From: Jonathan Calmels <jcalmels@3xx0.net>
To: brauner@kernel.org, ebiederm@xmission.com,
Jonathan Corbet <corbet@lwn.net>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
KP Singh <kpsingh@kernel.org>,
Matt Bobrowski <mattbobrowski@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
Luis Chamberlain <mcgrof@kernel.org>, Kees Cook <kees@kernel.org>,
Joel Granados <j.granados@samsung.com>,
John Johansen <john.johansen@canonical.com>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Mykola Lysenko <mykolal@fb.com>, Shuah Khan <shuah@kernel.org>
Cc: containers@lists.linux.dev, Jonathan Calmels <jcalmels@3xx0.net>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-doc@vger.kernel.org, linux-security-module@vger.kernel.org,
bpf@vger.kernel.org, apparmor@lists.ubuntu.com,
keyrings@vger.kernel.org, selinux@vger.kernel.org,
linux-kselftest@vger.kernel.org
Subject: [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks
Date: Sun, 9 Jun 2024 03:43:37 -0700 [thread overview]
Message-ID: <20240609104355.442002-5-jcalmels@3xx0.net> (raw)
In-Reply-To: <20240609104355.442002-1-jcalmels@3xx0.net>
This patch allows modifying the various capabilities of the struct cred
in BPF-LSM hooks. More specifically, the userns_create hook called
prior to creating a new user namespace.
With the introduction of userns capabilities, this effectively provides
a simple way for LSMs to control the capabilities granted to a user
namespace and all its descendants.
Update the selftests accordingly by dropping CAP_SYS_ADMIN in
namespaces and checking the resulting task's bounding set.
Signed-off-by: Jonathan Calmels <jcalmels@3xx0.net>
---
include/linux/lsm_hook_defs.h | 2 +-
include/linux/security.h | 4 +-
kernel/bpf/bpf_lsm.c | 55 +++++++++++++++++++
security/apparmor/lsm.c | 2 +-
security/security.c | 6 +-
security/selinux/hooks.c | 2 +-
.../selftests/bpf/prog_tests/deny_namespace.c | 12 ++--
.../selftests/bpf/progs/test_deny_namespace.c | 7 ++-
8 files changed, 76 insertions(+), 14 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index f804b76cde44..58d6d8f2511f 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -250,7 +250,7 @@ LSM_HOOK(int, -ENOSYS, task_prctl, int option, unsigned long arg2,
unsigned long arg3, unsigned long arg4, unsigned long arg5)
LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p,
struct inode *inode)
-LSM_HOOK(int, 0, userns_create, const struct cred *cred)
+LSM_HOOK(int, 0, userns_create, struct cred *cred)
LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag)
LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp,
u32 *secid)
diff --git a/include/linux/security.h b/include/linux/security.h
index 21cf70346b33..ffb1b0dd2aef 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -465,7 +465,7 @@ int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5);
void security_task_to_inode(struct task_struct *p, struct inode *inode);
-int security_create_user_ns(const struct cred *cred);
+int security_create_user_ns(struct cred *cred);
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
int security_msg_msg_alloc(struct msg_msg *msg);
@@ -1294,7 +1294,7 @@ static inline int security_task_prctl(int option, unsigned long arg2,
static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
{ }
-static inline int security_create_user_ns(const struct cred *cred)
+static inline int security_create_user_ns(struct cred *cred)
{
return 0;
}
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 68240c3c6e7d..6edba93ff883 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -382,10 +382,65 @@ bool bpf_lsm_is_trusted(const struct bpf_prog *prog)
return !btf_id_set_contains(&untrusted_lsm_hooks, prog->aux->attach_btf_id);
}
+static int bpf_lsm_btf_struct_access(struct bpf_verifier_log *log,
+ const struct bpf_reg_state *reg,
+ int off, int size)
+{
+ const struct btf_type *cred;
+ const struct btf_type *t;
+ s32 type_id;
+ size_t end;
+
+ type_id = btf_find_by_name_kind(reg->btf, "cred", BTF_KIND_STRUCT);
+ if (type_id < 0)
+ return -EINVAL;
+
+ t = btf_type_by_id(reg->btf, reg->btf_id);
+ cred = btf_type_by_id(reg->btf, type_id);
+ if (t != cred) {
+ bpf_log(log, "only read is supported\n");
+ return -EACCES;
+ }
+
+ switch (off) {
+ case offsetof(struct cred, cap_inheritable):
+ end = offsetofend(struct cred, cap_inheritable);
+ break;
+ case offsetof(struct cred, cap_permitted):
+ end = offsetofend(struct cred, cap_permitted);
+ break;
+ case offsetof(struct cred, cap_effective):
+ end = offsetofend(struct cred, cap_effective);
+ break;
+ case offsetof(struct cred, cap_bset):
+ end = offsetofend(struct cred, cap_bset);
+ break;
+ case offsetof(struct cred, cap_ambient):
+ end = offsetofend(struct cred, cap_ambient);
+ break;
+ case offsetof(struct cred, cap_userns):
+ end = offsetofend(struct cred, cap_userns);
+ break;
+ default:
+ bpf_log(log, "no write support to cred at off %d\n", off);
+ return -EACCES;
+ }
+
+ if (off + size > end) {
+ bpf_log(log,
+ "write access at off %d with size %d beyond the member of cred ended at %zu\n",
+ off, size, end);
+ return -EACCES;
+ }
+
+ return 0;
+}
+
const struct bpf_prog_ops lsm_prog_ops = {
};
const struct bpf_verifier_ops lsm_verifier_ops = {
.get_func_proto = bpf_lsm_func_proto,
.is_valid_access = btf_ctx_access,
+ .btf_struct_access = bpf_lsm_btf_struct_access,
};
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 6239777090c4..310c9fa3d4b4 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1036,7 +1036,7 @@ static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo
return error;
}
-static int apparmor_userns_create(const struct cred *cred)
+static int apparmor_userns_create(struct cred *cred)
{
struct aa_label *label;
struct aa_profile *profile;
diff --git a/security/security.c b/security/security.c
index e5da848c50b9..83cf2025c58e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3558,14 +3558,14 @@ void security_task_to_inode(struct task_struct *p, struct inode *inode)
}
/**
- * security_create_user_ns() - Check if creating a new userns is allowed
+ * security_create_user_ns() - Review permissions prior to userns creation
* @cred: prepared creds
*
- * Check permission prior to creating a new user namespace.
+ * Check and/or modify permissions prior to creating a new user namespace.
*
* Return: Returns 0 if successful, otherwise < 0 error code.
*/
-int security_create_user_ns(const struct cred *cred)
+int security_create_user_ns(struct cred *cred)
{
return call_int_hook(userns_create, cred);
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7eed331e90f0..28deb9510d8e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4263,7 +4263,7 @@ static void selinux_task_to_inode(struct task_struct *p,
spin_unlock(&isec->lock);
}
-static int selinux_userns_create(const struct cred *cred)
+static int selinux_userns_create(struct cred *cred)
{
u32 sid = current_sid();
diff --git a/tools/testing/selftests/bpf/prog_tests/deny_namespace.c b/tools/testing/selftests/bpf/prog_tests/deny_namespace.c
index 1bc6241b755b..1500578f9a30 100644
--- a/tools/testing/selftests/bpf/prog_tests/deny_namespace.c
+++ b/tools/testing/selftests/bpf/prog_tests/deny_namespace.c
@@ -5,6 +5,8 @@
#include <sched.h>
#include "cap_helpers.h"
#include <stdio.h>
+#include <stdbool.h>
+#include <sys/prctl.h>
static int wait_for_pid(pid_t pid)
{
@@ -29,7 +31,7 @@ static int wait_for_pid(pid_t pid)
* positive return value -> userns creation failed
* 0 -> userns creation succeeded
*/
-static int create_user_ns(void)
+static int create_user_ns(bool bpf)
{
pid_t pid;
@@ -40,6 +42,8 @@ static int create_user_ns(void)
if (pid == 0) {
if (unshare(CLONE_NEWUSER))
_exit(EXIT_FAILURE);
+ if (bpf && prctl(PR_CAPBSET_READ, CAP_SYS_ADMIN))
+ _exit(EXIT_FAILURE);
_exit(EXIT_SUCCESS);
}
@@ -53,11 +57,11 @@ static void test_userns_create_bpf(void)
cap_enable_effective(cap_mask, &old_caps);
- ASSERT_OK(create_user_ns(), "priv new user ns");
+ ASSERT_OK(create_user_ns(true), "priv new user ns");
cap_disable_effective(cap_mask, &old_caps);
- ASSERT_EQ(create_user_ns(), EPERM, "unpriv new user ns");
+ ASSERT_EQ(create_user_ns(true), EPERM, "unpriv new user ns");
if (cap_mask & old_caps)
cap_enable_effective(cap_mask, NULL);
@@ -70,7 +74,7 @@ static void test_unpriv_userns_create_no_bpf(void)
cap_disable_effective(cap_mask, &old_caps);
- ASSERT_OK(create_user_ns(), "no-bpf unpriv new user ns");
+ ASSERT_OK(create_user_ns(false), "no-bpf unpriv new user ns");
if (cap_mask & old_caps)
cap_enable_effective(cap_mask, NULL);
diff --git a/tools/testing/selftests/bpf/progs/test_deny_namespace.c b/tools/testing/selftests/bpf/progs/test_deny_namespace.c
index e96b901a733c..051906f80f4c 100644
--- a/tools/testing/selftests/bpf/progs/test_deny_namespace.c
+++ b/tools/testing/selftests/bpf/progs/test_deny_namespace.c
@@ -9,12 +9,13 @@ typedef struct { unsigned long long val; } kernel_cap_t;
struct cred {
kernel_cap_t cap_effective;
+ kernel_cap_t cap_userns;
} __attribute__((preserve_access_index));
char _license[] SEC("license") = "GPL";
SEC("lsm.s/userns_create")
-int BPF_PROG(test_userns_create, const struct cred *cred, int ret)
+int BPF_PROG(test_userns_create, struct cred *cred, int ret)
{
kernel_cap_t caps = cred->cap_effective;
__u64 cap_mask = 1ULL << CAP_SYS_ADMIN;
@@ -23,8 +24,10 @@ int BPF_PROG(test_userns_create, const struct cred *cred, int ret)
return 0;
ret = -EPERM;
- if (caps.val & cap_mask)
+ if (caps.val & cap_mask) {
+ cred->cap_userns.val &= ~cap_mask;
return 0;
+ }
return -EPERM;
}
--
2.45.2
next prev parent reply other threads:[~2024-06-09 10:40 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-09 10:43 [PATCH v2 0/4] Introduce user namespace capabilities Jonathan Calmels
2024-06-09 10:43 ` [PATCH v2 1/4] capabilities: Add " Jonathan Calmels
2024-06-10 1:50 ` Serge E. Hallyn
2024-06-10 8:47 ` Jonathan Calmels
2024-06-10 12:48 ` Serge E. Hallyn
2024-06-10 13:00 ` Serge E. Hallyn
2024-06-11 8:20 ` Jonathan Calmels
2024-06-15 15:19 ` Serge E. Hallyn
2024-06-09 10:43 ` [PATCH v2 2/4] capabilities: Add securebit to restrict userns caps Jonathan Calmels
2024-06-10 2:33 ` Serge E. Hallyn
2024-06-10 9:46 ` Jonathan Calmels
2024-06-10 13:05 ` Serge E. Hallyn
2024-06-28 14:43 ` Jarkko Sakkinen
2024-06-28 14:45 ` Jarkko Sakkinen
2024-06-09 10:43 ` [PATCH v2 3/4] capabilities: Add sysctl to mask off " Jonathan Calmels
2024-06-09 10:43 ` Jonathan Calmels [this message]
2024-06-10 0:18 ` [PATCH v2 4/4] bpf,lsm: Allow editing capabilities in BPF-LSM hooks Paul Moore
2024-06-11 8:09 ` Jonathan Calmels
2024-06-11 10:31 ` John Johansen
2024-06-11 19:01 ` Paul Moore
2024-06-11 22:20 ` Jonathan Calmels
2024-06-11 22:38 ` Paul Moore
2024-06-12 8:20 ` Jonathan Calmels
2024-06-12 17:29 ` Paul Moore
2024-06-13 3:54 ` John Johansen
2024-06-13 8:50 ` Jonathan Calmels
2024-06-13 20:55 ` Paul Moore
2024-06-15 15:20 ` Serge E. Hallyn
2024-06-13 10:45 ` Dr. Greg
2024-06-13 20:43 ` Paul Moore
2024-06-10 20:12 ` [PATCH v2 0/4] Introduce user namespace capabilities Josef Bacik
2024-06-11 8:33 ` Jonathan Calmels
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240609104355.442002-5-jcalmels@3xx0.net \
--to=jcalmels@3xx0.net \
--cc=andrii@kernel.org \
--cc=apparmor@lists.ubuntu.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=containers@lists.linux.dev \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=j.granados@samsung.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=john.johansen@canonical.com \
--cc=jolsa@kernel.org \
--cc=kees@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mattbobrowski@google.com \
--cc=mcgrof@kernel.org \
--cc=mykolal@fb.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sdf@google.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox