* [PATCH] bpf: make unprivileged BPF a compile time choice
@ 2022-04-04 22:03 Matteo Croce
  2022-04-04 22:45 ` Alexei Starovoitov
  0 siblings, 1 reply; 2+ messages in thread
From: Matteo Croce @ 2022-04-04 22:03 UTC (permalink / raw)
  To: bpf; +Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, linux-kernel

From: Matteo Croce <mcroce@microsoft.com>

Add a compile time option to permanently disable unprivileged BPF and
the corresponding sysctl handler so that there's absolutely no
concern about unprivileged BPF being enabled from userspace during
runtime. Special purpose kernels can benefit from the build-time
assurance that unprivileged eBPF is disabled in all of their kernel
builds rather than having to rely on userspace to permanently disable
it at boot time.
The default behaviour is left unchanged, which is: unprivileged BPF
compiled in but disabled at boot.

Signed-off-by: Matteo Croce <mcroce@microsoft.com>
---
 kernel/bpf/Kconfig   | 10 +++++++++-
 kernel/bpf/syscall.c |  4 +++-
 kernel/sysctl.c      |  4 ++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
index d56ee177d5f8..dfaef1ac1516 100644
--- a/kernel/bpf/Kconfig
+++ b/kernel/bpf/Kconfig
@@ -67,10 +67,18 @@ config BPF_JIT_DEFAULT_ON
 	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
 	depends on HAVE_EBPF_JIT && BPF_JIT
 
+config BPF_UNPRIV
+	bool "Unprivileged BPF"
+	default y
+	depends on BPF_SYSCALL
+	help
+	  Enables unprivileged BPF and the corresponding
+	  /proc/sys/kernel/unprivileged_bpf_disabled knob.
+
 config BPF_UNPRIV_DEFAULT_OFF
 	bool "Disable unprivileged BPF by default"
 	default y
-	depends on BPF_SYSCALL
+	depends on BPF_UNPRIV
 	help
 	  Disables unprivileged BPF by default by setting the corresponding
 	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
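Review bot: The help text of the new `BPF_UNPRIV` option does not say what answering N does, which is the case a hardened build cares about. Going by the other hunks of this patch, N fixes the sysctl value at 1 and drops the `unprivileged_bpf_disabled` entry, so the help could add `Say N to disable unprivileged BPF permanently; the sysctl knob is then not created.` followed by `If unsure, say Y.` Because `BPF_UNPRIV_DEFAULT_OFF` now depends on `BPF_UNPRIV`, it stops being offered when `BPF_UNPRIV=n`, and that is worth a sentence in the help as well.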
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index cdaa1152436a..b7e6aca87a18 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -53,7 +53,9 @@ static DEFINE_IDR(link_idr);
 static DEFINE_SPINLOCK(link_idr_lock);
 
 int sysctl_unprivileged_bpf_disabled __read_mostly =
-	IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0;
+	IS_BUILTIN(CONFIG_BPF_UNPRIV) ?
+		(IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0)
+		: 1;
 
 static const struct bpf_map_ops * const bpf_map_types[] = {
 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
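Review bot: With `CONFIG_BPF_UNPRIV=n` the initializer yields 1, but `sysctl_unprivileged_bpf_disabled` remains an ordinary writable `__read_mostly` int, so the build-time assurance described in the commit message rests on nothing else storing to the variable rather than on the value being immutable. If a hard guarantee is intended, the disabled case could be defined separately under `#ifndef CONFIG_BPF_UNPRIV` as `int sysctl_unprivileged_bpf_disabled __ro_after_init = 1;`, so that a later write faults instead of silently re-enabling unprivileged BPF. The matching extern declaration is outside this hunk and would need checking. A one-line comment above the nested ternary naming the three resulting values (0, 1, 2) and which config combination produces each would also help readers.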
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 830aaf8ca08e..a5b6e960ca58 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -184,6 +184,7 @@ void __weak unpriv_ebpf_notify(int new_state)
 {
 }
 
+#ifdef CONFIG_BPF_UNPRIV
 static int bpf_unpriv_handler(struct ctl_table *table, int write,
 			      void *buffer, size_t *lenp, loff_t *ppos)
 {
@@ -206,6 +207,7 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write,
 
 	return ret;
 }
+#endif /* CONFIG_BPF_UNPRIV */
 #endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */
 
 /*
@@ -2300,6 +2302,7 @@ static struct ctl_table kern_table[] = {
 	},
 #endif
 #ifdef CONFIG_BPF_SYSCALL
+#ifdef CONFIG_BPF_UNPRIV
 	{
 		.procname	= "unprivileged_bpf_disabled",
 		.data		= &sysctl_unprivileged_bpf_disabled,
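Review bot: Compiling out the `unprivileged_bpf_disabled` table entry removes the file from /proc/sys/kernel, so audit and monitoring tooling that reads the knob can no longer confirm the state and sees the same "missing file" as on a kernel built without `CONFIG_BPF_SYSCALL`. Consider keeping the entry in the `!CONFIG_BPF_UNPRIV` case as read-only (mode `0444` with a plain `proc_dointvec` handler) so the fixed value 1 stays observable while remaining unchangeable from userspace. The `.mode` and `.proc_handler` lines of this entry fall between this hunk and the next and are not visible here, so the exact change needs checking against the full table.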
@@ -2309,6 +2312,7 @@ static struct ctl_table kern_table[] = {
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= SYSCTL_TWO,
 	},
+#endif
 	{
 		.procname	= "bpf_stats_enabled",
 		.data		= &bpf_stats_enabled_key.key,
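Review bot: The `#endif` added here closes the new `CONFIG_BPF_UNPRIV` block nested inside `#ifdef CONFIG_BPF_SYSCALL`, yet it carries no trailing comment, unlike the `#endif /* CONFIG_BPF_UNPRIV */` this patch adds after `bpf_unpriv_handler`. Writing it as `#endif /* CONFIG_BPF_UNPRIV */` keeps the nesting readable in a table that already has many conditional entries. The outer `#endif` for `CONFIG_BPF_SYSCALL` is outside the hunk.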
-- 
2.35.1



* Re: [PATCH] bpf: make unprivileged BPF a compile time choice
  2022-04-04 22:03 [PATCH] bpf: make unprivileged BPF a compile time choice Matteo Croce
@ 2022-04-04 22:45 ` Alexei Starovoitov
  0 siblings, 0 replies; 2+ messages in thread
From: Alexei Starovoitov @ 2022-04-04 22:45 UTC (permalink / raw)
  To: Matteo Croce
  Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, LKML

On Mon, Apr 4, 2022 at 3:03 PM Matteo Croce <mcroce@linux.microsoft.com> wrote:
>
> From: Matteo Croce <mcroce@microsoft.com>
>
> Add a compile time option to permanently disable unprivileged BPF and
> the corresponding sysctl handler so that there's absolutely no
> concern about unprivileged BPF being enabled from userspace during
> runtime. Special purpose kernels can benefit from the build-time
> assurance that unprivileged eBPF is disabled in all of their kernel
> builds rather than having to rely on userspace to permanently disable
> it at boot time.
> The default behaviour is left unchanged, which is: unprivileged BPF
> compiled in but disabled at boot.

That is an insane level of "security" paranoia.
If you're so concerned about bpf do CONFIG_BPF_SYSCALL=n

