Re: [PATCH v4 9/20] lsm: Refactor return value of LSM hook key_getsecurity

2024-07-23 Thread Xu Kuohai
On 7/23/2024 5:35 AM, Paul Moore wrote: On Sat, Jul 20, 2024 at 5:31 AM Xu Kuohai wrote: On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook key_getsecurity to 0 or a negative error code. Before

Re: [PATCH v4 7/20] lsm: Refactor return value of LSM hook setprocattr

2024-07-20 Thread Xu Kuohai
On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook setprocattr to 0 or a negative error code. Before: - Hook setprocattr returns the number of bytes written on success or a negative error code on

Re: [PATCH v4 10/20] lsm: Refactor return value of LSM hook audit_rule_match

2024-07-20 Thread Xu Kuohai
On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook audit_rule_match to 0 or a negative error code. Before: - Hook audit_rule_match returns 1 if the rule matches, 0 if it does not, and negative error

Re: [PATCH v4 9/20] lsm: Refactor return value of LSM hook key_getsecurity

2024-07-20 Thread Xu Kuohai
On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook key_getsecurity to 0 or a negative error code. Before: - Hook key_getsecurity returns length of value on success or a negative error code on

Re: [PATCH v4 8/20] lsm: Refactor return value of LSM hook getprocattr

2024-07-20 Thread Xu Kuohai
On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook getprocattr to 0 or a negative error code. Before: - Hook getprocattr returns length of value on success or a negative error code on failure

Re: [PATCH v4 6/20] lsm: Refactor return value of LSM hook getselfattr

2024-07-20 Thread Xu Kuohai
On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook getselfattr to 0 or a negative error code. Before: - Hook getselfattr returns number of attributes found on success or a negative error code on

Re: [PATCH v4 5/20] lsm: Refactor return value of LSM hook inode_copy_up_xattr

2024-07-20 Thread Xu Kuohai
On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook inode_copy_up_xattr to 0 or a negative error code. Before: - Hook inode_copy_up_xattr returns 0 when accepting xattr, 1 when discarding xattr

Re: [PATCH v4 4/20] lsm: Refactor return value of LSM hook inode_listsecurity

2024-07-20 Thread Xu Kuohai
On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook inode_listsecurity to 0 or a negative error code. Before: - Hook inode_listsecurity returns number of bytes used/required on success or a

Re: [PATCH v4 3/20] lsm: Refactor return value of LSM hook inode_getsecurity

2024-07-20 Thread Xu Kuohai
On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook inode_getsecurity to 0 or a negative error code. Before: - Hook inode_getsecurity returns size of buffer on success or a negative error code on

Re: [PATCH v4 2/20] lsm: Refactor return value of LSM hook inode_need_killpriv

2024-07-20 Thread Xu Kuohai
On 7/19/2024 10:08 AM, Paul Moore wrote: On Jul 11, 2024 Xu Kuohai wrote: To be consistent with most LSM hooks, convert the return value of hook inode_need_killpriv to 0 or a negative error code. Before: - Both hook inode_need_killpriv and func security_inode_need_killpriv return > 0

Re: [PATCH bpf-next v4 00/20] Add return value range check for BPF LSM

2024-07-18 Thread Xu Kuohai
On 7/19/2024 10:13 AM, Paul Moore wrote: On Fri, Jul 12, 2024 at 5:44 PM Paul Moore wrote: On Thu, Jul 11, 2024 at 7:13 AM Xu Kuohai wrote: From: Xu Kuohai LSM BPF prog returning a positive number attached to the hook file_alloc_security makes kernel panic. Here is a panic log

Re: [PATCH bpf-next v4 11/20] bpf, lsm: Add disabled BPF LSM hook list

2024-07-13 Thread Xu Kuohai
On 7/13/2024 1:56 AM, Alexei Starovoitov wrote: On Thu, Jul 11, 2024 at 07:18:59PM +0800, Xu Kuohai wrote: From: Xu Kuohai Add a disabled hooks list for BPF LSM. progs being attached to the listed hooks will be rejected by the verifier. Suggested-by: KP Singh Signed-off-by: Xu Kuohai Xu

Re: [PATCH bpf-next v4 03/20] lsm: Refactor return value of LSM hook inode_getsecurity

2024-07-13 Thread Xu Kuohai
On 7/12/2024 9:31 PM, Simon Horman wrote: On Thu, Jul 11, 2024 at 07:18:51PM +0800, Xu Kuohai wrote: From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook inode_getsecurity to 0 or a negative error code. Before: - Hook inode_getsecurity returns size of buffer

Re: [PATCH bpf-next v4 02/20] lsm: Refactor return value of LSM hook inode_need_killpriv

2024-07-13 Thread Xu Kuohai
On 7/11/2024 10:15 PM, Serge Hallyn wrote: Jul 11, 2024 06:14:09 Xu Kuohai : From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook inode_need_killpriv to 0 or a negative error code. Before: - Both hook inode_need_killpriv and func

[PATCH bpf-next v4 20/20] selftests/bpf: Add verifier tests for bpf lsm

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai Add verifier tests to check bpf lsm return values, output parameter access and disabled hooks. Signed-off-by: Xu Kuohai --- .../selftests/bpf/prog_tests/verifier.c | 2 + .../selftests/bpf/progs/verifier_lsm.c| 274 ++ 2 files changed, 276

[PATCH bpf-next v4 19/20] selftests/bpf: Add test for lsm tail call

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai Add test for lsm tail call to ensure tail call can only be used between bpf lsm progs attached to the same hook. Signed-off-by: Xu Kuohai --- .../selftests/bpf/prog_tests/test_lsm.c | 46 ++- .../selftests/bpf/progs/lsm_tailcall.c| 34

[PATCH bpf-next v4 18/20] selftests/bpf: Add return value checks for failed tests

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai The return ranges of some bpf lsm test progs can not be deduced by the verifier accurately. To avoid erroneous rejections, add explicit return value checks for these progs. Signed-off-by: Xu Kuohai --- tools/testing/selftests/bpf/progs/err.h| 10

[PATCH bpf-next v4 17/20] selftests/bpf: Avoid load failure for token_lsm.c

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai The compiler optimized the two bpf progs in token_lsm.c to make return value from the bool variable in the "return -1" path, causing an unexpected rejection: 0: R1=ctx() R10=fp0 ; int BPF_PROG(bpf_token_capable, struct bpf_token *token, int cap) @ bpf_lsm.c:17 0: (

[PATCH bpf-next v4 16/20] bpf: Add a special case for bitwise AND on range [-1, 0]

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai With lsm return value check, the no-alu32 version test_libbpf_get_fd_by_id_opts is rejected by the verifier, and the log says: 0: R1=ctx() R10=fp0 ; int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode) @ test_libbpf_get_fd_by_id_opts.c:27 0: (b7) r0 = 0

[PATCH bpf-next v4 13/20] bpf, lsm: Add check for BPF LSM return value

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai A bpf prog returning a positive number attached to file_alloc_security hook makes kernel panic. This happens because file system can not filter out the positive number returned by the LSM prog using IS_ERR, and misinterprets this positive number as a file pointer. Given that

[PATCH bpf-next v4 14/20] bpf: Prevent tail call between progs attached to different hooks

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai bpf progs can be attached to kernel functions, and the attached functions can take different parameters or return different return values. If prog attached to one kernel function tail calls prog attached to another kernel function, the ctx access or return value verification

[PATCH bpf-next v4 15/20] bpf: Fix compare error in function retval_range_within

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai After checking lsm hook return range in verifier, the test case "test_progs -t test_lsm" failed, and the failure log says: libbpf: prog 'test_int_hook': BPF program load failed: Invalid argument libbpf: prog 'test_int_hook': -- BEGIN PROG LOAD LO

[PATCH bpf-next v4 12/20] bpf, lsm: Enable BPF LSM prog to read/write return value parameters

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai Output parameters are used to refactor the LSM hook return values. To make these hooks usable by bpf prog, it is necessary for bpf prog to read and write these output return value parameters. All return value parameters are added as the last parameter and are always pointers to

[PATCH bpf-next v4 09/20] lsm: Refactor return value of LSM hook key_getsecurity

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook key_getsecurity to 0 or a negative error code. Before: - Hook key_getsecurity returns length of value on success or a negative error code on failure. After: - Hook key_getsecurity returns 0 on success or a

[PATCH bpf-next v4 10/20] lsm: Refactor return value of LSM hook audit_rule_match

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook audit_rule_match to 0 or a negative error code. Before: - Hook audit_rule_match returns 1 if the rule matches, 0 if it does not, and negative error code otherwise. After: - Hook audit_rule_match returns 0 on

[PATCH bpf-next v4 06/20] lsm: Refactor return value of LSM hook getselfattr

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook getselfattr to 0 or a negative error code. Before: - Hook getselfattr returns number of attributes found on success or a negative error code on failure. After: - Hook getselfattr returns 0 on success or a

[PATCH bpf-next v4 07/20] lsm: Refactor return value of LSM hook setprocattr

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook setprocattr to 0 or a negative error code. Before: - Hook setprocattr returns the number of bytes written on success or a negative error code on failure. After: - Hook setprocattr returns 0 on success or a

[PATCH bpf-next v4 01/20] lsm: Refactor return value of LSM hook vm_enough_memory

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook vm_enough_memory to 0 or a negative error code. Before: - Hook vm_enough_memory returns 1 if permission is granted, 0 if not. - LSM_RET_DEFAULT(vm_enough_memory_mm) is 1. After: - Hook vm_enough_memory

[PATCH bpf-next v4 03/20] lsm: Refactor return value of LSM hook inode_getsecurity

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook inode_getsecurity to 0 or a negative error code. Before: - Hook inode_getsecurity returns size of buffer on success or a negative error code on failure. After: - Hook inode_getsecurity returns 0 on success

[PATCH bpf-next v4 04/20] lsm: Refactor return value of LSM hook inode_listsecurity

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook inode_listsecurity to 0 or a negative error code. Before: - Hook inode_listsecurity returns number of bytes used/required on success or a negative error code on failure. After: - Hook inode_listsecurity

[PATCH bpf-next v4 11/20] bpf, lsm: Add disabled BPF LSM hook list

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai Add a disabled hooks list for BPF LSM. progs being attached to the listed hooks will be rejected by the verifier. Suggested-by: KP Singh Signed-off-by: Xu Kuohai --- kernel/bpf/bpf_lsm.c | 19 +-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a

[PATCH bpf-next v4 00/20] Add return value range check for BPF LSM

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai LSM BPF prog returning a positive number attached to the hook file_alloc_security makes kernel panic. Here is a panic log: [ 441.235774] BUG: kernel NULL pointer dereference, address: 09 [ 441.236748] #PF: supervisor write access in kernel mode [ 441.237429] #PF

[PATCH bpf-next v4 08/20] lsm: Refactor return value of LSM hook getprocattr

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook getprocattr to 0 or a negative error code. Before: - Hook getprocattr returns length of value on success or a negative error code on failure. After: - Hook getprocattr returns 0 on success or a negative

[PATCH bpf-next v4 05/20] lsm: Refactor return value of LSM hook inode_copy_up_xattr

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook inode_copy_up_xattr to 0 or a negative error code. Before: - Hook inode_copy_up_xattr returns 0 when accepting xattr, 1 when discarding xattr, -EOPNOTSUPP if it does not know xattr, or any other negative

[PATCH bpf-next v4 02/20] lsm: Refactor return value of LSM hook inode_need_killpriv

2024-07-11 Thread Xu Kuohai
From: Xu Kuohai To be consistent with most LSM hooks, convert the return value of hook inode_need_killpriv to 0 or a negative error code. Before: - Both hook inode_need_killpriv and func security_inode_need_killpriv return > 0 if security_inode_killpriv is required, 0 if not, and <

Re: [PATCH bpf-next v2] arm64, bpf: Add 12-argument support for bpf trampoline

2024-07-08 Thread Xu Kuohai
On 7/8/2024 5:00 PM, Puranjay Mohan wrote: Xu Kuohai writes: On 7/5/2024 8:53 PM, Puranjay Mohan wrote: The arm64 bpf JIT currently supports attaching the trampoline to functions with <= 8 arguments. This is because up to 8 arguments can be passed in registers r0-r7. If there are more tha

Re: [PATCH bpf-next v2] arm64, bpf: Add 12-argument support for bpf trampoline

2024-07-06 Thread Xu Kuohai
On 7/5/2024 8:53 PM, Puranjay Mohan wrote: The arm64 bpf JIT currently supports attaching the trampoline to functions with <= 8 arguments. This is because up to 8 arguments can be passed in registers r0-r7. If there are more than 8 arguments then the 9th and later arguments are passed on the stac

Re: [PATCH bpf-next v3 01/11] bpf, lsm: Annotate lsm hook return value range

2024-06-10 Thread Xu Kuohai
On 6/10/2024 2:17 AM, Paul Moore wrote: On Sun, Jun 9, 2024 at 1:39 PM Casey Schaufler wrote: On 6/8/2024 6:54 AM, Alexei Starovoitov wrote: On Sat, Jun 8, 2024 at 1:04 AM Xu Kuohai wrote: On 6/7/2024 5:53 AM, Paul Moore wrote: On Thu, Apr 11, 2024 at 8:24 AM Xu Kuohai wrote: From: Xu

Re: [PATCH bpf-next v3 01/11] bpf, lsm: Annotate lsm hook return value range

2024-06-08 Thread Xu Kuohai
On 6/7/2024 5:53 AM, Paul Moore wrote: On Thu, Apr 11, 2024 at 8:24 AM Xu Kuohai wrote: From: Xu Kuohai Add macro LSM_RET_INT to annotate lsm hook return integer type and the default return value, and the expected return range. The LSM_RET_INT is declared as: LSM_RET_INT(defval, min, max

Re: [PATCH bpf-next v3 07/11] bpf: Fix a false rejection caused by AND operation

2024-04-29 Thread Xu Kuohai
On 4/30/2024 6:18 AM, Eduard Zingerman wrote: On Mon, 2024-04-29 at 13:58 -0700, Andrii Nakryiko wrote: [...] diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 8f0f2e21699e..b69c89bc5cfc 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -13478,6 +13478,28 @@ stat

Re: [PATCH bpf-next v3 07/11] bpf: Fix a false rejection caused by AND operation

2024-04-29 Thread Xu Kuohai
On 4/30/2024 4:58 AM, Andrii Nakryiko wrote: On Sun, Apr 28, 2024 at 8:15 AM Xu Kuohai wrote: On 4/27/2024 4:36 AM, Andrii Nakryiko wrote: On Tue, Apr 23, 2024 at 7:26 PM Xu Kuohai wrote: On 4/24/2024 5:55 AM, Yonghong Song wrote: On 4/20/24 1:33 AM, Xu Kuohai wrote: On 4/20/2024 7:00

Re: [PATCH bpf-next v3 07/11] bpf: Fix a false rejection caused by AND operation

2024-04-28 Thread Xu Kuohai
On 4/27/2024 4:36 AM, Andrii Nakryiko wrote: On Tue, Apr 23, 2024 at 7:26 PM Xu Kuohai wrote: On 4/24/2024 5:55 AM, Yonghong Song wrote: On 4/20/24 1:33 AM, Xu Kuohai wrote: On 4/20/2024 7:00 AM, Eduard Zingerman wrote: On Thu, 2024-04-11 at 20:27 +0800, Xu Kuohai wrote: From: Xu Kuohai

Re: [PATCH bpf-next v3 06/11] bpf: Fix compare error in function retval_range_within

2024-04-26 Thread Xu Kuohai
On 4/26/2024 7:41 AM, Andrii Nakryiko wrote: On Thu, Apr 11, 2024 at 5:24 AM Xu Kuohai wrote: From: Xu Kuohai After checking lsm hook return range in verifier, the test case "test_progs -t test_lsm" failed, and the failure log says: libbpf: prog 'test_int_hook': BPF

Re: [PATCH bpf-next v3 07/11] bpf: Fix a false rejection caused by AND operation

2024-04-26 Thread Xu Kuohai
On 4/26/2024 12:28 AM, Yonghong Song wrote: On 4/24/24 7:42 PM, Xu Kuohai wrote: On 4/25/2024 6:06 AM, Yonghong Song wrote: On 4/23/24 7:25 PM, Xu Kuohai wrote: On 4/24/2024 5:55 AM, Yonghong Song wrote: On 4/20/24 1:33 AM, Xu Kuohai wrote: On 4/20/2024 7:00 AM, Eduard Zingerman wrote

Re: [PATCH bpf-next v3 07/11] bpf: Fix a false rejection caused by AND operation

2024-04-24 Thread Xu Kuohai
On 4/25/2024 6:06 AM, Yonghong Song wrote: On 4/23/24 7:25 PM, Xu Kuohai wrote: On 4/24/2024 5:55 AM, Yonghong Song wrote: On 4/20/24 1:33 AM, Xu Kuohai wrote: On 4/20/2024 7:00 AM, Eduard Zingerman wrote: On Thu, 2024-04-11 at 20:27 +0800, Xu Kuohai wrote: From: Xu Kuohai With lsm

Re: [PATCH bpf-next v3 07/11] bpf: Fix a false rejection caused by AND operation

2024-04-23 Thread Xu Kuohai
On 4/24/2024 5:55 AM, Yonghong Song wrote: On 4/20/24 1:33 AM, Xu Kuohai wrote: On 4/20/2024 7:00 AM, Eduard Zingerman wrote: On Thu, 2024-04-11 at 20:27 +0800, Xu Kuohai wrote: From: Xu Kuohai With lsm return value check, the no-alu32 version test_libbpf_get_fd_by_id_opts is rejected by

Re: [PATCH bpf-next v3 07/11] bpf: Fix a false rejection caused by AND operation

2024-04-20 Thread Xu Kuohai
On 4/20/2024 7:00 AM, Eduard Zingerman wrote: On Thu, 2024-04-11 at 20:27 +0800, Xu Kuohai wrote: From: Xu Kuohai With lsm return value check, the no-alu32 version test_libbpf_get_fd_by_id_opts is rejected by the verifier, and the log says: 0: R1=ctx() R10=fp0 ; int BPF_PROG

[PATCH bpf-next v3 11/11] selftests/bpf: Add verifier tests for bpf lsm

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai Add verifier tests to check bpf lsm return values and disabled hooks. Signed-off-by: Xu Kuohai --- .../selftests/bpf/prog_tests/verifier.c | 3 +- .../selftests/bpf/progs/verifier_lsm.c| 155 ++ 2 files changed, 157 insertions(+), 1 deletion

[PATCH bpf-next v3 08/11] selftests/bpf: Avoid load failure for token_lsm.c

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai The compiler optimized the two bpf progs in token_lsm.c to make return value from the bool variable in the "return -1" path, causing an unexpected rejection: 0: R1=ctx() R10=fp0 ; int BPF_PROG(bpf_token_capable, struct bpf_token *token, int cap) @ bpf_lsm.c:17 0: (

[PATCH bpf-next v3 01/11] bpf, lsm: Annotate lsm hook return value range

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai Add macro LSM_RET_INT to annotate lsm hook return integer type and the default return value, and the expected return range. The LSM_RET_INT is declared as: LSM_RET_INT(defval, min, max) where - defval is the default return value - min and max indicate the expected return

[PATCH bpf-next v3 02/11] bpf, lsm: Add helper to read lsm hook return value range

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai Add helper to read lsm hook return value range. The following patch will use this information to verify lsm hook return values in bpf verifier. Signed-off-by: Xu Kuohai --- include/linux/bpf_lsm.h | 8 ++ kernel/bpf/bpf_lsm.c| 54

[PATCH bpf-next v3 09/11] selftests/bpf: Add return value checks for failed tests

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai The return ranges of some bpf lsm test progs can not be deduced by the verifier accurately. To avoid erroneous rejections, add explicit return value checks for these progs. Signed-off-by: Xu Kuohai --- tools/testing/selftests/bpf/progs/err.h| 10

[PATCH bpf-next v3 10/11] selftests/bpf: Add test for lsm tail call

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai Add test for lsm tail call to ensure tail call can only be used between bpf lsm progs attached to the same hook. Signed-off-by: Xu Kuohai --- .../selftests/bpf/prog_tests/test_lsm.c | 46 ++- .../selftests/bpf/progs/lsm_tailcall.c| 34

[PATCH bpf-next v3 03/11] bpf, lsm: Check bpf lsm hook return values in verifier

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai A bpf prog returning positive number attached to file_alloc_security hook will make kernel panic. The reason is that the positive number returned by bpf prog is not a valid errno, and could not be filtered out with IS_ERR which is used by the file system to check errors. As a

[PATCH bpf-next v3 07/11] bpf: Fix a false rejection caused by AND operation

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai With lsm return value check, the no-alu32 version test_libbpf_get_fd_by_id_opts is rejected by the verifier, and the log says: 0: R1=ctx() R10=fp0 ; int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode) @ test_libbpf_get_fd_by_id_opts.c:27 0: (b7) r0 = 0

[PATCH bpf-next v3 06/11] bpf: Fix compare error in function retval_range_within

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai After checking lsm hook return range in verifier, the test case "test_progs -t test_lsm" failed, and the failure log says: libbpf: prog 'test_int_hook': BPF program load failed: Invalid argument libbpf: prog 'test_int_hook': -- BEGIN PROG LOAD LO

[PATCH bpf-next v3 00/11] Add check for bpf lsm return value

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai A bpf prog returning positive number attached to file_alloc_security hook will make kernel panic. Here is a panic log: [ 441.235774] BUG: kernel NULL pointer dereference, address: 09 [ 441.236748] #PF: supervisor write access in kernel mode [ 441.237429] #PF

[PATCH bpf-next v3 05/11] bpf: Avoid progs for different hooks calling each other with tail call

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai LSM and tracing bpf programs are hooked to kernel functions which may have different types. That is, the hook functions may have different parameters, different return types, or different return ranges. progs attached to different hook types may receive different context

[PATCH bpf-next v3 04/11] bpf, lsm: Add bpf lsm disabled hook list

2024-04-11 Thread Xu Kuohai
From: Xu Kuohai Add a disabled hooks list for bpf lsm. progs being attached to the listed hooks will be rejected by the verifier. Suggested-by: KP Singh Signed-off-by: Xu Kuohai --- kernel/bpf/bpf_lsm.c | 20 ++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a