[PATCH bpf-next v13 4/7] landlock: Add ptrace LSM hooks
Alexei Starovoitov
alexei.starovoitov at gmail.com
Tue Nov 5 19:31:32 UTC 2019
On Tue, Nov 05, 2019 at 09:55:42AM -0800, Casey Schaufler wrote:
> On 11/5/2019 9:18 AM, Alexei Starovoitov wrote:
> > On Mon, Nov 04, 2019 at 06:21:43PM +0100, Mickaël Salaün wrote:
> >> Add a first Landlock hook that can be used to enforce a security policy
> >> or to audit some process activities. For a sandboxing use-case, it is
> >> needed to inform the kernel if a task can legitimately debug another.
> >> ptrace(2) can also be used by an attacker to impersonate another task
> >> and remain undetected while performing malicious activities.
> >>
> >> Using ptrace(2) and related features on a target process can lead to a
> >> privilege escalation. A sandboxed task must then be able to tell the
> >> kernel if another task is more privileged, via ptrace_may_access().
> >>
> >> Signed-off-by: Mickaël Salaün <mic at digikod.net>
> > ...
> >> +static int check_ptrace(struct landlock_domain *domain,
> >> + struct task_struct *tracer, struct task_struct *tracee)
> >> +{
> >> + struct landlock_hook_ctx_ptrace ctx_ptrace = {
> >> + .prog_ctx = {
> >> + .tracer = (uintptr_t)tracer,
> >> + .tracee = (uintptr_t)tracee,
> >> + },
> >> + };
> > So you're passing two kernel pointers obfuscated as u64 into bpf program
> > yet claiming that the end goal is to make landlock unprivileged?!
> > The most basic security hole in the tool that is aiming to provide security.
> >
> > I think the only way bpf-based LSM can land is both landlock and KRSI
> > developers work together on a design that solves all use cases. BPF is capable
> > to be a superset of all existing LSMs
>
> I can't agree with this. Nope. There are many security models
> for which BPF introduces excessive complexity. You don't need
> or want the generality of a general purpose programming language
> to implement Smack or TOMOYO. Or a simple Bell & LaPadula for
> that matter. SELinux? I can't imagine anyone trying to do that
> in eBPF, although I'm willing to be surprised. Being able to
> enforce a policy isn't the only criteria for an LSM.
what are the other criteria?
> It's got
> to perform well and integrate with the rest of the system.
what do you mean by that?
> I see many issues with a BPF <-> vfs interface.
There is no such interface today. What do you have in mind?
> the mechanisms needed for the concerns of the day. Ideally,
> we should be able to drop mechanisms when we decide that they
> no longer add value.
Exactly. bpf-based lsm must not add to kernel abi.
More information about the Linux-security-module-archive
mailing list