All of lore.kernel.org
 help / color / mirror / Atom feed
From: Alexei Starovoitov <ast@plumgrid.com>
To: Kees Cook <keescook@chromium.org>,
	Daniel Borkmann <daniel@iogearbox.net>
Cc: "David S. Miller" <davem@davemloft.net>,
	Andy Lutomirski <luto@amacapital.net>,
	Ingo Molnar <mingo@kernel.org>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	Eric Dumazet <edumazet@google.com>,
	Linux API <linux-api@vger.kernel.org>,
	Network Development <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs
Date: Wed, 7 Oct 2015 16:49:38 -0700	[thread overview]
Message-ID: <5615AF92.50402@plumgrid.com> (raw)
In-Reply-To: <CAGXu5jLM5Wp_PjdcEcxUo-VoEmsSycF236MZaJd2wvLjbQx+eQ@mail.gmail.com>

On 10/7/15 3:22 PM, Kees Cook wrote:
>> Yes, I agree with you that there would be a CVE regardless. I still
>> >like the option of configurable access, not a big fan of the sysctl
>> >either. Thinking out loudly, what about a Kconfig option? We started
>> >out like this on bpf(2) itself (initially under expert settings, now
>> >afaik not anymore), and depending on usage scenarios, a requirement
>> >could be to have immutable cap_sys_admin-only, for other use-cases a
>> >requirement on the kernel might instead be to have unprivileged users
>> >as well.
> It'd be nice to have it just be a Kconfig, but this shoots
> distro-users in the foot if a distro decides to include unpriv bpf and
> the user doesn't want it. I think it's probably a good idea to keep
> the sysctl.

I don't like introducing Kconfig for no clear reason. It only adds
to the testing matrix and makes it harder to hack around.
Paranoid distros can disable bpf via single config already,
there is no reason to go more fine grained here.
Unpriv checks add minimal amount of code, so even for tinification
purpose there is no need to chop of few bytes. tiny kernels would
disable bpf all together.

As far as sysctl we can look at two with similar purpose:
sysctl_perf_event_paranoid and modules_disabled.
First one is indeed multi level, but not because of the fear of bugs,
but because of real security implications. Like raw events on
hyperthreaded cpu or uncore events can extract data from other
user processes. So it controls these extra privileges.
For bpf there are no hw implications to deal with.
If we make seccomp+bpf in the future it shouldn't need another knob
or extra bit. There are no extra privileges to grant, so not needed.

modules_disabled is off by default and can be toggled on once.
I think for paranoid distro users that "don't want bpf" that is
the better model.
So I'm thinking to do sysctl_unprivileged_bpf_disabled that will be
0=off by default (meaning that users can load unpriv socket filter
programs and seccomp in the future) and that can be switched
to 1=on once and stay that way until reboot.
I think that's the best balance that avoids adding checks to all
apps that want to use bpf and admins can still act on it.
 From app point of view it's no different than bpf syscall
was not compiled in. So single feature test for bpf syscall will
be enough.

  reply	other threads:[~2015-10-07 23:49 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-05 20:48 [PATCH net-next 0/2] bpf: unprivileged Alexei Starovoitov
2015-10-05 20:48 ` [PATCH net-next 1/2] bpf: enable non-root eBPF programs Alexei Starovoitov
2015-10-05 22:14   ` Daniel Borkmann
     [not found]     ` <5612F639.2050305-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2015-10-06  0:51       ` Alexei Starovoitov
2015-10-06  0:51         ` Alexei Starovoitov
     [not found]         ` <56131B1F.80002-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-06  7:13           ` Ingo Molnar
2015-10-06  7:13             ` Ingo Molnar
2015-10-06  8:05             ` Daniel Borkmann
2015-10-06  8:20               ` Ingo Molnar
     [not found]                 ` <20151006082048.GA18287-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-10-06  8:39                   ` Daniel Borkmann
2015-10-06  8:39                     ` Daniel Borkmann
     [not found]                     ` <561388D1.30406-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2015-10-06 17:50                       ` Alexei Starovoitov
2015-10-06 17:50                         ` Alexei Starovoitov
2015-10-06 17:56                         ` Eric Dumazet
     [not found]                           ` <1444154160.9555.5.camel-XN9IlZ5yJG9HTL0Zs8A6p/gx64E7kk8eUsxypvmhUTTZJqsBc5GL+g@public.gmane.org>
2015-10-06 18:05                             ` Andy Lutomirski
2015-10-06 18:05                               ` Andy Lutomirski
2015-10-07  6:05                               ` Ingo Molnar
2015-10-06 19:26                           ` Alexei Starovoitov
     [not found]                         ` <561409EC.5050005-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-06 18:03                           ` Daniel Borkmann
2015-10-06 18:03                             ` Daniel Borkmann
2015-10-06 12:45           ` Daniel Borkmann
2015-10-06 12:45             ` Daniel Borkmann
2015-10-07 21:20             ` Alexei Starovoitov
     [not found]               ` <56158CAF.9030209-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-07 22:07                 ` Daniel Borkmann
2015-10-07 22:07                   ` Daniel Borkmann
2015-10-07 22:22                   ` Kees Cook
2015-10-07 23:49                     ` Alexei Starovoitov [this message]
     [not found]                       ` <5615AF92.50402-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-08  6:21                         ` Ingo Molnar
2015-10-08  6:21                           ` Ingo Molnar
2015-10-08  6:30                           ` Alexei Starovoitov
2015-10-08 17:42                       ` Kees Cook
     [not found]   ` <1444078101-29060-2-git-send-email-ast-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-05 21:00     ` Kees Cook
2015-10-05 21:00       ` Kees Cook
2015-10-05 21:12       ` Alexei Starovoitov
     [not found]         ` <5612E7C4.1010306-uqk4Ao+rVK5Wk0Htik3J/w@public.gmane.org>
2015-10-05 21:16           ` Andy Lutomirski
2015-10-05 21:16             ` Andy Lutomirski
2015-10-05 21:32             ` Alexei Starovoitov
2015-10-05 22:02         ` Kees Cook
2015-10-06  0:28           ` Alexei Starovoitov
2015-10-08  2:29     ` Alexei Starovoitov
2015-10-08  2:29       ` Alexei Starovoitov
2015-10-05 20:48 ` [PATCH net-next 2/2] bpf: charge user for creation of BPF maps and programs Alexei Starovoitov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5615AF92.50402@plumgrid.com \
    --to=ast@plumgrid.com \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=hannes@stressinduktion.org \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mingo@kernel.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.