Linux Security Modules development
 help / color / mirror / Atom feed
From: "Sebastian Bockholt" <sebastian.bockholt@bevuta.com>
To: "Casey Schaufler" <casey@schaufler-ca.com>,
	"Sebastian Bockholt" <sebastian.bockholt@bevuta.com>,
	<linux-security-module@vger.kernel.org>
Cc: <serge@hallyn.com>, <jmorris@namei.org>, <paul@paul-moore.com>
Subject: Re: [PATCH] LSM: check if lsmprop_to_secctx call is supported by LSM
Date: Wed, 24 Jun 2026 19:44:03 +0200	[thread overview]
Message-ID: <DJHGSEVHV1M1.2DMGCPPU1YK4Z@mail.networkname.de> (raw)
In-Reply-To: <a28fb6b5-cdf3-4523-813a-165c00f7aef6@schaufler-ca.com>

On Fri Jun 19, 2026 at 7:44 PM CEST, Casey Schaufler wrote:
> If you want to help with the multiple LSM support, there's still
> plenty of work to do. Let me know.

This is my first time trying to contribute to the kernel. If this is the wrong
mailing list or wrong format to discuss this, please tell me directly.
Otherwise, multiple LSM support seems to be a little bit to ambitious for my
first contributions.

> If the BPF LSM (the BPF LSM infrastructure, not the eBPF programs)
> is going to support security contexts you need to mark it
> LSM_FLAGS_EXCLUSIVE.

[...]

> Until then your choices are:
>
> 	- Make the BPF LSM exclusive
> 	- Do not use any of the security context or secid based hooks
>

I am not trying to load any BPF myself but I am debugging issues when using
auditd and apparmor in parallel. As soon as I try to load audit rules from
userspace our logs get spammed with "error in audit_log_subj_ctx" messages.
According to my analysis, the function call chain leading to the bug is:

1. audit_log_subj_ctx defined in kernel/audit.c
	 // the only LSM enabled is apparmor -> audit_subj_secctx_cnt == 1
	 // confirmed using bpftrace
	 if (audit_subj_secctx_cnt < 2) {
	 	error = security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF);
	 	if (error < 0) {
			if (error != -EINVAL)
				goto error_path; // produces err msgs in logs
			return 0;
		}
		audit_log_format(ab, " subj=%s", ctx.context);
		security_release_secctx(&ctx);
	}

2. security_lsmprop_to_secctx defined in security/security.c
	// lsm_for_each_hook iterates over all registered LSMs
	// lsm_id == LSM_ID_UNDEF -> the first lsmprop_to_secctx hook is used
	// tracing the following probes using bpftrace
	// 	kretprobe:apparmor_lsmprop_to_secctx
	// 	kretprobe:selinux_lsmprop_to_secctx
	// 	kretprobe:smack_lsmprop_to_secctx
	// 	kretprobe:bpf_lsm_lsmprop_to_secctx
	// 	kretprobe:security_lsmprop_to_scctx
	// bpf_lsm_lsmprop_to_secctx hook is executed and returns -EOPNOTSUPP
	lsm_for_each_hook(scall, lsmprop_to_secctx) {
		if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id)
			continue;
		return scall->hl->hook.lsmprop_to_secctx(prop, cp);
	}

3. bpf_lsm_lsmprop_to_secctx
	is defined through #include <linux/lsm_hook_defs.h> and returns
	-EOPNOTSUPP default. The return value is propagated up the call stack
	up to security_lsmprop_to_secctx and then to audit_log_subj_ctx.
	audit_log_subj_ctx checks for error return values and prints the
	audit_panic "error in audit_log_subj_ctx"

My patch could check for any errors or lsmprop_to_secctx but since some might
be useful to check by another function in the call stack, i decided to only
check if the hook is supported by the LSM.

  reply	other threads:[~2026-06-24 17:44 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-19 17:19 [PATCH] LSM: check if lsmprop_to_secctx call is supported by LSM Sebastian Bockholt
2026-06-19 17:44 ` Casey Schaufler
2026-06-24 17:44   ` Sebastian Bockholt [this message]
2026-06-24 19:36     ` Casey Schaufler
2026-06-25 15:24       ` Sebastian Bockholt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJHGSEVHV1M1.2DMGCPPU1YK4Z@mail.networkname.de \
    --to=sebastian.bockholt@bevuta.com \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox