Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jJ-Heb0nnLygYo0xHaJKSrQM5RSVRNYN2NnYddwGHtWkA@mail.gmail.com>
Date: Mon, 3 Oct 2016 16:43:26 -0700
From: Kees Cook <keescook@...omium.org>
To: Mickaël Salaün <mic@...ikod.net>
Cc: LKML <linux-kernel@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, 
	Andy Lutomirski <luto@...capital.net>, Arnd Bergmann <arnd@...db.de>, 
	Casey Schaufler <casey@...aufler-ca.com>, Daniel Borkmann <daniel@...earbox.net>, 
	Daniel Mack <daniel@...que.org>, David Drysdale <drysdale@...gle.com>, 
	"David S . Miller" <davem@...emloft.net>, Elena Reshetova <elena.reshetova@...el.com>, 
	"Eric W . Biederman" <ebiederm@...ssion.com>, James Morris <james.l.morris@...cle.com>, 
	Paul Moore <pmoore@...hat.com>, Sargun Dhillon <sargun@...gun.me>, 
	"Serge E . Hallyn" <serge@...lyn.com>, Tejun Heo <tj@...nel.org>, Will Drewry <wad@...omium.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Linux API <linux-api@...r.kernel.org>, 
	linux-security-module <linux-security-module@...r.kernel.org>, 
	Network Development <netdev@...r.kernel.org>, Cgroups <cgroups@...r.kernel.org>
Subject: Re: [RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup

On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün <mic@...ikod.net> wrote:
> This allows to add new eBPF programs to Landlock hooks dedicated to a
> cgroup thanks to the BPF_PROG_ATTACH command. Like for socket eBPF
> programs, the Landlock hooks attached to a cgroup are propagated to the
> nested cgroups. However, when a new Landlock program is attached to one
> of this nested cgroup, this cgroup hierarchy fork the Landlock hooks.
> This design is simple and match the current CONFIG_BPF_CGROUP
> inheritance. The difference lie in the fact that Landlock programs can
> only be stacked but not removed. This match the append-only seccomp
> behavior. Userland is free to handle Landlock hooks attached to a cgroup
> in more complicated ways (e.g. continuous inheritance), but care should
> be taken to properly handle error cases (e.g. memory allocation errors).
>
> Changes since v2:
> * new design based on BPF_PROG_ATTACH (suggested by Alexei Starovoitov)
>
> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> Cc: Alexei Starovoitov <ast@...nel.org>
> Cc: Andy Lutomirski <luto@...capital.net>
> Cc: Daniel Borkmann <daniel@...earbox.net>
> Cc: Daniel Mack <daniel@...que.org>
> Cc: David S. Miller <davem@...emloft.net>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Tejun Heo <tj@...nel.org>
> Link: https://lkml.kernel.org/r/20160826021432.GA8291@ast-mbp.thefacebook.com
> Link: https://lkml.kernel.org/r/20160827204307.GA43714@ast-mbp.thefacebook.com
> ---
>  include/linux/bpf-cgroup.h  |  7 +++++++
>  include/linux/cgroup-defs.h |  2 ++
>  include/linux/landlock.h    |  9 +++++++++
>  include/uapi/linux/bpf.h    |  1 +
>  kernel/bpf/cgroup.c         | 33 ++++++++++++++++++++++++++++++---
>  kernel/bpf/syscall.c        | 11 +++++++++++
>  security/landlock/lsm.c     | 40 +++++++++++++++++++++++++++++++++++++++-
>  security/landlock/manager.c | 32 ++++++++++++++++++++++++++++++++
>  8 files changed, 131 insertions(+), 4 deletions(-)
>
> [...]
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 7b75fa692617..1c18fe46958a 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -15,6 +15,7 @@
>  #include <linux/bpf.h>
>  #include <linux/bpf-cgroup.h>
>  #include <net/sock.h>
> +#include <linux/landlock.h>
>
>  DEFINE_STATIC_KEY_FALSE(cgroup_bpf_enabled_key);
>  EXPORT_SYMBOL(cgroup_bpf_enabled_key);
> @@ -31,7 +32,15 @@ void cgroup_bpf_put(struct cgroup *cgrp)
>                 union bpf_object pinned = cgrp->bpf.pinned[type];
>
>                 if (pinned.prog) {
> -                       bpf_prog_put(pinned.prog);
> +                       switch (type) {
> +                       case BPF_CGROUP_LANDLOCK:
> +#ifdef CONFIG_SECURITY_LANDLOCK
> +                               put_landlock_hooks(pinned.hooks);
> +                               break;
> +#endif /* CONFIG_SECURITY_LANDLOCK */
> +                       default:
> +                               bpf_prog_put(pinned.prog);
> +                       }
>                         static_branch_dec(&cgroup_bpf_enabled_key);
>                 }
>         }

I get creeped out by type-controlled unions of pointers. :P I don't
have a suggestion to improve this, but I don't like seeing a pointer
type managed separately from the pointer itself as it tends to bypass
a lot of both static and dynamic checking. A union is better than a
cast of void *, but it still worries me. :)

-Kees

-- 
Kees Cook
Nexus Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.