On Tue, Feb 11, 2020 at 6:58 PM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > On Tue, Feb 11, 2020 at 01:43:34PM +0100, KP Singh wrote: [...] > > * When using the semantic provided by fexit, the BPF LSM program will > > always be executed and will be able to override / clobber the > > decision of LSMs which appear before it in the ordered list. This > > semantic is very different from what we currently have (i.e. the BPF > > LSM hook is only called if all the other LSMs allow the action) and > > seems to be bypassing the LSM framework. > > It that's a concern it's trivial to add 'if (RC == 0)' check to fexit > trampoline generator specific to lsm progs. [...] > Using fexit mechanism and bpf_sk_storage generalization is > all that is needed. None of it should touch security/*. If I understand your suggestion correctly, that seems like a terrible idea to me from the perspective of inspectability and debuggability. If at runtime, a function can branch off elsewhere to modify its decision, I want to see that in the source code. If someone e.g. changes the parameters or the locking rules around a security hook, how are they supposed to understand the implications if that happens through some magic fexit trampoline that is injected at runtime?
