From: Song Liu <songliubraving@fb.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
"linux-security@vger.kernel.org" <linux-security@vger.kernel.org>,
Networking <netdev@vger.kernel.org>, bpf <bpf@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Kernel Team <Kernel-team@fb.com>,
Lorenz Bauer <lmb@cloudflare.com>, Jann Horn <jannh@google.com>,
Greg KH <gregkh@linuxfoundation.org>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access via /dev/bpf
Date: Tue, 23 Jul 2019 22:56:23 +0000 [thread overview]
Message-ID: <514D5453-0AEE-420F-AEB6-3F4F58C62E7E@fb.com> (raw)
In-Reply-To: <CALCETrX2bMnwC6_t4b_G-hzJSfMPrkK4YKs5ebcecv2LJ0rt3w@mail.gmail.com>
> On Jul 23, 2019, at 8:11 AM, Andy Lutomirski <luto@kernel.org> wrote:
>
> On Mon, Jul 22, 2019 at 1:54 PM Song Liu <songliubraving@fb.com> wrote:
>>
>> Hi Andy, Lorenz, and all,
>>
>>> On Jul 2, 2019, at 2:32 PM, Andy Lutomirski <luto@kernel.org> wrote:
>>>
>>> On Tue, Jul 2, 2019 at 2:04 PM Kees Cook <keescook@chromium.org> wrote:
>>>>
>>>> On Mon, Jul 01, 2019 at 06:59:13PM -0700, Andy Lutomirski wrote:
>>>>> I think I'm understanding your motivation. You're not trying to make
>>>>> bpf() generically usable without privilege -- you're trying to create
>>>>> a way to allow certain users to access dangerous bpf functionality
>>>>> within some limits.
>>>>>
>>>>> That's a perfectly fine goal, but I think you're reinventing the
>>>>> wheel, and the wheel you're reinventing is quite complicated and
>>>>> already exists. I think you should teach bpftool to be secure when
>>>>> installed setuid root or with fscaps enabled and put your policy in
>>>>> bpftool. If you want to harden this a little bit, it would seem
>>>>> entirely reasonable to add a new CAP_BPF_ADMIN and change some, but
>>>>> not all, of the capable() checks to check CAP_BPF_ADMIN instead of the
>>>>> capabilities that they currently check.
>>>>
>>>> If finer grained controls are wanted, it does seem like the /dev/bpf
>>>> path makes the most sense. open, request abilities, use fd. The open can
>>>> be mediated by DAC and LSM. The request can be mediated by LSM. This
>>>> provides a way to add policy at the LSM level and at the tool level.
>>>> (i.e. For tool-level controls: leave LSM wide open, make /dev/bpf owned
>>>> by "bpfadmin" and bpftool becomes setuid "bpfadmin". For fine-grained
>>>> controls, leave /dev/bpf wide open and add policy to SELinux, etc.)
>>>>
>>>> With only a new CAP, you don't get the fine-grained controls. (The
>>>> "request abilities" part is the key there.)
>>>
>>> Sure you do: the effective set. It has somewhat bizarre defaults, but
>>> I don't think that's a real problem. Also, this wouldn't be like
>>> CAP_DAC_READ_SEARCH -- you can't accidentally use your BPF caps.
>>>
>>> I think that a /dev capability-like object isn't totally nuts, but I
>>> think we should do it well, and this patch doesn't really achieve
>>> that. But I don't think bpf wants fine-grained controls like this at
>>> all -- as I pointed upthread, a fine-grained solution really wants
>>> different treatment for the different capable() checks, and a bunch of
>>> them won't resemble capabilities or /dev/bpf at all.
>>
>> With 5.3-rc1 out, I am back on this. :)
>>
>> How about we modify the set as:
>> 1. Introduce sys_bpf_with_cap() that takes fd of /dev/bpf.
>
> I'm fine with this in principle, but:
>
>> 2. Better handling of capable() calls through bpf code. I guess the
>> biggest problem here is is_priv in verifier.c:bpf_check().
>
> I think it would be good to understand exactly what /dev/bpf will
> enable one to do. Without some care, it would just become the next
> CAP_SYS_ADMIN: if you can open it, sure, you're not root, but you can
> intercept network traffic, modify cgroup behavior, and do plenty of
> other things, any of which can probably be used to completely take
> over the system.
Well, yes. sys_bpf() is pretty powerful.
The goal of /dev/bpf is to enable special users to call sys_bpf(). In
the meanwhile, such users should not take down the whole system easily
by accident, e.g., with rm -rf /.
It is similar to CAP_BPF_ADMIN, without really adding the CAP_.
I think adding new CAP_ requires much more effort.
>
> It would also be nice to understand why you can't do what you need to
> do entirely in user code using setuid or fscaps.
It is not very easy to achieve the same control: only certain users can
run certain tools (bpftool, etc.).
The closest approach I can find is:
1. use libcap (pam_cap) to give CAP_SETUID to certain users;
2. add setuid(0) to bpftool.
The difference between this approach and /dev/bpf is that certain users
would be able to run other tools that call setuid(). Though I am not
sure how many tools call setuid(), and how risky they are.
>
> Finally, at risk of rehashing some old arguments, I'll point out that
> the bpf() syscall is an unusual design to begin with. As an example,
> consider bpf_prog_attach(). Outside of bpf(), if I want to change the
> behavior of a cgroup, I would write to a file in
> /sys/kernel/cgroup/unified/whatever/, and normal DAC and MAC rules
> apply. With bpf(), however, I just call bpf() to attach a program to
> the cgroup. bpf() says "oh, you are capable(CAP_NET_ADMIN) -- go for
> it!". Unless I missed something major, and I just re-read the code,
> there is no check that the caller has write or LSM permission to
> anything at all in cgroupfs, and the existing API would make it very
> awkward to impose any kind of DAC rules here.
>
> So I think it might actually be time to repay some techincal debt and
> come up with a real fix. As a less intrusive approach, you could see
> about requiring ownership of the cgroup directory instead of
> CAP_NET_ADMIN. As a more intrusive but perhaps better approach, you
> could invert the logic to to make it work like everything outside of
> cgroup: add pseudo-files like bpf.inet_ingress to the cgroup
> directories, and require a writable fd to *that* to a new improved
> attach API. If a user could do:
>
> int fd = open("/sys/fs/cgroup/.../bpf.inet_attach", O_RDWR); /* usual
> DAC and MAC policy applies */
> int bpf_fd = setup the bpf stuff; /* no privilege required, unless
> the program is huge or needs is_priv */
> bpf(BPF_IMPROVED_ATTACH, target = fd, program = bpf_fd);
>
> there would be no capabilities or global privilege at all required for
> this. It would just work with cgroup delegation, containers, etc.
>
> I think you could even pull off this type of API change with only
> libbpf changes. In particular, there's this code:
>
> int bpf_prog_attach(int prog_fd, int target_fd, enum bpf_attach_type type,
> unsigned int flags)
> {
> union bpf_attr attr;
>
> memset(&attr, 0, sizeof(attr));
> attr.target_fd = target_fd;
> attr.attach_bpf_fd = prog_fd;
> attr.attach_type = type;
> attr.attach_flags = flags;
>
> return sys_bpf(BPF_PROG_ATTACH, &attr, sizeof(attr));
> }
>
> This would instead do something like:
>
> int specific_target_fd = openat(target_fd, bpf_type_to_target[type], O_RDWR);
> attr.target_fd = specific_target_fd;
> ...
>
> return sys_bpf(BPF_PROG_IMPROVED_ATTACH, &attr, sizeof(attr));
>
> Would this solve your problem without needing /dev/bpf at all?
This gives fine grain access control. I think it solves the problem.
But it also requires a lot of rework to sys_bpf(). And it may also
break backward/forward compatibility?
Personally, I think it is an overkill for the original motivation:
call sys_bpf() with special user instead of root.
Alexei, Daniel: what do you think about this?
Thanks,
Song
next prev parent reply other threads:[~2019-07-23 22:56 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-27 20:19 [PATCH v2 bpf-next 0/4] sys_bpf() access control via /dev/bpf Song Liu
2019-06-27 20:19 ` [PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access " Song Liu
2019-06-27 23:40 ` Andy Lutomirski
2019-06-27 23:42 ` Andy Lutomirski
2019-06-28 10:28 ` Christian Brauner
2019-06-28 9:05 ` Lorenz Bauer
2019-06-28 19:04 ` Song Liu
2019-06-30 0:12 ` Andy Lutomirski
2019-07-01 9:03 ` Song Liu
2019-07-02 1:59 ` Andy Lutomirski
2019-07-02 18:24 ` Kees Cook
2019-07-02 21:32 ` Andy Lutomirski
2019-07-02 23:48 ` Song Liu
2019-07-22 20:53 ` Song Liu
2019-07-23 10:45 ` Lorenz Bauer
2019-07-23 15:11 ` Andy Lutomirski
2019-07-23 22:56 ` Song Liu [this message]
2019-07-24 1:40 ` Andy Lutomirski
2019-07-24 6:30 ` Song Liu
2019-07-27 18:20 ` Song Liu
2019-07-30 5:07 ` Song Liu
2019-07-30 20:24 ` Andy Lutomirski
2019-07-31 8:10 ` Song Liu
2019-07-31 19:09 ` Andy Lutomirski
2019-08-02 7:21 ` Song Liu
2019-08-04 22:16 ` Andy Lutomirski
2019-08-05 0:08 ` Andy Lutomirski
2019-08-05 5:47 ` Andy Lutomirski
2019-08-05 7:36 ` Song Liu
2019-08-05 17:23 ` Andy Lutomirski
2019-08-05 19:21 ` Alexei Starovoitov
2019-08-05 21:25 ` Andy Lutomirski
2019-08-05 22:21 ` Andy Lutomirski
2019-08-06 1:11 ` Alexei Starovoitov
2019-08-07 5:24 ` Andy Lutomirski
2019-08-07 9:03 ` Lorenz Bauer
2019-08-07 13:52 ` Andy Lutomirski
2019-08-13 21:58 ` Alexei Starovoitov
2019-08-13 22:26 ` Daniel Colascione
2019-08-13 23:24 ` Andy Lutomirski
2019-08-13 23:06 ` Andy Lutomirski
2019-08-14 0:57 ` Alexei Starovoitov
2019-08-14 17:51 ` Andy Lutomirski
2019-08-14 22:05 ` Alexei Starovoitov
2019-08-14 22:30 ` Andy Lutomirski
2019-08-14 23:33 ` Alexei Starovoitov
2019-08-14 23:59 ` Andy Lutomirski
2019-08-15 0:36 ` Alexei Starovoitov
2019-08-15 11:24 ` Jordan Glover
2019-08-15 17:28 ` Alexei Starovoitov
2019-08-15 18:36 ` Andy Lutomirski
2019-08-15 23:08 ` Alexei Starovoitov
2019-08-16 9:34 ` Jordan Glover
2019-08-16 9:59 ` Thomas Gleixner
2019-08-16 11:33 ` Jordan Glover
2019-08-16 19:52 ` Alexei Starovoitov
2019-08-16 20:28 ` Thomas Gleixner
2019-08-17 15:02 ` Alexei Starovoitov
2019-08-17 15:44 ` Andy Lutomirski
2019-08-19 9:15 ` Thomas Gleixner
2019-08-19 17:27 ` Alexei Starovoitov
2019-08-19 17:38 ` Andy Lutomirski
2019-08-15 18:43 ` Jordan Glover
2019-08-15 19:46 ` Kees Cook
2019-08-15 23:46 ` Alexei Starovoitov
2019-08-16 0:54 ` Andy Lutomirski
2019-08-16 5:56 ` Song Liu
2019-08-16 21:45 ` Alexei Starovoitov
2019-08-16 22:22 ` Christian Brauner
2019-08-17 15:08 ` Alexei Starovoitov
2019-08-17 15:16 ` Christian Brauner
2019-08-17 15:36 ` Alexei Starovoitov
2019-08-17 15:42 ` Christian Brauner
2019-08-22 14:17 ` Daniel Borkmann
2019-08-22 15:16 ` Andy Lutomirski
2019-08-22 15:17 ` RFC: very rough draft of a bpf permission model Andy Lutomirski
2019-08-22 23:26 ` Alexei Starovoitov
2019-08-23 23:09 ` Andy Lutomirski
2019-08-26 22:36 ` Alexei Starovoitov
2019-08-27 0:05 ` Andy Lutomirski
2019-08-27 0:34 ` Alexei Starovoitov
2019-08-22 22:48 ` [PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access via /dev/bpf Alexei Starovoitov
2019-07-30 20:20 ` Andy Lutomirski
2019-07-31 7:44 ` Song Liu
2019-06-28 9:01 ` Lorenz Bauer
2019-06-28 19:10 ` Song Liu
2019-07-01 9:34 ` Lorenz Bauer
2019-07-02 19:22 ` Andrii Nakryiko
2019-07-03 7:28 ` Greg KH
2019-06-27 20:19 ` [PATCH v2 bpf-next 2/4] bpf: sync tools/include/uapi/linux/bpf.h Song Liu
2019-06-27 20:19 ` [PATCH v2 bpf-next 3/4] libbpf: add libbpf_[enable|disable]_sys_bpf() Song Liu
2019-06-27 20:19 ` [PATCH v2 bpf-next 4/4] bpftool: use libbpf_[enable|disable]_sys_bpf() Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=514D5453-0AEE-420F-AEB6-3F4F58C62E7E@fb.com \
--to=songliubraving@fb.com \
--cc=Kernel-team@fb.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-security@vger.kernel.org \
--cc=lmb@cloudflare.com \
--cc=luto@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).