Thread (14 messages) 14 messages, 5 authors, 4d ago

Re: [PATCH bpf-next v3 2/6] bpf: Verify signed loader metadata at load time

From: Alexei Starovoitov <hidden>
Date: 2026-07-02 22:33:08
Also in: bpf

On Thu Jul 2, 2026 at 3:05 PM PDT, Paul Moore wrote:
As I mentioned previously, the security_bpf_prog_load() hook should
not be moved.  Its placement was deliberate, and moving it as you've
done in this patch creates a security regression. 
not true.
Without this patch,
for processes where SELinux is preventing BPF programs from being
loaded, it is able to do so before the process allocates a potentially
very large chunk of kernel memory, up to one million BPF instructions.
only when signature verification is requested and the hash over insns
is what your hornet thingy did too.
So no regression whatsoever. Exact same behavior.
With this patch, even in cases where SELinux will prevent the BPF
program load operation, it is not able to do so before the process
triggers a potential sizable memory allocation, opening the door for a
local DoS attack.
Not true either. Worst case is 1M which is 8Mbyte.
Not even close to anything DoS worthy.
In an effort to work with you on this, I did bring up two alternative
solutions: a new LSM hook for the signature verification, or the use
of the existing security_bpf_prog() hook. 
Sorry we're not going to add new hook because Paul has
non-technical grudge against bpf.
While I don't like to do this, you haven't given me much of a choice;
the security regression can not be ignored:

 Nacked-by: Paul Moore (don't move bpf_prog_load LSM hook) [off-list ref]
of course. will keep it and let Linus decide during the merge window.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help