From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: bpf@vger.kernel.org, kapron@google.com, teknoraver@meta.com,
roberto.sassu@huawei.com, paul@paul-moore.com, code@tyhicks.com,
xiyou.wangcong@gmail.com, bboscaccy@linux.microsoft.com,
ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org,
yonghong.song@linux.dev, john.fastabend@gmail.com,
kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com,
jolsa@kernel.org
Subject: [PATCH 0/1] libbpf: Convert ELF notes into read-only maps
Date: Wed, 5 Feb 2025 11:06:32 -0800
Message-ID: <20250205190918.2288389-1-bboscaccy@linux.microsoft.com>
While attempting to implement a bpf-based gatekeeper program as described in
https://lore.kernel.org/all/20250109214617.485144-1-bboscaccy@linux.microsoft.com/T/#mb10f3112df1a66c725df9d6035c5a68c72a0eb8d
we noticed that relying on IMA and fs-verity signatures alone was
insufficient. A user with sufficient privileges could ptrace, ld
preload or poke at memory in some other way while using a signed
lskel, leaving the signature intact, allowing them to load whatever
they wished into the kernel effectively circumventing the
gatekeeper. That may be considered insecure in some scenarios.
Here we propose a very simple method of allowing metadata to be stored
in skeletons or dynamic libbpf-based loaders, by simply treating note
sections as read-only maps that are visible to the gatekeeper
program. Gatekeeper programs can then iterate the fd_array and see if
there are any relevant maps that they wish to consult. No changes to
the kernel-proper are required for this, and this should help
facilitate the implementation and design of secure bpf-based
gatekeepers, while keeping with the overall philosophy of bpf and not
enforcing any obtrusive abstractions upon anyone.
Blaise Boscaccy (1):
libbpf: Convert ELF notes into read-only maps
tools/bpf/bpftool/gen.c | 4 ++--
tools/lib/bpf/libbpf.c | 6 ++++++
2 files changed, 8 insertions(+), 2 deletions(-)
--
2.48.1
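The cover letter says the note sections become read-only maps whose contents a gatekeeper can consult, which means the map value is the raw bytes of the section in the standard ELF note layout: a 12-byte header (namesz, descsz, type), then the owner name and the descriptor, each padded to 4-byte alignment. The following C program is an added example, not code from this patch or from libbpf: it builds a small note blob the way a loader might embed one, walks it entry by entry with bounds checks, and looks up an entry by owner name and type, which is the operation a consumer of such a map performs. The owner name "example-meta", the type values 1 and 2, and the descriptor contents are constructed for the example.

```c
/* Stand-alone parser/builder for the ELF (SysV) note format.
 * Illustrative code added alongside the cover letter; not libbpf's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct note_hdr { uint32_t namesz, descsz, type; };   /* same layout as Elf64_Nhdr */

static size_t note_align4(size_t n) { return (n + 3) & ~(size_t)3; }

struct note_entry {
    const char    *name;    /* NUL-terminated, or NULL when namesz == 0 */
    uint32_t       namesz;
    const uint8_t *desc;
    uint32_t       descsz;
    uint32_t       type;
};

typedef int (*note_cb)(const struct note_entry *e, void *ctx);

/* Walk every entry in a note blob, invoking cb (may be NULL) for each.
 * Returns the entry count, or -1 if the blob is malformed: truncated
 * header, name without a NUL inside namesz, or desc running past the end. */
int walk_notes(const uint8_t *buf, size_t len, note_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        struct note_hdr h;
        struct note_entry e;

        if (len - off < sizeof(h))
            return -1;
        memcpy(&h, buf + off, sizeof(h));
        off += sizeof(h);

        if (h.namesz > len - off)
            return -1;
        e.name = h.namesz ? (const char *)(buf + off) : NULL;
        if (e.name && e.name[h.namesz - 1] != '\0')
            return -1;
        off += note_align4(h.namesz);
        if (off > len)            /* tolerate a missing trailing pad */
            off = len;

        if (h.descsz > len - off)
            return -1;
        e.desc = buf + off;
        off += note_align4(h.descsz);
        if (off > len)
            off = len;

        e.namesz = h.namesz; e.descsz = h.descsz; e.type = h.type;
        if (cb && cb(&e, ctx))
            break;                /* callback asked to stop early */
        count++;
    }
    return count;
}

/* Append one note entry to out; returns bytes written, or 0 if it does not fit. */
size_t put_note(uint8_t *out, size_t cap, const char *name, uint32_t type,
                const void *desc, uint32_t descsz)
{
    uint32_t namesz = name ? (uint32_t)strlen(name) + 1 : 0;
    size_t need = sizeof(struct note_hdr) + note_align4(namesz) + note_align4(descsz);
    struct note_hdr h = { namesz, descsz, type };

    if (need > cap)
        return 0;
    memset(out, 0, need);         /* zero fill provides the alignment padding */
    memcpy(out, &h, sizeof(h));
    if (namesz)
        memcpy(out + sizeof(h), name, namesz);
    if (descsz)
        memcpy(out + sizeof(h) + note_align4(namesz), desc, descsz);
    return need;
}

struct find_ctx { const char *name; uint32_t type; struct note_entry hit; int found; };

static int find_cb(const struct note_entry *e, void *ctx)
{
    struct find_ctx *f = ctx;
    if (e->name && strcmp(e->name, f->name) == 0 && e->type == f->type) {
        f->hit = *e; f->found = 1;
        return 1;
    }
    return 0;
}

/* Look up the first entry with the given owner name and type. Returns its
 * descsz (and the desc pointer via *desc), or -1 if absent or malformed. */
long find_note(const uint8_t *buf, size_t len, const char *name, uint32_t type,
               const uint8_t **desc)
{
    struct find_ctx f;
    memset(&f, 0, sizeof(f));
    f.name = name; f.type = type;
    if (walk_notes(buf, len, find_cb, &f) < 0 || !f.found)
        return -1;
    if (desc)
        *desc = f.hit.desc;
    return f.hit.descsz;
}

/* Constructed sample: two notes under a hypothetical owner "example-meta". */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const char policy[] = "allow:xdp,tc";              /* 13 bytes incl. NUL */
    static const uint8_t digest[4] = { 0xde, 0xad, 0xbe, 0xef }; /* placeholder value */
    size_t n = 0, w;

    w = put_note(buf + n, cap - n, "example-meta", 1, policy, sizeof(policy));
    if (!w) return 0;
    n += w;
    w = put_note(buf + n, cap - n, "example-meta", 2, digest, sizeof(digest));
    if (!w) return 0;
    return n + w;
}

int main(void)
{
    uint8_t blob[128];
    size_t len = build_sample(blob, sizeof(blob));
    const uint8_t *desc = NULL;
    long n = find_note(blob, len, "example-meta", 1, &desc);

    printf("%d entries, policy note has %ld bytes: %s\n",
           walk_notes(blob, len, NULL, NULL), n, n > 0 ? (const char *)desc : "(none)");
    return 0;
}
```

The bounds checks in walk_notes are the part worth copying: because the map exposes the section verbatim, a consumer must treat namesz and descsz as untrusted lengths and verify the owner name is NUL-terminated before calling strcmp on it.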
Thread overview (5+ messages):
2025-02-05 19:06 Blaise Boscaccy [this message]
2025-02-05 19:06 ` [PATCH 1/1] libbpf: Convert ELF notes into read-only maps - Blaise Boscaccy
2025-02-05 21:22 ` Andrii Nakryiko
2025-02-06 18:34 ` Blaise Boscaccy
2025-02-06 22:04 ` Andrii Nakryiko