linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: KP Singh <kpsingh@kernel.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Roberto Sassu <roberto.sassu@huaweicloud.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
	John Fastabend <john.fastabend@gmail.com>,
	Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
	Jiri Olsa <jolsa@kernel.org>,
	Florent Revest <revest@chromium.org>,
	Brendan Jackman <jackmanb@chromium.org>,
	Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E . Hallyn" <serge@hallyn.com>, bpf <bpf@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [PoC][PATCH] bpf: Call return value check function in the JITed code
Date: Wed, 16 Nov 2022 20:04:42 +0100	[thread overview]
Message-ID: <CACYkzJ6-zLNZhRmpaax+_ZywWLa5R2HwcxRke8hCHu_FgYceeA@mail.gmail.com> (raw)
In-Reply-To: <CAADnVQJu7isDCi4+f8s4LfiwcYJbN4kXkvgJ8+ZnsS+QGDVnMw@mail.gmail.com>

On Wed, Nov 16, 2022 at 6:55 PM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Wed, Nov 16, 2022 at 8:41 AM Roberto Sassu
> <roberto.sassu@huaweicloud.com> wrote:
> >
> > On Wed, 2022-11-16 at 08:16 -0800, Alexei Starovoitov wrote:
> > > On Wed, Nov 16, 2022 at 7:48 AM Roberto Sassu
> > > <roberto.sassu@huaweicloud.com> wrote:
> > > > +static bool is_ret_value_allowed(int ret, u32 ret_flags)
> > > > +{
> > > > +       if ((ret < 0 && !(ret_flags & LSM_RET_NEG)) ||
> > > > +           (ret == 0 && !(ret_flags & LSM_RET_ZERO)) ||
> > > > +           (ret == 1 && !(ret_flags & LSM_RET_ONE)) ||
> > > > +           (ret > 1 && !(ret_flags & LSM_RET_GT_ONE)))
> > > > +               return false;
> > > > +
> > > > +       return true;
> > > > +}
> > > > +
> > > >  /* For every LSM hook that allows attachment of BPF programs, declare a nop
> > > >   * function where a BPF program can be attached.
> > > >   */
> > > > @@ -30,6 +41,15 @@ noinline RET bpf_lsm_##NAME(__VA_ARGS__)     \
> > > >  #include <linux/lsm_hook_defs.h>
> > > >  #undef LSM_HOOK
> > > >
> > > > +#define LSM_HOOK(RET, DEFAULT, RET_FLAGS, NAME, ...)   \
> > > > +noinline RET bpf_lsm_##NAME##_ret(int ret)     \
> > > > +{                                              \
> > > > +       return is_ret_value_allowed(ret, RET_FLAGS) ? ret : DEFAULT; \
> > > > +}
> > > > +
> > > > +#include <linux/lsm_hook_defs.h>
> > > > +#undef LSM_HOOK
> > > > +
> > >
> > > because lsm hooks is mess of undocumented return values your
> > > "solution" is to add hundreds of noninline functions
> > > and hack the call into them in JITs ?!
> >
> > I revisited the documentation and checked each LSM hook one by one.
> > Hopefully, I completed it correctly, but I would review again (others
> > are also welcome to do it).
> >
> > Not sure if there is a more efficient way. Do you have any idea?
> > Maybe we find a way to use only one check function (by reusing the
> > address of the attachment point?).
> >
> > Regarding the JIT approach, I didn't find a reliable solution for using
> > just the verifier. As I wrote to you, there could be the case where the
> > range can include positive values, despite the possible return values
> > are zero and -EACCES.
>
> Didn't you find that there are only 12 or so odd return cases.
> Maybe refactor some of them to something that the verifier can enforce
> and denylist the rest ?

+1

>
> Also denylist those that Casey mentioned like security_secid_to_secctx ?

Just replied to Casey's comment and I agree, these hooks should be denylisted.

  parent reply	other threads:[~2022-11-16 19:05 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-15 17:56 [RFC][PATCH 0/4] security: Ensure LSMs return expected values Roberto Sassu
2022-11-15 17:56 ` [RFC][PATCH 1/4] lsm: Clarify documentation of vm_enough_memory hook Roberto Sassu
2022-11-16  2:11   ` Paul Moore
2022-11-16  8:06     ` Roberto Sassu
2022-11-16 19:17       ` KP Singh
2022-11-16 19:27         ` Paul Moore
2022-11-15 17:56 ` [RFC][PATCH 2/4] lsm: Add missing return values doc in lsm_hooks.h and fix formatting Roberto Sassu
2022-11-16  2:23   ` Paul Moore
2022-11-16  8:06     ` Roberto Sassu
2022-11-16 19:26       ` Paul Moore
2022-11-15 17:56 ` [RFC][PATCH 3/4] lsm: Redefine LSM_HOOK() macro to add return value flags as argument Roberto Sassu
2022-11-16  2:27   ` Paul Moore
2022-11-16  8:11     ` Roberto Sassu
2022-11-16 22:04       ` Paul Moore
2022-11-17  5:49         ` Greg KH
2022-11-17 15:31           ` Paul Moore
2022-11-15 17:56 ` [RFC][PATCH 4/4] security: Enforce limitations on return values from LSMs Roberto Sassu
2022-11-16  2:35   ` Paul Moore
2022-11-16 14:36     ` Roberto Sassu
2022-11-16 15:47       ` [PoC][PATCH] bpf: Call return value check function in the JITed code Roberto Sassu
2022-11-16 16:16         ` Alexei Starovoitov
2022-11-16 16:41           ` Roberto Sassu
2022-11-16 17:55             ` Alexei Starovoitov
2022-11-16 18:29               ` Casey Schaufler
2022-11-16 19:04               ` KP Singh [this message]
2022-11-16 22:40                 ` Paul Moore
2022-11-30 13:52               ` Roberto Sassu
2022-11-16 17:12         ` Casey Schaufler
2022-11-16 19:02           ` KP Singh
2022-11-18  8:44           ` Roberto Sassu
2022-11-21 15:31             ` Roberto Sassu
2022-11-16 22:06       ` [RFC][PATCH 4/4] security: Enforce limitations on return values from LSMs Paul Moore
2022-11-15 18:41 ` [RFC][PATCH 0/4] security: Ensure LSMs return expected values Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CACYkzJ6-zLNZhRmpaax+_ZywWLa5R2HwcxRke8hCHu_FgYceeA@mail.gmail.com \
    --to=kpsingh@kernel.org \
    --cc=alexei.starovoitov@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=haoluo@google.com \
    --cc=jackmanb@chromium.org \
    --cc=jmorris@namei.org \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=paul@paul-moore.com \
    --cc=revest@chromium.org \
    --cc=roberto.sassu@huawei.com \
    --cc=roberto.sassu@huaweicloud.com \
    --cc=sdf@google.com \
    --cc=serge@hallyn.com \
    --cc=song@kernel.org \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).