From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: "Jonathan Corbet" <corbet@lwn.net>,
"David Howells" <dhowells@redhat.com>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Masahiro Yamada" <masahiroy@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Nicolas Schier" <nicolas@fjasle.eu>,
"Shuah Khan" <shuah@kernel.org>,
"Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Nick Desaulniers" <nick.desaulniers+lkml@gmail.com>,
"Bill Wendling" <morbo@google.com>,
"Justin Stitt" <justinstitt@google.com>,
"Jarkko Sakkinen" <jarkko@kernel.org>,
"Jan Stancek" <jstancek@redhat.com>,
"Neal Gompa" <neal@gompa.dev>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
keyrings@vger.kernel.org,
"Linux Crypto Mailing List" <linux-crypto@vger.kernel.org>,
"LSM List" <linux-security-module@vger.kernel.org>,
"Linux Kbuild mailing list" <linux-kbuild@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>, bpf <bpf@vger.kernel.org>,
clang-built-linux <llvm@lists.linux.dev>,
nkapron@google.com, "Matteo Croce" <teknoraver@meta.com>,
"Roberto Sassu" <roberto.sassu@huawei.com>,
"Cong Wang" <xiyou.wangcong@gmail.com>
Subject: Re: [PATCH v2 security-next 1/4] security: Hornet LSM
Date: Mon, 14 Apr 2025 17:32:06 -0700 [thread overview]
Message-ID: <87friajmd5.fsf@microsoft.com> (raw)
In-Reply-To: <CAADnVQ+JGfwRgsoe2=EHkXdTyQ8ycn0D9nh1k49am++4oXUPHg@mail.gmail.com>
Alexei Starovoitov <alexei.starovoitov@gmail.com> writes:
> On Sat, Apr 12, 2025 at 6:58 AM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
>>
>> TAlexei Starovoitov <alexei.starovoitov@gmail.com> writes:
>>
>> > On Fri, Apr 4, 2025 at 2:56 PM Blaise Boscaccy
>> > <bboscaccy@linux.microsoft.com> wrote:
>> >> +
>> >> +static int hornet_find_maps(struct bpf_prog *prog, struct hornet_maps *maps)
>> >> +{
>> >> + struct bpf_insn *insn = prog->insnsi;
>> >> + int insn_cnt = prog->len;
>> >> + int i;
>> >> + int err;
>> >> +
>> >> + for (i = 0; i < insn_cnt; i++, insn++) {
>> >> + if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
>> >> + switch (insn[0].src_reg) {
>> >> + case BPF_PSEUDO_MAP_IDX_VALUE:
>> >> + case BPF_PSEUDO_MAP_IDX:
>> >> + err = add_used_map(maps, insn[0].imm);
>> >> + if (err < 0)
>> >> + return err;
>> >> + break;
>> >> + default:
>> >> + break;
>> >> + }
>> >> + }
>> >> + }
>> >
>> > ...
>> >
>> >> + if (!map->frozen) {
>> >> + attr.map_fd = fd;
>> >> + err = kern_sys_bpf(BPF_MAP_FREEZE, &attr, sizeof(attr));
>> >
>> > Sorry for the delay. Still swamped after conferences and the merge window.
>> >
>>
>> No worries.
>>
>> > Above are serious layering violations.
>> > LSMs should not be looking that deep into bpf instructions.
>>
>> These aren't BPF internals; this is data passed in from
>> userspace. Inspecting userspace function inputs is definitely within the
>> purview of an LSM.
>>
>> Lskel signature verification doesn't actually need a full disassembly,
>> but it does need all the maps used by the lskel. Due to API design
>> choices, this unfortunately requires disassembling the program to see
>> which array indexes are being used.
>>
>> > Calling into sys_bpf from LSM is plain nack.
>> >
>>
>> kern_sys_bpf is an EXPORT_SYMBOL, which means that it should be callable
>> from a module.
>
> It's a leftover.
> kern_sys_bpf() is not something that arbitrary kernel
> modules should call.
> It was added to work for cases where kernel modules
> carry their own lskels.
> That use case is gone, so EXPORT_SYMBOL will be removed.
>
I'm not following that at all. You recommended using module-based lskels
to get around code signing requirements at lsfmmbpf and now you want to
nuke that entire feature? And further, skel_internal will no longer be
usable from within the kernel and bpf_preload is no longer going to be
supported?
>> Lskels without frozen maps are vulnerable to a TOCTOU
>> attack from a sufficiently privileged user. Lskels currently pass
>> unfrozen maps into the kernel, and there is nothing stopping someone
>> from modifying them between BPF_PROG_LOAD and BPF_PROG_RUN.
>>
>> > The verification of module signatures is a job of the module loading process.
>> > The same thing should be done by the bpf system.
>> > The signature needs to be passed into sys_bpf syscall
>> > as a part of BPF_PROG_LOAD command.
>> > It probably should be two new fields in union bpf_attr
>> > (signature and length),
>> > and the whole thing should be processed as part of the loading
>> > with human readable error reported back through the verifier log
>> > in case of signature mismatch, etc.
>> >
>>
>> I don't necessarily disagree, but my main concern with this is that
>> previous code signing patchsets seem to get gaslit or have the goalposts
>> moved until they die or are abandoned.
>
> Previous attempts to add signing failed because
> 1. It's a difficult problem to solve
> 2. people only cared about their own narrow use case and not
> considering the needs of bpf ecosystem as a whole.
>
>> Are you saying that at this point, you would be amenable to an in-tree
>> set of patches that enforce signature verification of lskels during
>> BPF_PROG_LOAD that live in syscall.c,
>
> that's the only way to do it.
>
So the notion of forcing people into writing bpf-based gatekeeper programs
is being abandoned? e.g.
https://lore.kernel.org/bpf/bqxgv2tqk3hp3q3lcdqsw27btmlwqfkhyg6kohsw7lwdgbeol7@nkbxnrhpn7qr/#t
https://lore.kernel.org/bpf/61aae2da8c7b0_68de0208dd@john.notmuch/
>> without adding extra non-code
>> signing requirements like attachment point verification, completely
>> eBPF-based solutions, or rich eBPF-based program run-time policy
>> enforcement?
>
> Those are secondary considerations that should also be discussed.
> Not necessarily a blocker.
Again, I'm confused here since you recently stated this whole thing
was "questionable" without attachment point verification.
next prev parent reply other threads:[~2025-04-15 0:32 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-04 21:54 [PATCH v2 security-next 0/4] Introducing Hornet LSM Blaise Boscaccy
2025-04-04 21:54 ` [PATCH v2 security-next 1/4] security: " Blaise Boscaccy
2025-04-06 4:27 ` kernel test robot
2025-04-06 20:42 ` kernel test robot
2025-04-11 19:09 ` Tyler Hicks
2025-04-14 20:11 ` Blaise Boscaccy
2025-04-11 23:16 ` [PATCH v2 " Paul Moore
2025-04-14 20:46 ` Blaise Boscaccy
2025-04-15 1:37 ` Paul Moore
2025-04-12 0:09 ` [PATCH v2 security-next " Alexei Starovoitov
2025-04-12 0:29 ` Matteo Croce
2025-04-12 0:57 ` Alexei Starovoitov
2025-04-12 14:11 ` Blaise Boscaccy
2025-04-12 13:57 ` Blaise Boscaccy
2025-04-14 16:08 ` Paul Moore
2025-04-14 20:56 ` Alexei Starovoitov
2025-04-15 0:32 ` Blaise Boscaccy [this message]
2025-04-15 1:38 ` Alexei Starovoitov
2025-04-15 15:45 ` Blaise Boscaccy
2025-04-15 19:08 ` Blaise Boscaccy
2025-04-19 16:21 ` Paul Moore
2025-04-15 21:48 ` Alexei Starovoitov
2025-04-16 17:31 ` Blaise Boscaccy
2025-04-21 20:12 ` Alexei Starovoitov
2025-04-21 22:03 ` Paul Moore
2025-04-21 23:48 ` Alexei Starovoitov
2025-04-22 2:38 ` Paul Moore
2025-04-23 14:12 ` James Bottomley
2025-04-23 15:10 ` Paul Moore
2025-04-24 23:41 ` Alexei Starovoitov
2025-04-25 14:06 ` James Bottomley
2025-04-25 21:44 ` Blaise Boscaccy
2025-04-19 18:43 ` James Bottomley
2025-04-21 18:52 ` Paul Moore
2025-04-21 19:03 ` James Bottomley
2025-04-04 21:54 ` [PATCH v2 security-next 2/4] hornet: Introduce sign-ebpf Blaise Boscaccy
2025-04-04 21:54 ` [PATCH v2 security-next 3/4] hornet: Add a light skeleton data extractor script Blaise Boscaccy
2025-04-04 21:54 ` [PATCH v2 security-next 4/4] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87friajmd5.fsf@microsoft.com \
--to=bboscaccy@linux.microsoft.com \
--cc=alexei.starovoitov@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=gnoack@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=jstancek@redhat.com \
--cc=justinstitt@google.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=masahiroy@kernel.org \
--cc=mic@digikod.net \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=neal@gompa.dev \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=nicolas@fjasle.eu \
--cc=nkapron@google.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=teknoraver@meta.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).