On 27-Mär 11:59, Kees Cook wrote: > On Fri, Mar 27, 2020 at 09:36:15AM -0700, Casey Schaufler wrote: > > On 3/27/2020 6:43 AM, Stephen Smalley wrote: > > > On 3/27/20 8:41 AM, KP Singh wrote: > > >> On 27-Mär 08:27, Stephen Smalley wrote: > > >>>>> + return -EPERM; [...] > > > > > > I would favor removing the CAP_MAC_ADMIN check here, and implementing it in a bpf_prog hook for Smack and AppArmor if they want that. SELinux would implement its own check in its existing bpf_prog hook. > > > > > The whole notion of one security module calling into another for permission > > to do something still gives me the heebee jeebees, but if more nimble minds > > than mine think this is a good idea I won't nack it. > > Well, it's a hook into BPF prog creation, not the BPF LSM specifically, > so that's why I think it's general enough control without it being > directly weird. :) > > As far as dropping CAP_MAC_ADMIN, yeah, that should be fine. Creating LSM > BPF programs already requires CAP_SYS_ADMIN, so for SELinux-less systems, > that's likely fine. If we need to change the BPF program creation access > control in the future we can revisit it then. Sounds good, I will send out v8 carrying James and Andri's Acks/Review tags, CAP_MAC_ADMIN check removed and some other minor fixes. - KP > > -- > Kees Cook
