SELinux Archive on lore.kernel.org
 help / color / Atom feed
* Question about BPF acccess checks
@ 2019-08-16  7:27 Dominick Grift
  2019-08-16 16:35 ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2019-08-16  7:27 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 787 bytes --]

As of systemd v243rc1 I have been noticing bpf prog_load and prog_run access checks for systemd --user instances (only if secure boot is disabled)
I suspect that this is for IPAddressAllow/Deny= functionality.
So i tried it out and I was not allowed to use the above due to lack of root-access.

Then i read this:
https://lore.kernel.org/linux-security-module/4F52274A-CD70-4261-A255-2C4A7E818141@fb.com/T/#t

My question is: Is it expected that BPF prog_load and prog_run is checked when an *unprivileged* process, i suppose, tries to load and run bpf progs?

Are prog_load and prog_run unprivileged operations?

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Question about BPF acccess checks
  2019-08-16  7:27 Question about BPF acccess checks Dominick Grift
@ 2019-08-16 16:35 ` Stephen Smalley
  2019-08-16 16:53   ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2019-08-16 16:35 UTC (permalink / raw)
  To: selinux, Dominick Grift

On 8/16/19 3:27 AM, Dominick Grift wrote:
> As of systemd v243rc1 I have been noticing bpf prog_load and prog_run access checks for systemd --user instances (only if secure boot is disabled)
> I suspect that this is for IPAddressAllow/Deny= functionality.
> So i tried it out and I was not allowed to use the above due to lack of root-access.
> 
> Then i read this:
> https://lore.kernel.org/linux-security-module/4F52274A-CD70-4261-A255-2C4A7E818141@fb.com/T/#t
> 
> My question is: Is it expected that BPF prog_load and prog_run is checked when an *unprivileged* process, i suppose, tries to load and run bpf progs?
> 
> Are prog_load and prog_run unprivileged operations?

They can be checked for processes that do not have CAP_SYS_ADMIN if that 
is what you are asking.  This can occur either during bpf(2) system call 
processing if unprivileged_bpf_disabled is 0 (for prog_load and/or 
prog_run), or upon receiving a bpf prog fd from another process (for 
prog_run). It is possible that the specific operation will nonetheless 
fail due to a later CAP_SYS_ADMIN check applied for specific kinds of 
bpf programs.  So it depends on the specifics.

Android policy appears to have changed over time, with netd originally 
allowed both prog_load and prog_run (but not sys_admin), and then later 
bpf program loading was migrated into a separate bpfloader process (with 
prog_load but not sys_admin) and netd was reduced to prog_run, and still 
later sys_admin was added to bpfloader to enable loading bpf programs 
with tracepoints. Similarly there has been an evolution in the handling 
of bpf maps.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Question about BPF acccess checks
  2019-08-16 16:35 ` Stephen Smalley
@ 2019-08-16 16:53   ` Dominick Grift
  2019-08-16 17:28     ` Stephen Smalley
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2019-08-16 16:53 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 2240 bytes --]

On Fri, Aug 16, 2019 at 12:35:09PM -0400, Stephen Smalley wrote:
> On 8/16/19 3:27 AM, Dominick Grift wrote:
> > As of systemd v243rc1 I have been noticing bpf prog_load and prog_run access checks for systemd --user instances (only if secure boot is disabled)
> > I suspect that this is for IPAddressAllow/Deny= functionality.
> > So i tried it out and I was not allowed to use the above due to lack of root-access.
> > 
> > Then i read this:
> > https://lore.kernel.org/linux-security-module/4F52274A-CD70-4261-A255-2C4A7E818141@fb.com/T/#t
> > 
> > My question is: Is it expected that BPF prog_load and prog_run is checked when an *unprivileged* process, i suppose, tries to load and run bpf progs?
> > 
> > Are prog_load and prog_run unprivileged operations?
> 
> They can be checked for processes that do not have CAP_SYS_ADMIN if that is
> what you are asking.  This can occur either during bpf(2) system call

Yes I suppose that was what I was asking. According to an LWN article today unprivileged bpf is not going to happen.
Thus i dontaudited these two since it does not work presently, and it is not going to work in the future.

https://defensec.nl/gitweb/?p=dssp2.git;a=commitdiff;h=1ef329b09a3bee549cd08640663ba5e8ed9d3f56

Thanks

> processing if unprivileged_bpf_disabled is 0 (for prog_load and/or
> prog_run), or upon receiving a bpf prog fd from another process (for
> prog_run). It is possible that the specific operation will nonetheless fail
> due to a later CAP_SYS_ADMIN check applied for specific kinds of bpf
> programs.  So it depends on the specifics.
> 
> Android policy appears to have changed over time, with netd originally
> allowed both prog_load and prog_run (but not sys_admin), and then later bpf
> program loading was migrated into a separate bpfloader process (with
> prog_load but not sys_admin) and netd was reduced to prog_run, and still
> later sys_admin was added to bpfloader to enable loading bpf programs with
> tracepoints. Similarly there has been an evolution in the handling of bpf
> maps.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Question about BPF acccess checks
  2019-08-16 16:53   ` Dominick Grift
@ 2019-08-16 17:28     ` Stephen Smalley
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2019-08-16 17:28 UTC (permalink / raw)
  To: selinux, Dominick Grift

On 8/16/19 12:53 PM, Dominick Grift wrote:
> On Fri, Aug 16, 2019 at 12:35:09PM -0400, Stephen Smalley wrote:
>> On 8/16/19 3:27 AM, Dominick Grift wrote:
>>> As of systemd v243rc1 I have been noticing bpf prog_load and prog_run access checks for systemd --user instances (only if secure boot is disabled)
>>> I suspect that this is for IPAddressAllow/Deny= functionality.
>>> So i tried it out and I was not allowed to use the above due to lack of root-access.
>>>
>>> Then i read this:
>>> https://lore.kernel.org/linux-security-module/4F52274A-CD70-4261-A255-2C4A7E818141@fb.com/T/#t
>>>
>>> My question is: Is it expected that BPF prog_load and prog_run is checked when an *unprivileged* process, i suppose, tries to load and run bpf progs?
>>>
>>> Are prog_load and prog_run unprivileged operations?
>>
>> They can be checked for processes that do not have CAP_SYS_ADMIN if that is
>> what you are asking.  This can occur either during bpf(2) system call
> 
> Yes I suppose that was what I was asking. According to an LWN article today unprivileged bpf is not going to happen.

There was sufficient disagreement in that thread by other kernel 
developers that you shouldn't assume it.

> Thus i dontaudited these two since it does not work presently, and it is not going to work in the future.
> 
> https://defensec.nl/gitweb/?p=dssp2.git;a=commitdiff;h=1ef329b09a3bee549cd08640663ba5e8ed9d3f56

That's fine as an interim workaround to avoid noise in your logs but it 
may in fact be supported some day.

> 
> Thanks
> 
>> processing if unprivileged_bpf_disabled is 0 (for prog_load and/or
>> prog_run), or upon receiving a bpf prog fd from another process (for
>> prog_run). It is possible that the specific operation will nonetheless fail
>> due to a later CAP_SYS_ADMIN check applied for specific kinds of bpf
>> programs.  So it depends on the specifics.
>>
>> Android policy appears to have changed over time, with netd originally
>> allowed both prog_load and prog_run (but not sys_admin), and then later bpf
>> program loading was migrated into a separate bpfloader process (with
>> prog_load but not sys_admin) and netd was reduced to prog_run, and still
>> later sys_admin was added to bpfloader to enable loading bpf programs with
>> tracepoints. Similarly there has been an evolution in the handling of bpf
>> maps.
> 


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-16  7:27 Question about BPF acccess checks Dominick Grift
2019-08-16 16:35 ` Stephen Smalley
2019-08-16 16:53   ` Dominick Grift
2019-08-16 17:28     ` Stephen Smalley

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org selinux@archiver.kernel.org
	public-inbox-index selinux


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/ public-inbox