Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution

From: Kees Cook
Date: Tue Mar 24 2020 - 14:33:07 EST


On Tue, Mar 24, 2020 at 02:21:30PM -0400, Stephen Smalley wrote:
> On Tue, Mar 24, 2020 at 2:06 PM KP Singh <kpsingh@xxxxxxxxxxxx> wrote:
> >
> > On 24-Mär 11:01, Kees Cook wrote:
> > > Doesn't the existing int (*bpf_prog)(struct bpf_prog *prog); cover
> > > SELinux's need here? I.e. it can already examine that a hook is being
> > > created for the LSM (since it has a distinct type, etc)?
> >
> > I was about to say the same, specifically for the BPF use-case, we do
> > have the "bpf_prog" i.e. :
> >
> > "Do a check when the kernel generate and return a file descriptor for
> > eBPF programs."
> >
> > SELinux can implement its policy logic for BPF_PROG_TYPE_LSM by
> > providing a callback for this hook.
>
> Ok. In that case do we really need the capable() check here at all?

IMO, this is for systems without SELinux, where they're using the
capabilities as the basic policy for MAC management.

--
Kees Cook
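The two policy layers the thread is weighing, the LSM `bpf_prog` hook that fires when the kernel hands out a file descriptor for a new eBPF program (and can see `prog->type`) versus a `capable()` check on the BPF_PROG_TYPE_LSM attach path, are modelled below in userspace. This is an added illustration, not code from the patch series or the kernel: the struct layouts, the single `CAP_MAC_ADMIN_BIT` flag, the `policy_allows_lsm_progs` stand-in for an SELinux policy decision, and the `load_and_attach()` driver are all assumptions of this model. Only the hook signature `int (*bpf_prog)(struct bpf_prog *prog)`, the `BPF_PROG_TYPE_LSM` type and the `capable()` name come from the discussion above.

```c
/*
 * Userspace model (not kernel code) of the two policy layers discussed in
 * this thread: the LSM "bpf_prog" hook, which runs when the kernel creates a
 * file descriptor for a new eBPF program and can inspect prog->type, and a
 * capable() check on the BPF_PROG_TYPE_LSM attach path for systems where no
 * LSM such as SELinux provides that hook. Everything marked "assumed" is this
 * model's invention, not the kernel's.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum bpf_prog_type {
	BPF_PROG_TYPE_UNSPEC,
	BPF_PROG_TYPE_KPROBE,
	BPF_PROG_TYPE_LSM,
};

struct bpf_prog {
	enum bpf_prog_type type;	/* the distinct type the hook can examine */
};

/* Assumed: a single capability bit is enough to model the attach check. */
enum model_cap { CAP_MAC_ADMIN_BIT = 1u << 0 };

/* Model of "current": the calling task's effective capability set. */
static unsigned int current_cap_effective;

static bool capable(unsigned int cap)
{
	return (current_cap_effective & cap) != 0;
}

/* Hook table mirroring int (*bpf_prog)(struct bpf_prog *prog) from the thread. */
struct security_hook_list {
	int (*bpf_prog)(struct bpf_prog *prog);
};

/* The loaded LSM's hooks, or NULL when no LSM provides bpf_prog. */
static const struct security_hook_list *active_hooks;

/* Model of the prog-creation path: the LSM hook runs before an fd is returned. */
static int security_bpf_prog(struct bpf_prog *prog)
{
	if (active_hooks && active_hooks->bpf_prog)
		return active_hooks->bpf_prog(prog);
	return 0;	/* no LSM: nothing to consult here */
}

/* Model of the BPF_PROG_TYPE_LSM attach path carrying the capable() check. */
static int bpf_lsm_attach(struct bpf_prog *prog)
{
	if (prog->type != BPF_PROG_TYPE_LSM)
		return -EINVAL;
	if (!capable(CAP_MAC_ADMIN_BIT))
		return -EPERM;
	return 0;
}

/* Assumed SELinux-style policy: may the current domain create LSM programs? */
static bool policy_allows_lsm_progs;

static int selinux_bpf_prog(struct bpf_prog *prog)
{
	/* The hook sees the program type, so policy can single out LSM progs. */
	if (prog->type == BPF_PROG_TYPE_LSM && !policy_allows_lsm_progs)
		return -EACCES;
	return 0;
}

static const struct security_hook_list selinux_hooks = {
	.bpf_prog = selinux_bpf_prog,
};

/*
 * Drive both stages for one program and return the first error (0 = allowed).
 * hooks may be NULL to model a system whose only MAC policy is capabilities.
 */
int load_and_attach(enum bpf_prog_type type, unsigned int caps,
		    const struct security_hook_list *hooks, bool policy_allow)
{
	struct bpf_prog prog = { .type = type };
	int err;

	current_cap_effective = caps;
	active_hooks = hooks;
	policy_allows_lsm_progs = policy_allow;

	err = security_bpf_prog(&prog);	/* decided at fd creation */
	if (err)
		return err;
	return bpf_lsm_attach(&prog);	/* decided at attach */
}

int main(void)
{
	printf("no LSM, unprivileged task:      %d\n",
	       load_and_attach(BPF_PROG_TYPE_LSM, 0, NULL, true));
	printf("no LSM, CAP_MAC_ADMIN:          %d\n",
	       load_and_attach(BPF_PROG_TYPE_LSM, CAP_MAC_ADMIN_BIT, NULL, true));
	printf("SELinux denies, CAP_MAC_ADMIN:  %d\n",
	       load_and_attach(BPF_PROG_TYPE_LSM, CAP_MAC_ADMIN_BIT, &selinux_hooks, false));
	return 0;
}
```

The third case is the point Stephen Smalley raises: once an LSM implements `bpf_prog`, a BPF_PROG_TYPE_LSM program can be refused at fd creation regardless of the caller's capabilities, so the `capable()` check on the attach path is only doing work in the first two cases, where no LSM hook is present.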