On Tue, Mar 24, 2020 at 03:51:55PM +0100, KP Singh wrote: > On 24-Mär 10:51, Stephen Smalley wrote: > > On Tue, Mar 24, 2020 at 10:42 AM KP Singh <kpsingh@xxxxxxxxxxxx> wrote: > > > > > > On 24-Mär 10:37, Stephen Smalley wrote: > > > > On Mon, Mar 23, 2020 at 9:52 PM KP Singh <kpsingh@xxxxxxxxxxxx> wrote: > > > > > > > > > > On 23-Mär 18:13, Casey Schaufler wrote: > > > > > > Have you given up on the "BPF must be last" requirement? > > > > > > > > > > Yes, we dropped it for as the BPF programs require CAP_SYS_ADMIN > > > > > anwyays so the position ~shouldn't~ matter. (based on some of the > > > > > discussions we had on the BPF_MODIFY_RETURN patches). > > > > > > > > > > However, This can be added later (in a separate patch) if really > > > > > deemed necessary. > > > > > > > > It matters for SELinux, as I previously explained. A process that has > > > > CAP_SYS_ADMIN is not assumed to be able to circumvent MAC policy. > > > > And executing prior to SELinux allows the bpf program to access and > > > > potentially leak to userspace information that wouldn't be visible to > > > > the > > > > process itself. However, I thought you were handling the order issue > > > > by putting it last in the list of lsms? > > > > > > We can still do that if it does not work for SELinux. > > > > > > Would it be okay to add bpf as LSM_ORDER_LAST? > > > > > > LSMs like Landlock can then add LSM_ORDER_UNPRIVILEGED to even end up > > > after bpf? > > > > I guess the question is whether we need an explicit LSM_ORDER_LAST or > > can just handle it via the default > > values for the lsm= parameter, where you are already placing bpf last > > IIUC? If someone can mess with the kernel boot > > parameters, they already have options to mess with SELinux, so it is no worse... > > Yeah, we do add BPF as the last LSM in the default list. So, I will > avoid adding LSM_ORDER_LAST for now. FWIW, this is my preference as well. If there ends up being a stronger need, then we can implement LSM_ORDER_LAST at that time. -- Kees Cook