Re: [RFC][PATCH 3/4] lsm: Redefine LSM_HOOK() macro to add return value... | linux-security-module

[RFC][PATCH 0/4] security: Ensure LSMs return expected values · Roberto Sassu <hidden> · 2022-11-15
[RFC][PATCH 1/4] lsm: Clarify documentation of vm_enough_memory hook · Roberto Sassu <hidden> · 2022-11-15
Re: [RFC][PATCH 1/4] lsm: Clarify documentation of vm_enough_memory hook · Paul Moore <paul@paul-moore.com> · 2022-11-16
Re: [RFC][PATCH 1/4] lsm: Clarify documentation of vm_enough_memory hook · Roberto Sassu <hidden> · 2022-11-16
Re: [RFC][PATCH 1/4] lsm: Clarify documentation of vm_enough_memory hook · KP Singh <kpsingh@kernel.org> · 2022-11-16
Re: [RFC][PATCH 1/4] lsm: Clarify documentation of vm_enough_memory hook · Paul Moore <paul@paul-moore.com> · 2022-11-16
[RFC][PATCH 2/4] lsm: Add missing return values doc in lsm_hooks.h and fix formatting · Roberto Sassu <hidden> · 2022-11-15
Re: [RFC][PATCH 2/4] lsm: Add missing return values doc in lsm_hooks.h and fix formatting · Paul Moore <paul@paul-moore.com> · 2022-11-16
Re: [RFC][PATCH 2/4] lsm: Add missing return values doc in lsm_hooks.h and fix formatting · Roberto Sassu <hidden> · 2022-11-16
Re: [RFC][PATCH 2/4] lsm: Add missing return values doc in lsm_hooks.h and fix formatting · Paul Moore <paul@paul-moore.com> · 2022-11-16
[RFC][PATCH 3/4] lsm: Redefine LSM_HOOK() macro to add return value flags as argument · Roberto Sassu <hidden> · 2022-11-15
Re: [RFC][PATCH 3/4] lsm: Redefine LSM_HOOK() macro to add return value flags as argument · Paul Moore <paul@paul-moore.com> · 2022-11-16
Re: [RFC][PATCH 3/4] lsm: Redefine LSM_HOOK() macro to add return value flags as argument · Roberto Sassu <hidden> · 2022-11-16
Re: [RFC][PATCH 3/4] lsm: Redefine LSM_HOOK() macro to add return value flags as argument · Paul Moore <paul@paul-moore.com> · 2022-11-16
Re: [RFC][PATCH 3/4] lsm: Redefine LSM_HOOK() macro to add return value flags as argument · Greg KH <gregkh@linuxfoundation.org> · 2022-11-17
Re: [RFC][PATCH 3/4] lsm: Redefine LSM_HOOK() macro to add return value flags as argument · Paul Moore <paul@paul-moore.com> · 2022-11-17
[RFC][PATCH 4/4] security: Enforce limitations on return values from LSMs · Roberto Sassu <hidden> · 2022-11-15
Re: [RFC][PATCH 4/4] security: Enforce limitations on return values from LSMs · Paul Moore <paul@paul-moore.com> · 2022-11-16
Re: [RFC][PATCH 4/4] security: Enforce limitations on return values from LSMs · Roberto Sassu <hidden> · 2022-11-16
[PoC][PATCH] bpf: Call return value check function in the JITed code · Roberto Sassu <hidden> · 2022-11-16
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · Alexei Starovoitov <hidden> · 2022-11-16
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · Roberto Sassu <hidden> · 2022-11-16
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · Alexei Starovoitov <hidden> · 2022-11-16
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · Casey Schaufler <casey@schaufler-ca.com> · 2022-11-16
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · KP Singh <kpsingh@kernel.org> · 2022-11-16
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · Paul Moore <paul@paul-moore.com> · 2022-11-16
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · Roberto Sassu <hidden> · 2022-11-30
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · Casey Schaufler <casey@schaufler-ca.com> · 2022-11-16
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · KP Singh <kpsingh@kernel.org> · 2022-11-16
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · Roberto Sassu <hidden> · 2022-11-18
Re: [PoC][PATCH] bpf: Call return value check function in the JITed code · Roberto Sassu <hidden> · 2022-11-21
Re: [RFC][PATCH 4/4] security: Enforce limitations on return values from LSMs · Paul Moore <paul@paul-moore.com> · 2022-11-16
Re: [RFC][PATCH 0/4] security: Ensure LSMs return expected values · Casey Schaufler <casey@schaufler-ca.com> · 2022-11-15

Re: [RFC][PATCH 3/4] lsm: Redefine LSM_HOOK() macro to add return value flags as argument

From: Paul Moore <paul@paul-moore.com>
Date: 2022-11-16 22:04:26
Also in: bpf, lkml, stable

On Wed, Nov 16, 2022 at 3:11 AM Roberto Sassu
[off-list ref] wrote:

On Tue, 2022-11-15 at 21:27 -0500, Paul Moore wrote:

quoted

On Tue, Nov 15, 2022 at 12:58 PM Roberto Sassu
[off-list ref] wrote:

quoted

From: Roberto Sassu <roberto.sassu@huawei.com>

Define four return value flags (LSM_RET_NEG, LSM_RET_ZERO, LSM_RET_ONE,
LSM_RET_GT_ONE), one for each interval of interest (< 0, = 0, = 1, > 1).

Redefine the LSM_HOOK() macro to add return value flags as argument, and
set the correct flags for each LSM hook.

Implementors of new LSM hooks should do the same as well.

Cc: stable@vger.kernel.org # 5.7.x
Fixes: 9d3fdea789c8 ("bpf: lsm: Provide attachment points for BPF LSM programs")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 include/linux/bpf_lsm.h       |   2 +-
 include/linux/lsm_hook_defs.h | 779 ++++++++++++++++++++--------------
 include/linux/lsm_hooks.h     |   9 +-
 kernel/bpf/bpf_lsm.c          |   5 +-
 security/bpf/hooks.c          |   2 +-
 security/security.c           |   4 +-
 6 files changed, 466 insertions(+), 335 deletions(-)

Just a quick note here that even if we wanted to do something like
this, it is absolutely not -stable kernel material.  No way.

I was unsure about that. We need a proper fix for this issue that needs
to be backported to some kernels. I saw this more like a dependency.
But I agree with you that it would be unlikely that this patch is
applied to stable kernels.

For stable kernels, what it would be the proper way? We still need to
maintain an allow list of functions that allow a positive return value,
at least. Should it be in the eBPF code only?

Ideally the fix for -stable is the same as what is done for Linus'
kernel (ignoring backport fuzzing), so I would wait and see how that
ends up first.  However, if the patchset for Linus' tree is
particularly large and touches a lot of code, you may need to work on
something a bit more targeted to the specific problem.  I tend to be
more conservative than most kernel devs when it comes to -stable
patches, but if you can't backport the main upstream patchset, smaller
(both in terms of impact and lines changed) is almost always better.

-- 
paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help