Thread (33 messages) 33 messages, 7 authors, 2020-03-27

Re: [PATCH bpf-next v7 4/8] bpf: lsm: Implement attach, detach and execution

From: KP Singh <hidden>
Date: 2020-03-27 14:29:55
Also in: bpf, lkml 

On 27-Mär 09:43, Stephen Smalley wrote:
On 3/27/20 8:41 AM, KP Singh wrote:
quoted
On 27-Mär 08:27, Stephen Smalley wrote:
quoted
On 3/26/20 8:24 PM, James Morris wrote:
quoted
On Thu, 26 Mar 2020, KP Singh wrote:
quoted
+int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
+			const struct bpf_prog *prog)
+{
+	/* Only CAP_MAC_ADMIN users are allowed to make changes to LSM hooks
+	 */
+	if (!capable(CAP_MAC_ADMIN))
+		return -EPERM;
+
Stephen, can you confirm that your concerns around this are resolved
(IIRC, by SELinux implementing a bpf_prog callback) ?
I guess the only residual concern I have is that CAP_MAC_ADMIN means
something different to SELinux (ability to get/set file security contexts
unknown to the currently loaded policy), so leaving the CAP_MAC_ADMIN check
here (versus calling a new security hook here and checking CAP_MAC_ADMIN in
the implementation of that hook for the modules that want that) conflates
two very different things.  Prior to this patch, there are no users of
CAP_MAC_ADMIN outside of individual security modules; it is only checked in
module-specific logic within apparmor, safesetid, selinux, and smack, so the
meaning was module-specific.
As we had discussed, We do have a security hook as well:

https://lore.kernel.org/bpf/20200324180652.GA11855@chromium.org/ (local)

The bpf_prog hook which can check for BPF_PROG_TYPE_LSM and implement
module specific logic for LSM programs. I thougt that was okay?

Kees was in favor of keeping the CAP_MAC_ADMIN check here:

https://lore.kernel.org/bpf/202003241133.16C02BE5B@keescook (local)

If you feel strongly and Kees agrees, we can remove the CAP_MAC_ADMIN
check here, but given that we already have a security hook that meets
the requirements, we probably don't need another one.
I would favor removing the CAP_MAC_ADMIN check here, and implementing it in
Okay. For the scope of this series I will remove this check in the
next revision. If people feel strongly that we need it centrally
within the BPF infrastructure, we can do that as a separate patch and
discuss it there.

a bpf_prog hook for Smack and AppArmor if they want that.  SELinux would
implement its own check in its existing bpf_prog hook.
I think Smack and AppArmor can also use the same hook. Since we
already have a hook, I don't think anyone is blocked from
implementing policy logic for loading LSM BPF programs.

James/Kees does this sound okay?

- KP

  



    
  

  
    

      

        Keyboard shortcuts
      

      

        
          
hback out one level

          
jnext message in thread

          
kprevious message in thread

          
ldrill in

          
Escclose help / fold thread tree

          
?toggle this help