[RFC 08/11] security: Hornet LSM
Alexei Starovoitov
alexei.starovoitov at gmail.com
Thu Dec 18 01:22:31 UTC 2025
On Wed, Dec 10, 2025 at 6:14 PM Blaise Boscaccy
<bboscaccy at linux.microsoft.com> wrote:
> +++ b/security/hornet/Kconfig
> @@ -0,0 +1,11 @@
> +# SPDX-License-Identifier: GPL-2.0-only
> +config SECURITY_HORNET
> + bool "Hornet support"
> + depends on SECURITY
> + default n
So you're disallowing this new LSM to be a module?
That doesn't smell good.
> +static int hornet_verify_hashes(struct hornet_maps *maps,
> + struct hornet_parse_context *ctx)
> +{
> + int map_fd;
> + u32 i;
> + struct bpf_map *map;
> + int err = 0;
> + unsigned char hash[SHA256_DIGEST_SIZE];
> +
> + for (i = 0; i < ctx->hash_count; i++) {
> + if (ctx->skips[i])
> + continue;
> +
> + err = copy_from_bpfptr_offset(&map_fd, maps->fd_array,
> + ctx->indexes[i] * sizeof(map_fd),
> + sizeof(map_fd));
As was pointed out several times earlier this is an obvious TOCTOU bug.
An attacker can change this map_fd between LSM checks and later verifier use.
All the "security" checks further are useless.
> + if (err < 0)
> + return LSM_INT_VERDICT_BADSIG;
> +
> + CLASS(fd, f)(map_fd);
> + if (fd_empty(f))
> + return LSM_INT_VERDICT_BADSIG;
> + if (unlikely(fd_file(f)->f_op != &bpf_map_fops))
Ohh. So this is why this LSM has to be built-in.
bpf_map_fops is bpf internal detail. It's not going to be exported.
You cannot open code __bpf_map_get() and get away with it.
> + return LSM_INT_VERDICT_BADSIG;
> +
> + if (!map->frozen)
> + return LSM_INT_VERDICT_BADSIG;
> +
> + map = fd_file(f)->private_data;
> + map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, hash);
This too. It's absolutely not ok for LSM to mess with bpf internal state.
The whole LSM is one awful hack.
The diff stat doesn't touch anything in the kernel/bpf/
yet you're messing with bpf internals.
Clearly, you guys want to merge this garbage through LSM tree.
Make sure to keep my Nack when you send it during the merge window.
More information about the Linux-security-module-archive
mailing list