From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19E80C3A5A2 for ; Tue, 10 Sep 2019 11:57:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E3C3E2084D for ; Tue, 10 Sep 2019 11:57:28 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="fQDaaJcN" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731373AbfIJL52 (ORCPT ); Tue, 10 Sep 2019 07:57:28 -0400 Received: from mail-wr1-f67.google.com ([209.85.221.67]:36060 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1733015AbfIJL4g (ORCPT ); Tue, 10 Sep 2019 07:56:36 -0400 Received: by mail-wr1-f67.google.com with SMTP id y19so19628975wrd.3 for ; Tue, 10 Sep 2019 04:56:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=EIsUn9Jau6/KXdzHwU5tqQRGOjQOzaD5sGChfY5yPIY=; b=fQDaaJcNPj2sPf2H7BhtU7Ap8m14kBNq8GYHsDC+Xbu3N6CadWR/9hgZxLMs8sRAHD Y3bXRzzMz60k+pQNzLSY52Lvc99Xddnp0bnDDfUeUQBTtGIkKdmbEhX7q0qJfLCgNWS5 /q9JXIzNV6eDgkWQbomqYunLWFF1pqhJsb8gA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=EIsUn9Jau6/KXdzHwU5tqQRGOjQOzaD5sGChfY5yPIY=; b=C6cIsCTYc+kw3Y/EuUzD+hvmeNQmMduhy7RD6MaQ9hewpMr32ta2PoEitZaWzTly0t /KX1QCnOigGVfoNdnF1NbrP3W1DioPjWGBesgqdDyMKXd1WWKvbz/tAPL+H8hxb0VVHR yW1la+h6fbPZ1WZtAHuMJSj6FXBf48UNFtBHizG6iOsvxC+0o4zh1EWU8kwrN2AyWsN0 xBdFJgMyBFDqLJYwMt9eJzkdcprh9tpgMfHdqMMBHfOz3PodMB0uhhXxycCXX1LS4G9A FYrt0YnCtQwRV0hJDJ0pmQw0bGPOhsVN/4dHnkl6LBjP6GMXlCP2QKvHnrg67qh1/lTq aH5g== X-Gm-Message-State: APjAAAXDmtCJ+O2lPUvXhdAmR5/iCbD4bX738sGTBtVBwpjctpmeYzRp wjnoP4ClB4anJ5rRdnShOLJObg== X-Google-Smtp-Source: APXvYqxcquIR5poZ++yC0HYIAXEUfYXCiM1tVNnZaQn9El9Vx1mdrWz5lnAfc9Zwi+MRB67X7M7DgA== X-Received: by 2002:adf:fd41:: with SMTP id h1mr6946449wrs.315.1568116594481; Tue, 10 Sep 2019 04:56:34 -0700 (PDT) Received: from kpsingh-kernel.c.hoisthospitality.com (110.8.30.213.rev.vodafone.pt. [213.30.8.110]) by smtp.gmail.com with ESMTPSA id q19sm23732935wra.89.2019.09.10.04.56.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Sep 2019 04:56:34 -0700 (PDT) From: KP Singh To: linux-kernel@vger.kernel.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org Cc: Alexei Starovoitov , Daniel Borkmann , James Morris , Kees Cook , Thomas Garnier , Michael Halcrow , Paul Turner , Brendan Gregg , Jann Horn , Matthew Garrett , Christian Brauner , =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Florent Revest , Martin KaFai Lau , Song Liu , Yonghong Song , "Serge E. Hallyn" , Mauro Carvalho Chehab , "David S. Miller" , Greg Kroah-Hartman , Nicolas Ferre , Stanislav Fomichev , Quentin Monnet , Andrey Ignatov , Joe Stringer Subject: [RFC v1 07/14] krsi: Check for premissions on eBPF attachment Date: Tue, 10 Sep 2019 13:55:20 +0200 Message-Id: <20190910115527.5235-8-kpsingh@chromium.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190910115527.5235-1-kpsingh@chromium.org> References: <20190910115527.5235-1-kpsingh@chromium.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: KP Singh Add validation checks for the attachment of eBPF programs. The following permissions are required: - CAP_SYS_ADMIN to load eBPF programs - CAP_MAC_ADMIN (to update the policy of an LSM) - The securityfs file being a KRSI hook and writable (O_RDWR) Signed-off-by: KP Singh --- security/krsi/ops.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/security/krsi/ops.c b/security/krsi/ops.c index cf4d06189aa1..a61508b7018f 100644 --- a/security/krsi/ops.c +++ b/security/krsi/ops.c @@ -23,11 +23,31 @@ static struct krsi_hook *get_hook_from_fd(int fd) goto error; } + /* + * Only CAP_MAC_ADMIN users are allowed to make + * changes to LSM hooks + */ + if (!capable(CAP_MAC_ADMIN)) { + ret = -EPERM; + goto error; + } + if (!is_krsi_hook_file(f.file)) { ret = -EINVAL; goto error; } + /* + * It's wrong to attach the program to the hook + * if the file is not opened for a write. Note that, + * this is an EBADF and not an EPERM because the file + * has been opened with an incorrect mode. + */ + if (!(f.file->f_mode & FMODE_WRITE)) { + ret = -EBADF; + goto error; + } + /* * The securityfs dentry never disappears, so we don't need to take a * reference to it. -- 2.20.1