From: "Andy Lutomirski" <luto@kernel.org>
To: "Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii.nakryiko@gmail.com>,
"Maryam Tahhan" <mtahhan@redhat.com>
Cc: "Andrii Nakryiko" <andrii@kernel.org>,
bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
"Kees Cook" <keescook@chromium.org>,
"Christian Brauner" <brauner@kernel.org>,
lennart@poettering.net, cyphar@cyphar.com, kernel-team@meta.com
Subject: Re: [PATCH v2 bpf-next 00/18] BPF token
Date: Sat, 24 Jun 2023 08:28:04 -0700 [thread overview]
Message-ID: <8340aaf2-8b4c-4f7d-8eed-f72f615f6fd0@app.fastmail.com> (raw)
In-Reply-To: <fe47aeb6-dae8-43a6-bcb0-ada2ebf62e08@app.fastmail.com>
On Sat, Jun 24, 2023, at 6:59 AM, Andy Lutomirski wrote:
> On Fri, Jun 23, 2023, at 4:23 PM, Daniel Borkmann wrote:
>
> If this series was about passing a “may load kernel modules” token
> around, I think it would get an extremely chilly reception, even though
> we have module signatures. I don’t see anything about BPF that makes
> BPF tokens more reasonable unless a real security model is developed
> first.
>
To be clear, I'm not saying that there should not be a mechanism to use BPF from a user namespace. I'm saying the mechanism should have explicit access control. It wouldn't need to solve all problems right away, but it should allow incrementally more features to be enabled as the access control solution gets more powerful over time.
BPF, unlike kernel modules, has a verifier. While it would be a departure from current practice, permission to use BPF could come with an explicit list of allowed functions and allowed hooks.
(The hooks wouldn't just be a list, presumably -- premission to install an XDP program would be scoped to networks over which one has CAP_NET_ADMIN, presumably. Other hooks would have their own scoping. Attaching to a cgroup should (and maybe already does?) require some kind of permission on the cgroup. Etc.)
If new, more restrictive functions are needed, they could be added.
Alternatively, people could try a limited form of BPF proxying. It wouldn't need to be a full proxy -- an outside daemon really could approve the attachment of a BPF program, and it could parse the program, examine the list of function it uses and what the proposed attachment is to, and make an educated decision. This would need some API changes (maybe), but it seems eminently doable.
next prev parent reply other threads:[~2023-06-24 15:28 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-07 23:53 [PATCH v2 bpf-next 00/18] BPF token Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 01/18] bpf: introduce BPF token object Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 02/18] libbpf: add bpf_token_create() API Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 03/18] selftests/bpf: add BPF_TOKEN_CREATE test Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 04/18] bpf: move unprivileged checks into map_create() and bpf_prog_load() Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 05/18] bpf: inline map creation logic in map_create() function Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 06/18] bpf: centralize permissions checks for all BPF map types Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 07/18] bpf: add BPF token support to BPF_MAP_CREATE command Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 08/18] libbpf: add BPF token support to bpf_map_create() API Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 09/18] selftests/bpf: add BPF token-enabled test for BPF_MAP_CREATE command Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 10/18] bpf: add BPF token support to BPF_BTF_LOAD command Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 11/18] libbpf: add BPF token support to bpf_btf_load() API Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 12/18] selftests/bpf: add BPF token-enabled BPF_BTF_LOAD selftest Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 13/18] bpf: keep BPF_PROG_LOAD permission checks clear of validations Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 14/18] bpf: add BPF token support to BPF_PROG_LOAD command Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 15/18] bpf: take into account BPF token when fetching helper protos Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 16/18] bpf: consistenly use BPF token throughout BPF verifier logic Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 17/18] libbpf: add BPF token support to bpf_prog_load() API Andrii Nakryiko
2023-06-07 23:53 ` [PATCH v2 bpf-next 18/18] selftests/bpf: add BPF token-enabled BPF_PROG_LOAD tests Andrii Nakryiko
2023-06-08 18:49 ` [PATCH v2 bpf-next 00/18] BPF token Stanislav Fomichev
2023-06-08 22:17 ` Andrii Nakryiko
2023-06-09 11:17 ` Toke Høiland-Jørgensen
2023-06-09 18:21 ` Andrii Nakryiko
2023-06-09 21:21 ` Toke Høiland-Jørgensen
2023-06-09 22:03 ` Andrii Nakryiko
2023-06-12 10:49 ` Toke Høiland-Jørgensen
2023-06-12 22:08 ` Andrii Nakryiko
2023-06-13 21:48 ` Hao Luo
2023-06-14 12:06 ` Toke Høiland-Jørgensen
2023-06-15 22:55 ` Andrii Nakryiko
2023-06-09 18:32 ` Andy Lutomirski
2023-06-09 19:08 ` Andrii Nakryiko
2023-06-19 17:40 ` Andy Lutomirski
2023-06-21 23:48 ` Andrii Nakryiko
2023-06-22 8:22 ` Maryam Tahhan
2023-06-22 16:49 ` Andy Lutomirski
[not found] ` <5a75d1f0-4ed9-399c-4851-2df0755de9b5@redhat.com>
2023-06-22 18:40 ` Andrii Nakryiko
2023-06-22 21:04 ` Maryam Tahhan
2023-06-22 23:35 ` Andrii Nakryiko
2023-06-23 1:02 ` Andy Lutomirski
2023-06-23 15:10 ` Andy Lutomirski
2023-06-23 23:23 ` Daniel Borkmann
2023-06-24 13:59 ` Andy Lutomirski
2023-06-24 15:28 ` Andy Lutomirski [this message]
2023-06-26 15:23 ` Daniel Borkmann
2023-07-04 20:48 ` Andy Lutomirski
2023-07-04 21:06 ` Andy Lutomirski
2023-06-27 10:22 ` Djalal Harouni
2023-06-26 22:31 ` Andrii Nakryiko
2023-06-26 22:08 ` Andrii Nakryiko
2023-06-22 19:05 ` Andrii Nakryiko
2023-06-23 3:28 ` Andy Lutomirski
2023-06-23 16:13 ` Casey Schaufler
2023-06-26 22:08 ` Andrii Nakryiko
2023-06-22 18:20 ` Andrii Nakryiko
2023-06-23 23:07 ` Toke Høiland-Jørgensen
2023-06-26 22:08 ` Andrii Nakryiko
2023-07-04 21:05 ` Andy Lutomirski
2023-06-09 22:29 ` Djalal Harouni
2023-06-09 22:57 ` Andrii Nakryiko
2023-06-12 12:02 ` Djalal Harouni
2023-06-12 14:31 ` Djalal Harouni
2023-06-12 22:27 ` Andrii Nakryiko
2023-06-14 0:23 ` Djalal Harouni
2023-06-14 9:39 ` Christian Brauner
2023-06-15 22:48 ` Andrii Nakryiko
2023-06-23 22:18 ` Daniel Borkmann
2023-06-26 22:08 ` Andrii Nakryiko
2023-06-15 22:47 ` Andrii Nakryiko
2023-06-12 12:44 ` Dave Tucker
2023-06-12 15:52 ` Djalal Harouni
2023-06-12 23:04 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8340aaf2-8b4c-4f7d-8eed-f72f615f6fd0@app.fastmail.com \
--to=luto@kernel.org \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=daniel@iogearbox.net \
--cc=keescook@chromium.org \
--cc=kernel-team@meta.com \
--cc=lennart@poettering.net \
--cc=linux-security-module@vger.kernel.org \
--cc=mtahhan@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).