[PATCH] Do not require attributes for security_inode_init_security.

Dr. Greg greg at enjellic.com
Sat Mar 30 20:14:25 UTC 2024


On Thu, Mar 28, 2024 at 09:34:39AM -0700, Casey Schaufler wrote:

Good afternoon, I hope the weekend is going well for everyone.

> On 3/28/2024 8:38 AM, Dr. Greg wrote:
> > ...
> >> In Linux v6.8[1] only Smack and SELinux provide implementations for
> >> the security_inode_init_security() hook, and both also increment the
> >> associated lsm_blob_sizes::lbs_xattr_count field.  While the
> >> behavior of the hook may have changed, I see no indications of any
> >> harm with respect to the standard upstream Linux kernel.  We
> >> obviously want to ensure that we work to fix harmful behavior, but I
> >> simply don't see that here; convince me there is a problem, send me
> >> a patch as we've discussed, and I'll merge it.
> > BPF provides an implementation and would be affected.

> BPF has chosen to implement its LSM hooks their own way. As it is
> impossible for the infrastructure developers to predict what the
> behavior of those hooks may be, it is unreasonable to constrain them
> based on hypothetical or rumored use cases.

We were asked to identify a case where upstream could be possibly
broken by the change in behavior, we did that.

It is now perfectly clear that the LSM maintainers don't consider the
possibility of breaking upstream BPF to be an issue of concern, no
doubt an important clarification for everyone moving forward.

> The implementation of BPF precludes its use of LSM blobs that are
> infrastructure managed. That ought to be obvious. BPF could include
> a non-zero lbs_xattr_count just in case, and your problem would be
> solved, but at a cost.

FWIW, it would not seem unreasonable to assume that an LSM, BPF
included, may want to be notified of the instantiation of the
security state of an inode, regardless of whether or not the LSM is
using extended attributes.

> > Bear poking trimmed ...
> >
> > [1] In Linux v6.9-rc1 this grows to include EVM, but EVM also provides
> > both a hook implementation and a lbs_xattr_count bump.
> > BPF initialization, as of 6.8 does not include an xattr request.

> Just so. If BPF wants to use the aforementioned interface, it needs to
> include an xattr request. Just like any other LSM.

Requirement so noted.

Have a good week.

As always,
Dr. Greg

   The Quixote Project - Flailing at the Travails of Cybersecurity
		  https://github.com/Quixote-Project