Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution

[PATCH bpf-next v5 0/8] MAC and Audit policy using eBPF (KRSI) · KP Singh <hidden> · 2020-03-23
[PATCH bpf-next v5 1/7] bpf: Introduce BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 1/7] bpf: Introduce BPF_PROG_TYPE_LSM · Yonghong Song <hidden> · 2020-03-23
[PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks · KP Singh <hidden> · 2020-03-24
[PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · Yonghong Song <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-24
[PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · Yonghong Song <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · Andrii Nakryiko <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-25
[PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-25
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Kees Cook <hidden> · 2020-03-24
[PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Yonghong Song <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Kees Cook <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Kees Cook <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Kees Cook <hidden> · 2020-03-24
[PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · Yonghong Song <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · Andrii Nakryiko <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · KP Singh <hidden> · 2020-03-24

From: Kees Cook <hidden>
Date: 2020-03-24 18:33:07
Also in: bpf, lkml

On Tue, Mar 24, 2020 at 02:21:30PM -0400, Stephen Smalley wrote:

On Tue, Mar 24, 2020 at 2:06 PM KP Singh [off-list ref] wrote:

quoted

On 24-Mär 11:01, Kees Cook wrote:

quoted

Doesn't the existing int (*bpf_prog)(struct bpf_prog *prog); cover
SELinux's need here? I.e. it can already examine that a hook is being
created for the LSM (since it has a distinct type, etc)?

I was about to say the same, specifically for the BPF use-case, we do
have the "bpf_prog" i.e. :

"Do a check when the kernel generate and return a file descriptor for
eBPF programs."

SELinux can implement its policy logic for BPF_PROG_TYPE_LSM by
providing a callback for this hook.

Ok.  In that case do we really need the capable() check here at all?

IMO, this is for systems without SELinux, where they're using the
capabilities as the basic policy for MAC management.

-- 
Kees Cook

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help