From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 90E65C5B57A for ; Fri, 28 Jun 2019 10:28:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 66059208E3 for ; Fri, 28 Jun 2019 10:28:48 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=brauner.io header.i=@brauner.io header.b="WvtXk5cg" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726653AbfF1K2r (ORCPT ); Fri, 28 Jun 2019 06:28:47 -0400 Received: from mail-wr1-f67.google.com ([209.85.221.67]:33060 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726574AbfF1K2q (ORCPT ); Fri, 28 Jun 2019 06:28:46 -0400 Received: by mail-wr1-f67.google.com with SMTP id n9so5755933wru.0 for ; Fri, 28 Jun 2019 03:28:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brauner.io; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=00lQgp4KF8mWHCT3vLiiTY3cz1BNXZmrWPRpQYCYepQ=; b=WvtXk5cgkogFhun+ZiE8ghcPR+1UCyc/a3gnHHaDJ2OoARpA7j7GPvZHcTvAvmoldN 7hZrC4XrFmRcPKeHZUeA/lmAI58KJnTJg5dxqgjmWnUH44QobZ38qiH1ciDZFGssNwR8 d2JbM5WtRmJIFjsWjE1y0ztGJf2D6lMaWXL5rmTrVO4N5b5BlsWCnkdR/Yeeie7MFKKR oEQJTJarOPlUcveHA29/+uI+yKuU1azZPdnQt3pJPNE+tbWR51D8JMJzOmBfVWL0CltH UTrCoRZrxz7b9gaY3Su9TFQ1pNF7Weh0YQPLrbh6Y+fJRKb5TFYWajaQPELLKQt66mxe IisA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=00lQgp4KF8mWHCT3vLiiTY3cz1BNXZmrWPRpQYCYepQ=; b=M2rMCuJIWsnKiUP1n6tVsuzbXlotd+s0h2nYhuCanh/+llzJzIKBGvBykwmeTVoa9c ArMrNXiF+RGqii7jJmPJTr5zJmdsWYdT+pCB7AfH4xYSVckExE5tnznfhpazbLC97laQ FFzt4V1bdF6K5mEbC9Fe4/Ro50DK3NqgtdYf3G93E94jqQIQoYLf3YakwSDiZJCC1tFj vGfJkZIEcaheRTGaoTF/4M2bZaXciQGrW9Yn7YAcwH5n7r1X7Xscj2zyBH65k4shqiG1 x5+K/swnInfdvunEKqZzjTTyes9ifi48xfHXQgvkM1+TdyTflG5Qp1rOVlDlugCRJqrm yPqA== X-Gm-Message-State: APjAAAXynwh/mzfL3hehQ0FyJWF1xkFD1uCUYDVS9PmPAWiKSDzemtSF hMvCbgSNj0QM0MAC+QATF2++6A== X-Google-Smtp-Source: APXvYqwceU7uOJWFzAL991B1wKGjN7mDumVTVPUijIsToU5QF3dnh/WIfSHQjHGLcY+56bqP2MuwWg== X-Received: by 2002:adf:fb84:: with SMTP id a4mr7863262wrr.41.1561717723814; Fri, 28 Jun 2019 03:28:43 -0700 (PDT) Received: from brauner.io ([212.91.227.56]) by smtp.gmail.com with ESMTPSA id x6sm2241373wru.0.2019.06.28.03.28.42 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Fri, 28 Jun 2019 03:28:43 -0700 (PDT) Date: Fri, 28 Jun 2019 12:28:42 +0200 From: Christian Brauner To: Andy Lutomirski Cc: Kees Cook , Linux API , Song Liu , Network Development , bpf@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , kernel-team , lmb@cloudflare.com, Jann Horn , Greg KH , casey@schaufler-ca.com, sds@tycho.nsa.gov, linux-security@vger.kernel.org Subject: Re: [PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access via /dev/bpf Message-ID: <20190628102841.dye2ajyusukvwlwq@brauner.io> References: <20190627201923.2589391-1-songliubraving@fb.com> <20190627201923.2589391-2-songliubraving@fb.com> <21894f45-70d8-dfca-8c02-044f776c5e05@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org On Thu, Jun 27, 2019 at 04:42:18PM -0700, Andy Lutomirski wrote: > [sigh, I finally set up lore nntp, and I goofed some addresses. Hi > Kees and linux-api.] Love it or hate it but that should probably also Cc linux-security... > > On Thu, Jun 27, 2019 at 4:40 PM Andy Lutomirski wrote: > > > > On 6/27/19 1:19 PM, Song Liu wrote: > > > This patch introduce unprivileged BPF access. The access control is > > > achieved via device /dev/bpf. Users with write access to /dev/bpf are able > > > to call sys_bpf(). > > > > > > Two ioctl command are added to /dev/bpf: > > > > > > The two commands enable/disable permission to call sys_bpf() for current > > > task. This permission is noted by bpf_permitted in task_struct. This > > > permission is inherited during clone(CLONE_THREAD). > > > > > > Helper function bpf_capable() is added to check whether the task has got > > > permission via /dev/bpf. > > > > > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > > index 0e079b2298f8..79dc4d641cf3 100644 > > > --- a/kernel/bpf/verifier.c > > > +++ b/kernel/bpf/verifier.c > > > @@ -9134,7 +9134,7 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, > > > env->insn_aux_data[i].orig_idx = i; > > > env->prog = *prog; > > > env->ops = bpf_verifier_ops[env->prog->type]; > > > - is_priv = capable(CAP_SYS_ADMIN); > > > + is_priv = bpf_capable(CAP_SYS_ADMIN); > > > > Huh? This isn't a hardening measure -- the "is_priv" verifier mode > > allows straight-up leaks of private kernel state to user mode. > > > > (For that matter, the pending lockdown stuff should possibly consider > > this a "confidentiality" issue.) > > > > > > I have a bigger issue with this patch, though: it's a really awkward way > > to pretend to have capabilities. For bpf, it seems like you could make > > this be a *real* capability without too much pain since there's only one > > syscall there. Just find a way to pass an fd to /dev/bpf into the > > syscall. If this means you need a new bpf_with_cap() syscall that takes > > an extra argument, so be it. The old bpf() syscall can just translate > > to bpf_with_cap(..., -1). > > > > For a while, I've considered a scheme I call "implicit rights". There > > would be a directory in /dev called /dev/implicit_rights. This would > > either be part of devtmpfs or a whole new filesystem -- it would *not* > > be any other filesystem. The contents would be files that can't be read > > or written and exist only in memory. You create them with a privileged > > syscall. Certain actions that are sensitive but not at the level of > > CAP_SYS_ADMIN (use of large-attack-surface bpf stuff, creation of user > > namespaces, profiling the kernel, etc) could require an "implicit > > right". When you do them, if you don't have CAP_SYS_ADMIN, the kernel > > would do a path walk for, say, /dev/implicit_rights/bpf and, if the > > object exists, can be opened, and actually refers to the "bpf" rights > > object, then the action is allowed. Otherwise it's denied. > > > > This is extensible, and it doesn't require the rather ugly per-task > > state of whether it's enabled. > > > > For things like creation of user namespaces, there's an existing API, > > and the default is that it works without privilege. Switching it to an > > implicit right has the benefit of not requiring code changes to programs > > that already work as non-root. > > > > But, for BPF in particular, this type of compatibility issue doesn't > > exist now. You already can't use most eBPF functionality without > > privilege. New bpf-using programs meant to run without privilege are > > *new*, so they can use a new improved API. So, rather than adding this > > obnoxious ioctl, just make the API explicit, please. > > > > Also, please cc: linux-abi next time.