From: KP Singh <kpsingh@chromium.org>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org, bpf@vger.kernel.org,
linux-security-module@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
James Morris <jmorris@namei.org>, Paul Turner <pjt@google.com>,
Jann Horn <jannh@google.com>,
Florent Revest <revest@chromium.org>,
Brendan Jackman <jackmanb@chromium.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH bpf-next v6 0/8] MAC and Audit policy using eBPF (KRSI)
Date: Wed, 25 Mar 2020 20:42:38 +0100 [thread overview]
Message-ID: <20200325194238.GB22898@chromium.org> (raw)
In-Reply-To: <202003251224.2C80636F0F@keescook>
On 25-Mär 12:24, Kees Cook wrote:
> On Wed, Mar 25, 2020 at 04:26:21PM +0100, KP Singh wrote:
> > From: KP Singh <kpsingh@google.com>
> >
> > # v5 -> v6
> >
> > https://lwn.net/Articles/815826/
>
> Random question: why the switch to lwn.net from lore URLs? The lore
> URLs have been suggested to be the canonical way to refer to kernel
> development discussion threads.
No real reason apart from the fact these were shoter:)
Duly noted for future patches and revisions. Thanks!
- KP
>
> -Kees
>
> >
> > * Updated LSM_HOOK macro to define a default value and cleaned up the
> > BPF LSM hook declarations.
> > * Added Yonghong's Acks and Kees' Reviewed-by tags.
> > * Simplification of the selftest code.
> > * Rebase and fixes suggested by Andrii and Yonghong and some other minor
> > fixes noticed in internal review.
> >
> > # v4 -> v5
> >
> > https://lwn.net/Articles/813057/
> >
> > * Removed static keys and special casing of BPF calls from the LSM
> > framework.
> > * Initialized the BPF callbacks (nops) as proper LSM hooks.
> > * Updated to using the newly introduced BPF_TRAMP_MODIFY_RETURN
> > trampolines in https://lkml.org/lkml/2020/3/4/877
> > * Addressed Andrii's feedback and rebased.
> >
> > # v3 -> v4
> >
> > * Moved away from allocating a separate security_hook_heads and adding a
> > new special case for arch_prepare_bpf_trampoline to using BPF fexit
> > trampolines called from the right place in the LSM hook and toggled by
> > static keys based on the discussion in:
> >
> > https://lore.kernel.org/bpf/CAG48ez25mW+_oCxgCtbiGMX07g_ph79UOJa07h=o_6B6+Q-u5g@mail.gmail.com/
> >
> > * Since the code does not deal with security_hook_heads anymore, it goes
> > from "being a BPF LSM" to "BPF program attachment to LSM hooks".
> > * Added a new test case which ensures that the BPF programs' return value
> > is reflected by the LSM hook.
> >
> > # v2 -> v3 does not change the overall design and has some minor fixes:
> >
> > * LSM_ORDER_LAST is introduced to represent the behaviour of the BPF LSM
> > * Fixed the inadvertent clobbering of the LSM Hook error codes
> > * Added GPL license requirement to the commit log
> > * The lsm_hook_idx is now the more conventional 0-based index
> > * Some changes were split into a separate patch ("Load btf_vmlinux only
> > once per object")
> >
> > https://lore.kernel.org/bpf/20200117212825.11755-1-kpsingh@chromium.org/
> >
> > * Addressed Andrii's feedback on the BTF implementation
> > * Documentation update for using generated vmlinux.h to simplify
> > programs
> > * Rebase
> >
> > # Changes since v1
> >
> > https://lore.kernel.org/bpf/20191220154208.15895-1-kpsingh@chromium.org
> >
> > * Eliminate the requirement to maintain LSM hooks separately in
> > security/bpf/hooks.h Use BPF trampolines to dynamically allocate
> > security hooks
> > * Drop the use of securityfs as bpftool provides the required
> > introspection capabilities. Update the tests to use the bpf_skeleton
> > and global variables
> > * Use O_CLOEXEC anonymous fds to represent BPF attachment in line with
> > the other BPF programs with the possibility to use bpf program pinning
> > in the future to provide "permanent attachment".
> > * Drop the logic based on prog names for handling re-attachment.
> > * Drop bpf_lsm_event_output from this series and send it as a separate
> > patch.
> >
> > # Motivation
> >
> > Google does analysis of rich runtime security data to detect and thwart
> > threats in real-time. Currently, this is done in custom kernel modules
> > but we would like to replace this with something that's upstream and
> > useful to others.
> >
> > The current kernel infrastructure for providing telemetry (Audit, Perf
> > etc.) is disjoint from access enforcement (i.e. LSMs). Augmenting the
> > information provided by audit requires kernel changes to audit, its
> > policy language and user-space components. Furthermore, building a MAC
> > policy based on the newly added telemetry data requires changes to
> > various LSMs and their respective policy languages.
> >
> > This patchset allows BPF programs to be attached to LSM hooks This
> > facilitates a unified and dynamic (not requiring re-compilation of the
> > kernel) audit and MAC policy.
> >
> > # Why an LSM?
> >
> > Linux Security Modules target security behaviours rather than the
> > kernel's API. For example, it's easy to miss out a newly added system
> > call for executing processes (eg. execve, execveat etc.) but the LSM
> > framework ensures that all process executions trigger the relevant hooks
> > irrespective of how the process was executed.
> >
> > Allowing users to implement LSM hooks at runtime also benefits the LSM
> > eco-system by enabling a quick feedback loop from the security community
> > about the kind of behaviours that the LSM Framework should be targeting.
> >
> > # How does it work?
> >
> > The patchset introduces a new eBPF (https://docs.cilium.io/en/v1.6/bpf/)
> > program type BPF_PROG_TYPE_LSM which can only be attached to LSM hooks.
> > Loading and attachment of BPF programs requires CAP_SYS_ADMIN.
> >
> > The new LSM registers nop functions (bpf_lsm_<hook_name>) as LSM hook
> > callbacks. Their purpose is to provide a definite point where BPF
> > programs can be attached as BPF_TRAMP_MODIFY_RETURN trampoline programs
> > for hooks that return an int, and BPF_TRAMP_FEXIT trampoline programs
> > for void LSM hooks.
> >
> > Audit logs can be written using a format chosen by the eBPF program to
> > the perf events buffer or to global eBPF variables or maps and can be
> > further processed in user-space.
> >
> > # BTF Based Design
> >
> > The current design uses BTF:
> >
> > * https://facebookmicrosites.github.io/bpf/blog/2018/11/14/btf-enhancement.html
> > * https://lwn.net/Articles/803258
> >
> > which allows verifiable read-only structure accesses by field names
> > rather than fixed offsets. This allows accessing the hook parameters
> > using a dynamically created context which provides a certain degree of
> > ABI stability:
> >
> >
> > // Only declare the structure and fields intended to be used
> > // in the program
> > struct vm_area_struct {
> > unsigned long vm_start;
> > } __attribute__((preserve_access_index));
> >
> > // Declare the eBPF program mprotect_audit which attaches to
> > // to the file_mprotect LSM hook and accepts three arguments.
> > SEC("lsm/file_mprotect")
> > int BPF_PROG(mprotect_audit, struct vm_area_struct *vma,
> > unsigned long reqprot, unsigned long prot, int ret)
> > {
> > unsigned long vm_start = vma->vm_start;
> >
> > return 0;
> > }
> >
> > By relocating field offsets, BTF makes a large portion of kernel data
> > structures readily accessible across kernel versions without requiring a
> > large corpus of BPF helper functions and requiring recompilation with
> > every kernel version. The BTF type information is also used by the BPF
> > verifier to validate memory accesses within the BPF program and also
> > prevents arbitrary writes to the kernel memory.
> >
> > The limitations of BTF compatibility are described in BPF Co-Re
> > (http://vger.kernel.org/bpfconf2019_talks/bpf-core.pdf, i.e. field
> > renames, #defines and changes to the signature of LSM hooks). This
> > design imposes that the MAC policy (eBPF programs) be updated when the
> > inspected kernel structures change outside of BTF compatibility
> > guarantees. In practice, this is only required when a structure field
> > used by a current policy is removed (or renamed) or when the used LSM
> > hooks change. We expect the maintenance cost of these changes to be
> > acceptable as compared to the design presented in the RFC.
> >
> > (https://lore.kernel.org/bpf/20190910115527.5235-1-kpsingh@chromium.org/).
> >
> > # Usage Examples
> >
> > A simple example and some documentation is included in the patchset.
> > In order to better illustrate the capabilities of the framework some
> > more advanced prototype (not-ready for review) code has also been
> > published separately:
> >
> > * Logging execution events (including environment variables and
> > arguments)
> > https://github.com/sinkap/linux-krsi/blob/patch/v1/examples/samples/bpf/lsm_audit_env.c
> >
> > * Detecting deletion of running executables:
> > https://github.com/sinkap/linux-krsi/blob/patch/v1/examples/samples/bpf/lsm_detect_exec_unlink.c
> >
> > * Detection of writes to /proc/<pid>/mem:
> > https://github.com/sinkap/linux-krsi/blob/patch/v1/examples/samples/bpf/lsm_audit_env.c
> >
> > We have updated Google's internal telemetry infrastructure and have
> > started deploying this LSM on our Linux Workstations. This gives us more
> > confidence in the real-world applications of such a system.
> >
> >
> > KP Singh (8):
> > bpf: Introduce BPF_PROG_TYPE_LSM
> > security: Refactor declaration of LSM hooks
> > bpf: lsm: provide attachment points for BPF LSM programs
> > bpf: lsm: Implement attach, detach and execution
> > bpf: lsm: Initialize the BPF LSM hooks
> > tools/libbpf: Add support for BPF_PROG_TYPE_LSM
> > bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM
> > bpf: lsm: Add Documentation
> >
> > Documentation/bpf/bpf_lsm.rst | 150 +++++
> > Documentation/bpf/index.rst | 1 +
> > MAINTAINERS | 1 +
> > include/linux/bpf.h | 3 +
> > include/linux/bpf_lsm.h | 32 +
> > include/linux/bpf_types.h | 4 +
> > include/linux/lsm_hook_defs.h | 378 +++++++++++
> > include/linux/lsm_hooks.h | 627 +-----------------
> > include/uapi/linux/bpf.h | 2 +
> > init/Kconfig | 10 +
> > kernel/bpf/Makefile | 1 +
> > kernel/bpf/bpf_lsm.c | 60 ++
> > kernel/bpf/btf.c | 9 +-
> > kernel/bpf/syscall.c | 56 +-
> > kernel/bpf/trampoline.c | 17 +-
> > kernel/bpf/verifier.c | 19 +-
> > kernel/trace/bpf_trace.c | 12 +-
> > security/Kconfig | 10 +-
> > security/Makefile | 2 +
> > security/bpf/Makefile | 5 +
> > security/bpf/hooks.c | 26 +
> > security/security.c | 432 ++++++------
> > tools/include/uapi/linux/bpf.h | 2 +
> > tools/lib/bpf/bpf.c | 3 +-
> > tools/lib/bpf/libbpf.c | 39 +-
> > tools/lib/bpf/libbpf.h | 4 +
> > tools/lib/bpf/libbpf.map | 3 +
> > tools/lib/bpf/libbpf_probes.c | 1 +
> > tools/testing/selftests/bpf/config | 2 +
> > tools/testing/selftests/bpf/lsm_helpers.h | 19 +
> > .../selftests/bpf/prog_tests/lsm_test.c | 112 ++++
> > .../selftests/bpf/progs/lsm_int_hook.c | 54 ++
> > .../selftests/bpf/progs/lsm_void_hook.c | 41 ++
> > 33 files changed, 1277 insertions(+), 860 deletions(-)
> > create mode 100644 Documentation/bpf/bpf_lsm.rst
> > create mode 100644 include/linux/bpf_lsm.h
> > create mode 100644 include/linux/lsm_hook_defs.h
> > create mode 100644 kernel/bpf/bpf_lsm.c
> > create mode 100644 security/bpf/Makefile
> > create mode 100644 security/bpf/hooks.c
> > create mode 100644 tools/testing/selftests/bpf/lsm_helpers.h
> > create mode 100644 tools/testing/selftests/bpf/prog_tests/lsm_test.c
> > create mode 100644 tools/testing/selftests/bpf/progs/lsm_int_hook.c
> > create mode 100644 tools/testing/selftests/bpf/progs/lsm_void_hook.c
> >
> > --
> > 2.20.1
> >
>
> --
> Kees Cook
prev parent reply other threads:[~2020-03-25 19:42 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-25 15:26 [PATCH bpf-next v6 0/8] MAC and Audit policy using eBPF (KRSI) KP Singh
2020-03-25 15:26 ` [PATCH bpf-next v6 1/8] bpf: Introduce BPF_PROG_TYPE_LSM KP Singh
2020-03-26 1:51 ` Andrii Nakryiko
2020-03-26 13:11 ` KP Singh
2020-03-25 15:26 ` [PATCH bpf-next v6 2/8] security: Refactor declaration of LSM hooks KP Singh
2020-03-25 22:25 ` Casey Schaufler
2020-03-25 23:46 ` KP Singh
2020-03-25 15:26 ` [PATCH bpf-next v6 3/8] bpf: lsm: provide attachment points for BPF LSM programs KP Singh
2020-03-25 19:28 ` Kees Cook
2020-03-25 19:39 ` KP Singh
2020-03-25 20:07 ` Kees Cook
2020-03-25 20:14 ` KP Singh
2020-03-25 15:26 ` [PATCH bpf-next v6 4/8] bpf: lsm: Implement attach, detach and execution KP Singh
2020-03-26 1:49 ` Andrii Nakryiko
2020-03-26 13:35 ` KP Singh
2020-03-25 15:26 ` [PATCH bpf-next v6 5/8] bpf: lsm: Initialize the BPF LSM hooks KP Singh
2020-03-25 19:30 ` Kees Cook
2020-03-25 15:26 ` [PATCH bpf-next v6 6/8] tools/libbpf: Add support for BPF_PROG_TYPE_LSM KP Singh
2020-03-26 1:56 ` Andrii Nakryiko
2020-03-25 15:26 ` [PATCH bpf-next v6 7/8] bpf: lsm: Add selftests " KP Singh
2020-03-26 2:01 ` Andrii Nakryiko
2020-03-26 13:36 ` KP Singh
2020-03-25 15:26 ` [PATCH bpf-next v6 8/8] bpf: lsm: Add Documentation KP Singh
2020-03-25 19:24 ` [PATCH bpf-next v6 0/8] MAC and Audit policy using eBPF (KRSI) Kees Cook
2020-03-25 19:42 ` KP Singh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200325194238.GB22898@chromium.org \
--to=kpsingh@chromium.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=jackmanb@chromium.org \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pjt@google.com \
--cc=revest@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).