All of lore.kernel.org
 help / color / mirror / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@vger.kernel.org, Dominick Grift <dac.override@gmail.com>
Subject: Re: Question about BPF acccess checks
Date: Fri, 16 Aug 2019 12:35:09 -0400	[thread overview]
Message-ID: <79283dc7-fcce-259e-e16e-a78eef87256d@tycho.nsa.gov> (raw)
In-Reply-To: <20190816072744.GA520884@brutus.lan>

On 8/16/19 3:27 AM, Dominick Grift wrote:
> As of systemd v243rc1 I have been noticing bpf prog_load and prog_run access checks for systemd --user instances (only if secure boot is disabled)
> I suspect that this is for IPAddressAllow/Deny= functionality.
> So i tried it out and I was not allowed to use the above due to lack of root-access.
> 
> Then i read this:
> https://lore.kernel.org/linux-security-module/4F52274A-CD70-4261-A255-2C4A7E818141@fb.com/T/#t
> 
> My question is: Is it expected that BPF prog_load and prog_run is checked when an *unprivileged* process, i suppose, tries to load and run bpf progs?
> 
> Are prog_load and prog_run unprivileged operations?

They can be checked for processes that do not have CAP_SYS_ADMIN if that 
is what you are asking.  This can occur either during bpf(2) system call 
processing if unprivileged_bpf_disabled is 0 (for prog_load and/or 
prog_run), or upon receiving a bpf prog fd from another process (for 
prog_run). It is possible that the specific operation will nonetheless 
fail due to a later CAP_SYS_ADMIN check applied for specific kinds of 
bpf programs.  So it depends on the specifics.

Android policy appears to have changed over time, with netd originally 
allowed both prog_load and prog_run (but not sys_admin), and then later 
bpf program loading was migrated into a separate bpfloader process (with 
prog_load but not sys_admin) and netd was reduced to prog_run, and still 
later sys_admin was added to bpfloader to enable loading bpf programs 
with tracepoints. Similarly there has been an evolution in the handling 
of bpf maps.

  reply	other threads:[~2019-08-16 16:36 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-16  7:27 Question about BPF acccess checks Dominick Grift
2019-08-16 16:35 ` Stephen Smalley [this message]
2019-08-16 16:53   ` Dominick Grift
2019-08-16 17:28     ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=79283dc7-fcce-259e-e16e-a78eef87256d@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=dac.override@gmail.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.