[PATCH bpf-next v7 4/8] bpf: lsm: Implement attach, detach and execution
Stephen Smalley
sds at tycho.nsa.gov
Fri Mar 27 12:27:25 UTC 2020
On 3/26/20 8:24 PM, James Morris wrote:
> On Thu, 26 Mar 2020, KP Singh wrote:
>
>> +int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,
>> + const struct bpf_prog *prog)
>> +{
>> + /* Only CAP_MAC_ADMIN users are allowed to make changes to LSM hooks
>> + */
>> + if (!capable(CAP_MAC_ADMIN))
>> + return -EPERM;
>> +
>
> Stephen, can you confirm that your concerns around this are resolved
> (IIRC, by SELinux implementing a bpf_prog callback) ?
I guess the only residual concern I have is that CAP_MAC_ADMIN means
something different to SELinux (ability to get/set file security
contexts unknown to the currently loaded policy), so leaving the
CAP_MAC_ADMIN check here (versus calling a new security hook here and
checking CAP_MAC_ADMIN in the implementation of that hook for the
modules that want that) conflates two very different things. Prior to
this patch, there are no users of CAP_MAC_ADMIN outside of individual
security modules; it is only checked in module-specific logic within
apparmor, safesetid, selinux, and smack, so the meaning was module-specific.
More information about the Linux-security-module-archive
mailing list