From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0A5CEC06511 for ; Wed, 3 Jul 2019 01:08:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D743D21874 for ; Wed, 3 Jul 2019 01:08:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562116086; bh=oo48P7da1GzWeluudUYctbEpvdM/m1EpFSK8+9E2e2E=; h=References:In-Reply-To:From:Date:Subject:To:Cc:List-ID:From; b=2WG9r0kZShSYhCC0jni1KXdrj4KiDqlS2g4FteC/G9ASSdmcLSBFipU1DA+kkW2ue 1CM6JvR6GV2ZUZs9k4xEe23KSJ66jv6JX4Bgc/U6ybxLPjzD2CWvnYncPB99UDEl5q bKkOTEqLqZLh8vpov4ueL0J2yR/8eCb9p9K9mx1E= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727436AbfGCBIG (ORCPT ); Tue, 2 Jul 2019 21:08:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:53802 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727321AbfGCBIF (ORCPT ); Tue, 2 Jul 2019 21:08:05 -0400 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2C7E8218D0 for ; Tue, 2 Jul 2019 21:32:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562103141; bh=oo48P7da1GzWeluudUYctbEpvdM/m1EpFSK8+9E2e2E=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=dHnq5JcwBwPzy+t1r9zUImCrtgzYH0YcYBctxd3dBGpNfM4KEyiIO86yL6PHkvKLX pUQ/hXlzOCTEXvzoVxMw7HXPCc88EoXafejfTaK1fE+i4se82IB35KgyATM/s8VIsI EvHefSsSjR0OEKsG86DrJrmyy9rsE21Oz+4VH3SE= Received: by mail-wm1-f42.google.com with SMTP id a15so73044wmj.5 for ; Tue, 02 Jul 2019 14:32:21 -0700 (PDT) X-Gm-Message-State: APjAAAXr1tHdY0a+K1Vdl0LxrVSxGLWRuGvMtUGsnAKQrWz3G3OETtkT 4whN4yDagIgVYcA3bDdNMdnnD2c7KB6ZhxoMiIpU3w== X-Google-Smtp-Source: APXvYqwEYykzJyo2X3/CbH/kvAgSmUZebU6W1B7E+n5sQRNxQub2D4+Me5+8DrjgrkPBi0sxkT1a36it03xxJT340H8= X-Received: by 2002:a1c:9a53:: with SMTP id c80mr4339807wme.173.1562103139731; Tue, 02 Jul 2019 14:32:19 -0700 (PDT) MIME-Version: 1.0 References: <20190627201923.2589391-1-songliubraving@fb.com> <20190627201923.2589391-2-songliubraving@fb.com> <21894f45-70d8-dfca-8c02-044f776c5e05@kernel.org> <3C595328-3ABE-4421-9772-8D41094A4F57@fb.com> <0DE7F23E-9CD2-4F03-82B5-835506B59056@fb.com> <201907021115.DCD56BBABB@keescook> In-Reply-To: <201907021115.DCD56BBABB@keescook> From: Andy Lutomirski Date: Tue, 2 Jul 2019 14:32:08 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access via /dev/bpf To: Kees Cook Cc: Andy Lutomirski , Song Liu , "linux-security@vger.kernel.org" , Networking , bpf , Alexei Starovoitov , Daniel Borkmann , Kernel Team , Lorenz Bauer , Jann Horn , Greg KH , Linux API Content-Type: text/plain; charset="UTF-8" Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org On Tue, Jul 2, 2019 at 2:04 PM Kees Cook wrote: > > On Mon, Jul 01, 2019 at 06:59:13PM -0700, Andy Lutomirski wrote: > > I think I'm understanding your motivation. You're not trying to make > > bpf() generically usable without privilege -- you're trying to create > > a way to allow certain users to access dangerous bpf functionality > > within some limits. > > > > That's a perfectly fine goal, but I think you're reinventing the > > wheel, and the wheel you're reinventing is quite complicated and > > already exists. I think you should teach bpftool to be secure when > > installed setuid root or with fscaps enabled and put your policy in > > bpftool. If you want to harden this a little bit, it would seem > > entirely reasonable to add a new CAP_BPF_ADMIN and change some, but > > not all, of the capable() checks to check CAP_BPF_ADMIN instead of the > > capabilities that they currently check. > > If finer grained controls are wanted, it does seem like the /dev/bpf > path makes the most sense. open, request abilities, use fd. The open can > be mediated by DAC and LSM. The request can be mediated by LSM. This > provides a way to add policy at the LSM level and at the tool level. > (i.e. For tool-level controls: leave LSM wide open, make /dev/bpf owned > by "bpfadmin" and bpftool becomes setuid "bpfadmin". For fine-grained > controls, leave /dev/bpf wide open and add policy to SELinux, etc.) > > With only a new CAP, you don't get the fine-grained controls. (The > "request abilities" part is the key there.) Sure you do: the effective set. It has somewhat bizarre defaults, but I don't think that's a real problem. Also, this wouldn't be like CAP_DAC_READ_SEARCH -- you can't accidentally use your BPF caps. I think that a /dev capability-like object isn't totally nuts, but I think we should do it well, and this patch doesn't really achieve that. But I don't think bpf wants fine-grained controls like this at all -- as I pointed upthread, a fine-grained solution really wants different treatment for the different capable() checks, and a bunch of them won't resemble capabilities or /dev/bpf at all.