On Tue, Aug 30, 2016 at 1:10 PM, Mickaël Salaün <mic@xxxxxxxxxxx> wrote: > > On 30/08/2016 20:56, Andy Lutomirski wrote: >> On Aug 25, 2016 12:34 PM, "Mickaël Salaün" <mic@xxxxxxxxxxx> wrote: >>> >>> Add LSM hooks which can be used by userland through Landlock (eBPF) >>> programs. This programs are limited to a whitelist of functions (cf. >>> next commit). The eBPF program context is depicted by the struct >>> landlock_data (cf. include/uapi/linux/bpf.h): >>> * hook: LSM hook ID (useful when using the same program for multiple LSM >>> hooks); >>> * cookie: the 16-bit value from the seccomp filter that triggered this >>> Landlock program; >>> * args[6]: array of LSM hook arguments. >>> >>> The LSM hook arguments can contain raw values as integers or >>> (unleakable) pointers. The only way to use the pointers are to pass them >>> to an eBPF function according to their types (e.g. the >>> bpf_landlock_cmp_fs_beneath_with_struct_file function can use a struct >>> file pointer). >>> >>> For now, there is three hooks for file system access control: >>> * file_open; >>> * file_permission; >>> * mmap_file. >>> >> >> What's the purpose of exposing struct cred * to userspace? It's >> primarily just an optimization to save a bit of RAM, and it's a >> dubious optimization at that. What are you using it for? Would it >> make more sense to use struct task_struct * or struct pid * instead? >> >> Also, exposing struct cred * has a really weird side-effect: it allows >> (maybe even encourages) checking for pointer equality between two >> struct cred * objects. Doing so will have erratic results. >> > > The pointers exposed in the ePBF context are not directly readable by an > unprivileged eBPF program thanks to the strong typing of the Landlock > context and the static eBPF verification. There is no way to leak a > kernel pointer to userspace from an unprivileged eBPF program: pointer > arithmetic and comparison are prohibited. Pointers can only be pass as > argument to dedicated eBPF functions. I'm not talking about leaking the value -- I'm talking about leaking the predicate (a == b) for two struct cred pointers. That predicate shouldn't be available because it has very odd effects. > > For now, struct cred * is simply not used by any eBPF function and then > not usable at all. It only exist here because I map the LSM hook > arguments in a generic/automatic way to the eBPF context. Maybe remove it from this patch set then? --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
