From: Xu Kuohai <xukuohai@huaweicloud.com>
To: Paul Moore <paul@paul-moore.com>
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kselftest@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
Matt Bobrowski <mattbobrowski@google.com>,
Brendan Jackman <jackmanb@chromium.org>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
Khadija Kamran <kamrankhadijadj@gmail.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Kees Cook <keescook@chromium.org>,
John Johansen <john.johansen@canonical.com>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Shung-Hsi Yu <shung-hsi.yu@suse.com>
Subject: Re: [PATCH bpf-next v3 01/11] bpf, lsm: Annotate lsm hook return value range
Date: Sat, 8 Jun 2024 16:04:25 +0800 [thread overview]
Message-ID: <b4484882-0de5-4515-8c40-41891ac4b21e@huaweicloud.com> (raw)
In-Reply-To: <CAHC9VhRipBNd+G=RMPVeVOiYCx6FZwHSn0JNKv=+jYZtd5SdYg@mail.gmail.com>
On 6/7/2024 5:53 AM, Paul Moore wrote:
> On Thu, Apr 11, 2024 at 8:24 AM Xu Kuohai <xukuohai@huaweicloud.com> wrote:
>>
>> From: Xu Kuohai <xukuohai@huawei.com>
>>
>> Add macro LSM_RET_INT to annotate lsm hook return integer type and the
>> default return value, and the expected return range.
>>
>> The LSM_RET_INT is declared as:
>>
>> LSM_RET_INT(defval, min, max)
>>
>> where
>>
>> - defval is the default return value
>>
>> - min and max indicate the expected return range is [min, max]
>>
>> The return value range for each lsm hook is taken from the description
>> in security/security.c.
>>
>> The expanded result of LSM_RET_INT is not changed, and the compiled
>> product is not changed.
>>
>> Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
>> ---
>> include/linux/lsm_hook_defs.h | 591 +++++++++++++++++-----------------
>> include/linux/lsm_hooks.h | 6 -
>> kernel/bpf/bpf_lsm.c | 10 +
>> security/security.c | 1 +
>> 4 files changed, 313 insertions(+), 295 deletions(-)
>
> ...
>
>> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
>> index 334e00efbde4..708f515ffbf3 100644
>> --- a/include/linux/lsm_hook_defs.h
>> +++ b/include/linux/lsm_hook_defs.h
>> @@ -18,435 +18,448 @@
>> * The macro LSM_HOOK is used to define the data structures required by
>> * the LSM framework using the pattern:
>> *
>> - * LSM_HOOK(<return_type>, <default_value>, <hook_name>, args...)
>> + * LSM_HOOK(<return_type>, <return_description>, <hook_name>, args...)
>> *
>> * struct security_hook_heads {
>> - * #define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME;
>> + * #define LSM_HOOK(RET, RETVAL_DESC, NAME, ...) struct hlist_head NAME;
>> * #include <linux/lsm_hook_defs.h>
>> * #undef LSM_HOOK
>> * };
>> */
>> -LSM_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr)
>> -LSM_HOOK(int, 0, binder_transaction, const struct cred *from,
>> +LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_set_context_mgr, const struct cred *mgr)
>> +LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_transaction, const struct cred *from,
>> const struct cred *to)
>> -LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from,
>> +LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_transfer_binder, const struct cred *from,
>> const struct cred *to)
>> -LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from,
>> +LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_transfer_file, const struct cred *from,
>> const struct cred *to, const struct file *file)
>
> I'm not overly excited about injecting these additional return value
> range annotations into the LSM hook definitions, especially since the
> vast majority of the hooks "returns 0 on success, negative values on
> error". I'd rather see some effort put into looking at the
> feasibility of converting some (all?) of the LSM hook return value
> exceptions into the more conventional 0/-ERRNO format. Unfortunately,
> I haven't had the time to look into that myself, but if you wanted to
> do that I think it would be a good thing.
>
I agree that keeping all hooks return a consistent range of 0/-ERRNO
is more elegant than adding return value range annotations. However, there
are two issues that might need to be addressed first:
1. Compatibility
For instance, security_vm_enough_memory_mm() determines whether to
set cap_sys_admin by checking if the hook vm_enough_memory returns
a positive number. If we were to change the hook vm_enough_memory
to return 0 to indicate the need for cap_sys_admin, then for the
LSM BPF program currently returning 0, the interpretation of its
return value would be reversed after the modification.
2. Expressing multiple non-error states using 0/-ERRNO
IIUC, although 0/-ERRNO can be used to express different errors,
only 0 can be used for non-error state. If there are multiple
non-error states, they cannot be distinguished. For example,
security_inode_need_killpriv() returns < 0 on error, 0 if
security_inode_killpriv() doesn't need to be called, and > 0
if security_inode_killpriv() does need to be called.
next prev parent reply other threads:[~2024-06-08 8:04 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-11 12:27 [PATCH bpf-next v3 00/11] Add check for bpf lsm return value Xu Kuohai
2024-04-11 12:27 ` [PATCH bpf-next v3 01/11] bpf, lsm: Annotate lsm hook return value range Xu Kuohai
2024-06-06 21:53 ` Paul Moore
2024-06-08 8:04 ` Xu Kuohai [this message]
2024-06-08 13:54 ` Alexei Starovoitov
2024-06-09 17:39 ` Casey Schaufler
2024-06-09 18:17 ` Paul Moore
2024-06-11 2:24 ` Xu Kuohai
2024-06-11 20:06 ` Paul Moore
2024-04-11 12:27 ` [PATCH bpf-next v3 02/11] bpf, lsm: Add helper to read " Xu Kuohai
2024-04-11 12:27 ` [PATCH bpf-next v3 03/11] bpf, lsm: Check bpf lsm hook return values in verifier Xu Kuohai
2024-04-13 11:44 ` Eduard Zingerman
2024-04-11 12:27 ` [PATCH bpf-next v3 04/11] bpf, lsm: Add bpf lsm disabled hook list Xu Kuohai
2024-04-11 12:27 ` [PATCH bpf-next v3 05/11] bpf: Avoid progs for different hooks calling each other with tail call Xu Kuohai
2024-04-11 12:27 ` [PATCH bpf-next v3 06/11] bpf: Fix compare error in function retval_range_within Xu Kuohai
2024-04-12 8:53 ` Shung-Hsi Yu
2024-04-25 23:41 ` Andrii Nakryiko
2024-04-26 8:08 ` Xu Kuohai
2024-04-11 12:27 ` [PATCH bpf-next v3 07/11] bpf: Fix a false rejection caused by AND operation Xu Kuohai
2024-04-19 23:00 ` Eduard Zingerman
2024-04-20 8:33 ` Xu Kuohai
2024-04-23 21:55 ` Yonghong Song
2024-04-24 2:25 ` Xu Kuohai
2024-04-24 22:06 ` Yonghong Song
2024-04-25 2:42 ` Xu Kuohai
2024-04-25 16:28 ` Yonghong Song
2024-04-26 7:43 ` Xu Kuohai
2024-04-26 20:36 ` Andrii Nakryiko
2024-04-28 15:15 ` Xu Kuohai
2024-04-29 20:58 ` Andrii Nakryiko
2024-04-29 22:18 ` Eduard Zingerman
2024-04-30 3:56 ` Xu Kuohai
2024-04-30 3:54 ` Xu Kuohai
2024-04-29 21:56 ` Eduard Zingerman
2024-04-11 12:27 ` [PATCH bpf-next v3 08/11] selftests/bpf: Avoid load failure for token_lsm.c Xu Kuohai
2024-04-11 12:27 ` [PATCH bpf-next v3 09/11] selftests/bpf: Add return value checks for failed tests Xu Kuohai
2024-04-11 12:27 ` [PATCH bpf-next v3 10/11] selftests/bpf: Add test for lsm tail call Xu Kuohai
2024-04-11 12:27 ` [PATCH bpf-next v3 11/11] selftests/bpf: Add verifier tests for bpf lsm Xu Kuohai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b4484882-0de5-4515-8c40-41891ac4b21e@huaweicloud.com \
--to=xukuohai@huaweicloud.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=jackmanb@chromium.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=john.johansen@canonical.com \
--cc=jolsa@kernel.org \
--cc=kamrankhadijadj@gmail.com \
--cc=keescook@chromium.org \
--cc=kpsingh@kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lukas.bulwahn@gmail.com \
--cc=martin.lau@linux.dev \
--cc=mattbobrowski@google.com \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=sdf@google.com \
--cc=serge@hallyn.com \
--cc=shung-hsi.yu@suse.com \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).