[LSF/MM/BPF TOPIC] What's more in BPF+LSM (KRSI)?

From: KP Singh <kpsingh@chromium.org>
To: lsf-pc@lists.linux-foundation.org,
	"bpf@vger.kernel.org" <bpf@vger.kernel.org>
Cc: Brendan Jackman <jackmanb@chromium.org>,
	Florent Revest <revest@chromium.org>,
	Thomas Garnier <thgarnie@google.com>,
	Kees Cook <keescook@chromium.org>,
	Michael Halcrow <mhalcrow@google.com>,
	Brendan Gregg <brendan.d.gregg@gmail.com>
Subject: [LSF/MM/BPF TOPIC] What's more in BPF+LSM (KRSI)?
Date: Mon, 27 Jan 2020 09:15:16 -0800	[thread overview]
Message-ID: <20200127171516.GA2710@chromium.org> (raw)

What's more in BPF+LSM (KRSI)?
============================

The basics for the KRSI patches are being reviewed currently on the
mailing list:

   https://lore.kernel.org/bpf/20200123152440.28956-1-kpsingh@chromium.org/T/#t

Here are some proposed discussions topics:

RCU/Preemption + BPF_PROG_TYPE_LSM
----------------------------------

With the new Trampoline based implementation it's ~trivial~ to enable
preemption and remove the RCU read side critical section when
executing the JIT'ed program. This is required, atleast, for the
following 2 use-cases:

1. Non-Atomic Helpers

Getting remote user pages (get_user_pages_remote) for argv and
environment variable based policies needs to run in non-atomic context
(because it might trigger a page fault).

2. BTF __rcu pointer access

Since BPF_PROG_TYPE_LSM uses BTF, it can access valid struct members.
However, if such a member is "__rcu" pointer, there are no
checks/helpers to "properly" access it.

Ideas:

 Here are a couple of options we can discuss:

* Update the JIT logic to guard helper calls with RCU critical
  sections or wrap pointer access with rcu_deference automatically
  when a BPF program calls it. This might still be restrictive if a
  user wants to use rcu_deference_raw etc for pointer values.
  It's also going to be tricky to determine the scope of the
  critical section beyond adding RCU calls before and after a helper
  call or a pointer dereference.

* Just track and verify whether the BPF program calls the right
  helpers (say bpf_rcu_*) This is likely to be more feasible and
  similar to the spin lock tracking already done by the verifier.

If sleepable BPF becomes a thing, one can dump argument pages in 4K
chunks to the perf events buffer there by saving a large amount of
memory which is currently required to "pin" these pages in a preamble
so that they are accessible in an atomic context in the program.

Security Blobs using BPF programs
---------------------------------

Security blobs must be set at init to provide any real guarantees to
any API that uses security blobs. KRSI currently plans to have static
hooks for blobs but one can think of loading a restricted set of
BPF programs purely to enable security blobs at boot time.
This would make the overall code more flexible.

Userspace eco-system
--------------------

As we bring KRSI closer to mainline, it's worth thinking of the
userspace ecosystem. e.g. can we add BPF capabilities to the likes of
auditctl and use bpftrace for KRSI programs?

- KP