|
Message-ID: <c5c6b433-7e6a-c8f8-f063-e704c3df4cc6@schaufler-ca.com> Date: Tue, 5 Nov 2019 09:55:42 -0800 From: Casey Schaufler <casey@...aufler-ca.com> To: Alexei Starovoitov <alexei.starovoitov@...il.com>, Mickaël Salaün <mic@...ikod.net> Cc: linux-kernel@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>, Andy Lutomirski <luto@...capital.net>, Daniel Borkmann <daniel@...earbox.net>, David Drysdale <drysdale@...gle.com>, Florent Revest <revest@...omium.org>, James Morris <jmorris@...ei.org>, Jann Horn <jann@...jh.net>, John Johansen <john.johansen@...onical.com>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, KP Singh <kpsingh@...omium.org>, Michael Kerrisk <mtk.manpages@...il.com>, Mickaël Salaün <mickael.salaun@....gouv.fr>, Paul Moore <paul@...l-moore.com>, Sargun Dhillon <sargun@...gun.me>, "Serge E . Hallyn" <serge@...lyn.com>, Shuah Khan <shuah@...nel.org>, Stephen Smalley <sds@...ho.nsa.gov>, Tejun Heo <tj@...nel.org>, Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>, Tycho Andersen <tycho@...ho.ws>, Will Drewry <wad@...omium.org>, bpf@...r.kernel.org, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-security-module@...r.kernel.org, netdev@...r.kernel.org, casey@...aufler-ca.com Subject: Re: [PATCH bpf-next v13 4/7] landlock: Add ptrace LSM hooks On 11/5/2019 9:18 AM, Alexei Starovoitov wrote: > On Mon, Nov 04, 2019 at 06:21:43PM +0100, Mickaël Salaün wrote: >> Add a first Landlock hook that can be used to enforce a security policy >> or to audit some process activities. For a sandboxing use-case, it is >> needed to inform the kernel if a task can legitimately debug another. >> ptrace(2) can also be used by an attacker to impersonate another task >> and remain undetected while performing malicious activities. >> >> Using ptrace(2) and related features on a target process can lead to a >> privilege escalation. A sandboxed task must then be able to tell the >> kernel if another task is more privileged, via ptrace_may_access(). >> >> Signed-off-by: Mickaël Salaün <mic@...ikod.net> > ... >> +static int check_ptrace(struct landlock_domain *domain, >> + struct task_struct *tracer, struct task_struct *tracee) >> +{ >> + struct landlock_hook_ctx_ptrace ctx_ptrace = { >> + .prog_ctx = { >> + .tracer = (uintptr_t)tracer, >> + .tracee = (uintptr_t)tracee, >> + }, >> + }; > So you're passing two kernel pointers obfuscated as u64 into bpf program > yet claiming that the end goal is to make landlock unprivileged?! > The most basic security hole in the tool that is aiming to provide security. > > I think the only way bpf-based LSM can land is both landlock and KRSI > developers work together on a design that solves all use cases. BPF is capable > to be a superset of all existing LSMs I can't agree with this. Nope. There are many security models for which BPF introduces excessive complexity. You don't need or want the generality of a general purpose programming language to implement Smack or TOMOYO. Or a simple Bell & LaPadula for that matter. SELinux? I can't imagine anyone trying to do that in eBPF, although I'm willing to be surprised. Being able to enforce a policy isn't the only criteria for an LSM. It's got to perform well and integrate with the rest of the system. I see many issues with a BPF <-> vfs interface. > whereas landlock and KRSI propsals today > are custom solutions to specific security concerns. Yes. As they should be. No one has every solved the entire security problem, and no one ever will. The only hope we have to address security issues is to have the flexibility to add the mechanisms needed for the concerns of the day. Ideally, we should be able to drop mechanisms when we decide that they no longer add value. > BPF subsystem was extended > with custom things in the past. In networking we have lwt, skb, tc, xdp, sk > program types with a lot of overlapping functionality. We couldn't figure out > how to generalize them into single 'networking' program. Now we can and we > should. Accepting two partially overlapping bpf-based LSMs would be repeating > the same mistake again. I don't get your analogy at all. You have a variety of programs because you have a variety of protocols and administrative interfaces. Of course you don't have a single 'networking" program. Security has a variety of issues and policies. A single 'security' program makes no sense whatever.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.