Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM

[PATCH bpf-next v3 00/10] MAC and Audit policy using eBPF (KRSI) · KP Singh <hidden> · 2020-01-23
[PATCH bpf-next v3 01/10] bpf: btf: Add btf_type_by_name_kind · KP Singh <hidden> · 2020-01-23
Re: [PATCH bpf-next v3 01/10] bpf: btf: Add btf_type_by_name_kind · Andrii Nakryiko <hidden> · 2020-01-23
Re: [PATCH bpf-next v3 01/10] bpf: btf: Add btf_type_by_name_kind · KP Singh <hidden> · 2020-01-24
[PATCH bpf-next v3 03/10] bpf: lsm: Introduce types for eBPF based LSM · KP Singh <hidden> · 2020-01-23
Re: [PATCH bpf-next v3 03/10] bpf: lsm: Introduce types for eBPF based LSM · Alexei Starovoitov <hidden> · 2020-02-10
Re: [PATCH bpf-next v3 03/10] bpf: lsm: Introduce types for eBPF based LSM · KP Singh <hidden> · 2020-02-11
[PATCH bpf-next v3 05/10] bpf: lsm: BTF API for LSM hooks · KP Singh <hidden> · 2020-01-23
[PATCH bpf-next v3 10/10] bpf: lsm: Add Documentation · KP Singh <hidden> · 2020-01-23
[PATCH bpf-next v3 09/10] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-01-23
[PATCH bpf-next v3 07/10] bpf: lsm: Make the allocated callback RO+X · KP Singh <hidden> · 2020-01-23
[PATCH bpf-next v3 08/10] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-01-23
Re: [PATCH bpf-next v3 08/10] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · Andrii Nakryiko <hidden> · 2020-01-23
Re: [PATCH bpf-next v3 08/10] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-01-24
[PATCH bpf-next v3 06/10] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-01-23
[PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · KP Singh <hidden> · 2020-01-23
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · Casey Schaufler <casey@schaufler-ca.com> · 2020-01-23
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · KP Singh <hidden> · 2020-01-23
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · Casey Schaufler <casey@schaufler-ca.com> · 2020-01-23
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · KP Singh <hidden> · 2020-01-23
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · Casey Schaufler <casey@schaufler-ca.com> · 2020-01-23
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · KP Singh <hidden> · 2020-01-24
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · James Morris <jmorris@namei.org> · 2020-01-24
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · Alexei Starovoitov <hidden> · 2020-02-11
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · KP Singh <hidden> · 2020-02-11
Re: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM · Alexei Starovoitov <hidden> · 2020-02-11
BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Jann Horn <jannh@google.com> · 2020-02-11
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Alexei Starovoitov <hidden> · 2020-02-11
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Jann Horn <jannh@google.com> · 2020-02-11
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Alexei Starovoitov <hidden> · 2020-02-11
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Jann Horn <jannh@google.com> · 2020-02-11
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Jann Horn <jannh@google.com> · 2020-02-11
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Alexei Starovoitov <hidden> · 2020-02-11
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Alexei Starovoitov <hidden> · 2020-02-11
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Daniel Borkmann <daniel@iogearbox.net> · 2020-02-12
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Alexei Starovoitov <hidden> · 2020-02-12
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Daniel Borkmann <daniel@iogearbox.net> · 2020-02-12
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · KP Singh <hidden> · 2020-02-12
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Casey Schaufler <casey@schaufler-ca.com> · 2020-02-12
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · KP Singh <hidden> · 2020-02-12
Re: BPF LSM and fexit [was: [PATCH bpf-next v3 04/10] bpf: lsm: Add mutable hooks list for the BPF LSM] · Casey Schaufler <casey@schaufler-ca.com> · 2020-02-12
[PATCH bpf-next v3 02/10] bpf: lsm: Add a skeleton and config options · KP Singh <hidden> · 2020-01-23
Re: [PATCH bpf-next v3 02/10] bpf: lsm: Add a skeleton and config options · Alexei Starovoitov <hidden> · 2020-02-10
Re: [PATCH bpf-next v3 02/10] bpf: lsm: Add a skeleton and config options · KP Singh <hidden> · 2020-02-11

From: James Morris <jmorris@namei.org>
Date: 2020-01-24 21:55:36
Also in: bpf, lkml

On Thu, 23 Jan 2020, KP Singh wrote:

quoted

If you want to put mutable hook handling in the infrastructure
you need to make it general mutable hook handling as opposed to
BPF hook handling. I don't know if that would be acceptable for
all the reasons called out about dynamic module loading.

We can have generic mutable hook handling and if an LSM doesn't

--> provide a mutable security_hook_heads, it would not allow dynamic

hooks / dynamic module loading.

So, in practice it will just be the BPF LSM that allows mutable hooks
and the other existing LSMs won't. I guess it will be cleaner than
calling the BPF hooks directly from the LSM code (i.e in security.c)

I'm inclined to only have mutable hooks for KRSI, not for all LSMs. This 
is a special case and we don't need to provide this for anyone else.

Btw, folks, PLEASE trim replies.


-- 
James Morris
[off-list ref]

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help