Starovoitov <alexei.starovoitov@gmail.com> writes:
> On Wed, Dec 10, 2025 at 6:14 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
>> +++ b/security/hornet/Kconfig
>> @@ -0,0 +1,11 @@
>> +# SPDX-License-Identifier: GPL-2.0-only
>> +config SECURITY_HORNET
>> + bool "Hornet support"
>> + depends on SECURITY
>> + default n
>
> So you're disallowing this new LSM to be a module?
> That doesn't smell good.
>
>> +static int hornet_verify_hashes(struct hornet_maps *maps,
>> + struct hornet_parse_context *ctx)
>> +{
>> + int map_fd;
>> + u32 i;
>> + struct bpf_map *map;
>> + int err = 0;
>> + unsigned char hash[SHA256_DIGEST_SIZE];
>> +
>> + for (i = 0; i < ctx->hash_count; i++) {
>> + if (ctx->skips[i])
>> + continue;
>> +
>> + err = copy_from_bpfptr_offset(&map_fd, maps->fd_array,
>> + ctx->indexes[i] * sizeof(map_fd),
>> + sizeof(map_fd));
>
> As was pointed out several times earlier this is an obvious TOCTOU bug.
> An attacker can change this map_fd between LSM checks and later verifier use.
> All the "security" checks further are useless.
Thank you, Alexei, for pointing that out. I’ll ensure it’s addressed in
the next iteration.
>
>> + if (err < 0)
>> + return LSM_INT_VERDICT_BADSIG;
>> +
>> + CLASS(fd, f)(map_fd);
>> + if (fd_empty(f))
>> + return LSM_INT_VERDICT_BADSIG;
>> + if (unlikely(fd_file(f)->f_op != &bpf_map_fops))
>
> Ohh. So this is why this LSM has to be built-in.
> bpf_map_fops is bpf internal detail. It's not going to be exported.
> You cannot open code __bpf_map_get() and get away with it.
>
>> + return LSM_INT_VERDICT_BADSIG;
>> +
>> + if (!map->frozen)
>> + return LSM_INT_VERDICT_BADSIG;
>> +
>> + map = fd_file(f)->private_data;
>> + map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, hash);
>
> This too. It's absolutely not ok for LSM to mess with bpf internal state.
>
> The whole LSM is one awful hack.
> The diff stat doesn't touch anything in the kernel/bpf/
> yet you're messing with bpf internals.
>
> Clearly, you guys want to merge this garbage through LSM tree.
> Make sure to keep my Nack when you send it during the merge window.
Sure thing. I'll include your Nacked-by: in future versions.
-blaise
next prev parent reply other threads:[~2025-12-18 21:26 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-11 2:11 [RFC 00/11] Reintroduce Hornet LSM Blaise Boscaccy
2025-12-11 2:11 ` [RFC 01/11] lsm: framework for BPF integrity verification Blaise Boscaccy
2025-12-11 2:11 ` [RFC 02/11] oid_registry: allow arbitrary size OIDs Blaise Boscaccy
2025-12-11 2:11 ` [RFC 03/11] certs: break out pkcs7 check into its own function Blaise Boscaccy
2025-12-11 2:11 ` [RFC 04/11] crypto: pkcs7: add flag for validated trust on a signed info block Blaise Boscaccy
2025-12-12 9:45 ` David Howells
2025-12-13 5:50 ` James Bottomley
2025-12-11 2:12 ` [RFC 05/11] crypto: pkcs7: allow pkcs7_digest() to be called from pkcs7_trust Blaise Boscaccy
2025-12-11 2:12 ` [RFC 06/11] crypto: pkcs7: add ability to extract signed attributes by OID Blaise Boscaccy
2025-12-11 16:44 ` Randy Dunlap
2025-12-11 2:12 ` [RFC 07/11] crypto: pkcs7: add tests for pkcs7_get_authattr Blaise Boscaccy
2025-12-11 2:12 ` [RFC 08/11] security: Hornet LSM Blaise Boscaccy
2025-12-11 20:07 ` Randy Dunlap
2025-12-16 21:02 ` Blaise Boscaccy
2025-12-12 21:00 ` Fan Wu
2025-12-16 21:01 ` Blaise Boscaccy
2025-12-16 21:00 ` [PATCH RFC 8/11] " Paul Moore
2025-12-18 1:22 ` [RFC 08/11] " Alexei Starovoitov
2025-12-18 21:26 ` Blaise Boscaccy [this message]
2025-12-11 2:12 ` [RFC 09/11] hornet: Introduce gen_sig Blaise Boscaccy
2025-12-11 2:12 ` [RFC 10/11] hornet: Add a light skeleton data extractor scripts Blaise Boscaccy
2025-12-11 2:12 ` [RFC 11/11] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2025-12-15 17:45 ` [RFC 00/11] Reintroduce " Ryan Foster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87qzsrh474.fsf@microsoft.com \
--to=bboscaccy@linux.microsoft.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=akpm@linux-foundation.org \
--cc=alexei.starovoitov@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=gnoack@google.com \
--cc=jmorris@namei.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@treblig.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).