* Re: [PATCH v4 3/5] mm, security: Add lsm hook for memory policy adjustment [not found] ` <20231208090622.4309-4-laoar.shao@gmail.com> @ 2023-12-08 17:30 ` Casey Schaufler 2023-12-10 2:54 ` Yafang Shao 0 siblings, 1 reply; 4+ messages in thread From: Casey Schaufler @ 2023-12-08 17:30 UTC (permalink / raw) To: Yafang Shao, akpm, paul, jmorris, serge, omosnace, mhocko, ying.huang Cc: linux-mm, linux-security-module, bpf, ligang.bdlg, Casey Schaufler On 12/8/2023 1:06 AM, Yafang Shao wrote: > In a containerized environment, independent memory binding by a user can > lead to unexpected system issues or disrupt tasks being run by other users > on the same server. If a user genuinely requires memory binding, we will > allocate dedicated servers to them by leveraging kubelet deployment. > > At present, users have the capability to bind their memory to a specific > node without explicit agreement or authorization from us. Consequently, a > new LSM hook is introduced to mitigate this. This implementation allows us > to exercise fine-grained control over memory policy adjustments within our > container environment I wonder if security_vm_enough_memory() ought to be reimplemented as an option to security_set_mempolicy(). I'm not convinced either way, but I can argue both. > Signed-off-by: Yafang Shao <laoar.shao@gmail.com> > --- > include/linux/lsm_hook_defs.h | 3 +++ > include/linux/security.h | 9 +++++++++ > mm/mempolicy.c | 8 ++++++++ > security/security.c | 13 +++++++++++++ > 4 files changed, 33 insertions(+) > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index ff217a5..5580127 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -419,3 +419,6 @@ > LSM_HOOK(int, 0, uring_sqpoll, void) > LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) > #endif /* CONFIG_IO_URING */ > + > +LSM_HOOK(int, 0, set_mempolicy, unsigned long mode, unsigned short mode_flags, > + nodemask_t *nmask, unsigned int flags) 
> diff --git a/include/linux/security.h b/include/linux/security.h > index 1d1df326..cc4a19a 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -484,6 +484,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, > int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); > int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); > int security_locked_down(enum lockdown_reason what); > +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags, > + nodemask_t *nmask, unsigned int flags); > #else /* CONFIG_SECURITY */ > > static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) > @@ -1395,6 +1397,13 @@ static inline int security_locked_down(enum lockdown_reason what) > { > return 0; > } > + > +static inline int > +security_set_mempolicy(unsigned long mode, unsigned short mode_flags, > + nodemask_t *nmask, unsigned int flags) > +{ > + return 0; > +} > #endif /* CONFIG_SECURITY */ > > #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) > diff --git a/mm/mempolicy.c b/mm/mempolicy.c > index 10a590e..9535d9e 100644 > --- a/mm/mempolicy.c > +++ b/mm/mempolicy.c > @@ -1483,6 +1483,10 @@ static long kernel_mbind(unsigned long start, unsigned long len, > if (err) > return err; > > + err = security_set_mempolicy(lmode, mode_flags, &nodes, flags); > + if (err) > + return err; > + > return do_mbind(start, len, lmode, mode_flags, &nodes, flags); > } > > @@ -1577,6 +1581,10 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask, > if (err) > return err; > > + err = security_set_mempolicy(lmode, mode_flags, &nodes, 0); > + if (err) > + return err; > + > return do_set_mempolicy(lmode, mode_flags, &nodes); > } > > diff --git a/security/security.c b/security/security.c > index dcb3e70..685ad79 100644 > --- a/security/security.c > +++ b/security/security.c 
> @@ -5337,3 +5337,16 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd) > return call_int_hook(uring_cmd, 0, ioucmd); > } > #endif /* CONFIG_IO_URING */ > + > +/** > + * security_set_mempolicy() - Check if memory policy can be adjusted > + * @mode: The memory policy mode to be set > + * @mode_flags: optional mode flags > + * @nmask: modemask to which the mode applies > + * @flags: mode flags for mbind(2) only > + */ > +int security_set_mempolicy(unsigned long mode, unsigned short mode_flags, > + nodemask_t *nmask, unsigned int flags) > +{ > + return call_int_hook(set_mempolicy, 0, mode, mode_flags, nmask, flags); > +} ^ permalink raw reply [flat|nested] 4+ messages in thread
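Review bot: In the include/linux/lsm_hook_defs.h hunk (and the matching prototypes in security.h and security.c) the hook takes a writable `nodemask_t *nmask`, yet kernel_mbind() and kernel_set_mempolicy() pass the same `&nodes` to the hook and then on to do_mbind() / do_set_mempolicy(). A permission hook should not be able to alter the mask that is applied afterwards; declaring the parameter as `const nodemask_t *nmask` makes the check read-only by construction.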
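Review bot: In the kernel_set_mempolicy() hunk of mm/mempolicy.c the hook is called with a literal 0 for flags, which an LSM cannot tell apart from an mbind(2) call made with flags == 0, because kernel_mbind() passes its own flags through the same argument. If a policy needs to treat the task-wide set_mempolicy(2) differently from the per-range mbind(2), add an explicit indicator or a separate hook, and spell the convention out in the kernel-doc for @flags. The commit message speaks of "memory policy adjustments" in general, while the diff hooks only these two functions, so it is also worth stating which entry points are deliberately left uncovered.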
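Review bot: In the security/security.c hunk the kernel-doc for security_set_mempolicy() has no "Return:" line, so the contract (0 to allow, negative errno to deny) is undocumented for LSM authors. Please add one, and fix the typo in "@nmask: modemask to which the mode applies", which should read "nodemask".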
* Re: [PATCH v4 3/5] mm, security: Add lsm hook for memory policy adjustment
  2023-12-08 17:30 ` [PATCH v4 3/5] mm, security: Add lsm hook for memory policy adjustment Casey Schaufler
@ 2023-12-10 2:54 ` Yafang Shao
From: Yafang Shao @ 2023-12-10 2:54 UTC
To: Casey Schaufler
Cc: akpm, paul, jmorris, serge, omosnace, mhocko, ying.huang, linux-mm, linux-security-module, bpf, ligang.bdlg

On Sat, Dec 9, 2023 at 1:30 AM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> On 12/8/2023 1:06 AM, Yafang Shao wrote:
> > In a containerized environment, independent memory binding by a user can
> > lead to unexpected system issues or disrupt tasks being run by other users
> > on the same server. If a user genuinely requires memory binding, we will
> > allocate dedicated servers to them by leveraging kubelet deployment.
> >
> > At present, users have the capability to bind their memory to a specific
> > node without explicit agreement or authorization from us. Consequently, a
> > new LSM hook is introduced to mitigate this. This implementation allows us
> > to exercise fine-grained control over memory policy adjustments within our
> > container environment
>
> I wonder if security_vm_enough_memory() ought to be reimplemented as
> an option to security_set_mempolicy(). I'm not convinced either way,
> but I can argue both.

The function security_vm_enough_memory() serves to verify the
permissibility of a new memory map, while security_set_mempolicy()
comes into play post-memory map allocation. Expanding
security_vm_enough_memory() to include memory policy checks might
potentially lead to regressions. Therefore, I would prefer to
introduce a new function, security_set_mempolicy(), to handle these
checks separately.

--
Regards
Yafang
* Re: [PATCH v4 5/5] selftests/bpf: Add selftests for set_mempolicy with a lsm prog [not found] ` <20231208090622.4309-6-laoar.shao@gmail.com> @ 2023-12-12 19:22 ` KP Singh 2023-12-13 3:08 ` Yafang Shao 0 siblings, 1 reply; 4+ messages in thread From: KP Singh @ 2023-12-12 19:22 UTC (permalink / raw) To: Yafang Shao Cc: akpm, paul, jmorris, serge, omosnace, mhocko, ying.huang, linux-mm, linux-security-module, bpf, ligang.bdlg On Fri, Dec 8, 2023 at 10:06 AM Yafang Shao <laoar.shao@gmail.com> wrote: > > The result as follows, > #263/1 set_mempolicy/MPOL_BIND_without_lsm:OK > #263/2 set_mempolicy/MPOL_DEFAULT_without_lsm:OK > #263/3 set_mempolicy/MPOL_BIND_with_lsm:OK > #263/4 set_mempolicy/MPOL_DEFAULT_with_lsm:OK > #263 set_mempolicy:OK > Summary: 1/4 PASSED, 0 SKIPPED, 0 FAILED Please write a commit description on what the test actually does. I even think of something simple that mentions a BPF LSM program that denies all mbind with the mode MPOL_BIND and checks whether the corresponding syscall is denied when the program is loaded. > > Signed-off-by: Yafang Shao <laoar.shao@gmail.com> > --- > .../selftests/bpf/prog_tests/set_mempolicy.c | 81 ++++++++++++++++++++++ > .../selftests/bpf/progs/test_set_mempolicy.c | 28 ++++++++ > 2 files changed, 109 insertions(+) > create mode 100644 tools/testing/selftests/bpf/prog_tests/set_mempolicy.c > create mode 100644 tools/testing/selftests/bpf/progs/test_set_mempolicy.c > > diff --git a/tools/testing/selftests/bpf/prog_tests/set_mempolicy.c b/tools/testing/selftests/bpf/prog_tests/set_mempolicy.c > new file mode 100644 > index 0000000..736b5e3 > --- /dev/null > +++ b/tools/testing/selftests/bpf/prog_tests/set_mempolicy.c 
> @@ -0,0 +1,81 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* Copyright (C) 2023 Yafang Shao <laoar.shao@gmail.com> */ > + > +#include <unistd.h> > +#include <sys/types.h> > +#include <sys/mman.h> > +#include <linux/mempolicy.h> > +#include <test_progs.h> > +#include "test_set_mempolicy.skel.h" > + > +#define SIZE 4096 > + > +static void mempolicy_bind(bool success) > +{ > + unsigned long mask = 1; > + char *addr; > + int err; > + > + addr = mmap(NULL, SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); > + if (!ASSERT_OK_PTR(addr, "mmap")) > + return; > + > + /* -lnuma is required by mbind(2), so use __NR_mbind to avoid the dependency. */ > + err = syscall(__NR_mbind, addr, SIZE, MPOL_BIND, &mask, sizeof(mask), 0); > + if (success) > + ASSERT_OK(err, "mbind_success"); > + else > + ASSERT_ERR(err, "mbind_fail"); > + > + munmap(addr, SIZE); > +} > + > +static void mempolicy_default(void) > +{ > + char *addr; > + int err; > + > + addr = mmap(NULL, SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); > + if (!ASSERT_OK_PTR(addr, "mmap")) > + return; > + > + err = syscall(__NR_mbind, addr, SIZE, MPOL_DEFAULT, NULL, 0, 0); > + ASSERT_OK(err, "mbind_success"); > + > + munmap(addr, SIZE); > +} > + > +void test_set_mempolicy(void) > +{ > + struct test_set_mempolicy *skel; > + int err; > + > + skel = test_set_mempolicy__open(); > + if (!ASSERT_OK_PTR(skel, "open")) > + return; > + > + skel->bss->target_pid = getpid(); > + > + err = test_set_mempolicy__load(skel); > + if (!ASSERT_OK(err, "load")) > + goto destroy; > + > + if (test__start_subtest("MPOL_BIND_without_lsm")) > + mempolicy_bind(true); > + if (test__start_subtest("MPOL_DEFAULT_without_lsm")) > + mempolicy_default(); > + > + /* Attach LSM prog first */ > + err = test_set_mempolicy__attach(skel); > + if (!ASSERT_OK(err, "attach")) > + goto destroy; > + > + /* syscall to adjust memory policy */ > + if (test__start_subtest("MPOL_BIND_with_lsm")) > + mempolicy_bind(false); > + if 
(test__start_subtest("MPOL_DEFAULT_with_lsm")) > + mempolicy_default(); > + > +destroy: > + test_set_mempolicy__destroy(skel); > +} > diff --git a/tools/testing/selftests/bpf/progs/test_set_mempolicy.c b/tools/testing/selftests/bpf/progs/test_set_mempolicy.c > new file mode 100644 > index 0000000..b5356d5 > --- /dev/null > +++ b/tools/testing/selftests/bpf/progs/test_set_mempolicy.c > @@ -0,0 +1,28 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* Copyright (C) 2023 Yafang Shao <laoar.shao@gmail.com> */ > + > +#include "vmlinux.h" > +#include <bpf/bpf_helpers.h> > +#include <bpf/bpf_tracing.h> > + > +int target_pid; > + > +static int mem_policy_adjustment(u64 mode) > +{ > + struct task_struct *task = bpf_get_current_task_btf(); > + > + if (task->pid != target_pid) > + return 0; > + > + if (mode != MPOL_BIND) > + return 0; > + return -1; > +} > + > +SEC("lsm/set_mempolicy") > +int BPF_PROG(setmempolicy, u64 mode, u16 mode_flags, nodemask_t *nmask, u32 flags) > +{ > + return mem_policy_adjustment(mode); > +} > + > +char _license[] SEC("license") = "GPL"; > -- > 1.8.3.1 > > ^ permalink raw reply [flat|nested] 4+ messages in thread
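Review bot: In mempolicy_bind() of prog_tests/set_mempolicy.c the denied case is checked only with `ASSERT_ERR(err, "mbind_fail")`, so an mbind() that fails for an unrelated reason (a bad nodemask, for example) is counted as an LSM denial. Assert the errno the BPF program is expected to produce as well, so that the subtest proves the hook caused the failure. The test also issues only `__NR_mbind`; since the hook is wired into kernel_set_mempolicy() too, a subtest that calls set_mempolicy(2) directly would cover the second call site. Minor: the maxnode argument of mbind(2) counts bits, so `sizeof(mask)` describes an 8-bit mask here; `sizeof(mask) * 8` states the intent.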
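Review bot: In mem_policy_adjustment() of progs/test_set_mempolicy.c the denial is a bare `return -1;`, which happens to equal -EPERM but hides the intent and leaves the user-space side nothing named to assert against. Return `-EPERM` explicitly. Also note that `task->pid` is the thread id, so the filter matches only the thread that called getpid(); comparing the tgid against target_pid keeps the test correct if the runner ever issues the syscall from another thread.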
* Re: [PATCH v4 5/5] selftests/bpf: Add selftests for set_mempolicy with a lsm prog
  2023-12-12 19:22 ` [PATCH v4 5/5] selftests/bpf: Add selftests for set_mempolicy with a lsm prog KP Singh
@ 2023-12-13 3:08 ` Yafang Shao
From: Yafang Shao @ 2023-12-13 3:08 UTC
To: KP Singh
Cc: akpm, paul, jmorris, serge, omosnace, mhocko, ying.huang, linux-mm, linux-security-module, bpf, ligang.bdlg

On Wed, Dec 13, 2023 at 3:22 AM KP Singh <kpsingh@kernel.org> wrote:
>
> On Fri, Dec 8, 2023 at 10:06 AM Yafang Shao <laoar.shao@gmail.com> wrote:
> >
> > The result as follows,
> > #263/1 set_mempolicy/MPOL_BIND_without_lsm:OK
> > #263/2 set_mempolicy/MPOL_DEFAULT_without_lsm:OK
> > #263/3 set_mempolicy/MPOL_BIND_with_lsm:OK
> > #263/4 set_mempolicy/MPOL_DEFAULT_with_lsm:OK
> > #263 set_mempolicy:OK
> > Summary: 1/4 PASSED, 0 SKIPPED, 0 FAILED
>
> Please write a commit description on what the test actually does.

I will do it.

> even think of something simple that mentions a BPF LSM program that
> denies all mbind with the mode MPOL_BIND and checks whether the
> corresponding syscall is denied when the program is loaded.

It does. Additionally, it verifies whether the mbind syscall is denied
with different modes, such as MPOL_DEFAULT.

--
Regards
Yafang