From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: "Toke Høiland-Jørgensen" <toke@kernel.org>,
"Lorenz Bauer" <oss@lmb.io>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"KP Singh" <kpsingh@kernel.org>,
"Stanislav Fomichev" <sdf@google.com>
Cc: bpf@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: Closing the BPF map permission loophole
Date: Wed, 28 Sep 2022 13:23:45 +0200 [thread overview]
Message-ID: <fe9fe2443b8401a076330a3019bd46f6c815a023.camel@huaweicloud.com> (raw)
In-Reply-To: <87mtajss8j.fsf@toke.dk>
On Wed, 2022-09-28 at 12:33 +0200, Toke Høiland-Jørgensen wrote:
> Roberto Sassu <roberto.sassu@huaweicloud.com> writes:
>
> > On Wed, 2022-09-28 at 09:52 +0100, Lorenz Bauer wrote:
> > > On Mon, 26 Sep 2022, at 17:18, Roberto Sassu wrote:
> > > > Uhm, if I get what you mean, you would like to add DAC controls
> > > > to
> > > > the
> > > > pinned map to decide if you can get a fd and with which modes.
> > > >
> > > > The problem I see is that a map exists regardless of the pinned
> > > > path
> > > > (just by ID).
> > >
> > > Can you spell this out for me? I imagine you're talking about
> > > MAP_GET_FD_BY_ID, but that is CAP_SYS_ADMIN only, right? Not
> > > great
> > > maybe, but no gaping hole IMO.
> >
> > +linux-security-module ML (they could be interested in this topic
> > as
> > well)
> >
> > Good to know! I didn't realize it before.
> >
> > I figured out better what you mean by escalating privileges.
> >
> > Pin a read-only fd, get a read-write fd from the pinned path.
> >
> > What you want to do is, if I pin a read-only fd, I should get read-
> > only
> > fds too, right?
> >
> > I think here there could be different views. From my perspective,
> > pinning is just creating a new link to an existing object.
> > Accessing
> > the link does not imply being able to access the object itself (the
> > same happens for files).
> >
> > I understand what you want to achieve. If I have to choose a
> > solution,
> > that would be doing something similar to files, i.e. add owner and
> > mode
> > information to the bpf_map structure (m_uid, m_gid, m_mode). We
> > could
> > add the MAP_CHMOD and MAP_CHOWN operations to the bpf() system call
> > to
> > modify the new fields.
> >
> > When you pin the map, the inode will get the owner and mode from
> > bpf_map. bpf_obj_get() will then do DAC-style verification similar
> > to
> > MAC-style verification (with security_bpf_map()).
>
> As someone pointed out during the discussing at LPC, this will
> effectively allow a user to create files owned by someone else, which
> is
> probably not a good idea either from a security PoV. (I.e., user A
> pins
> map owned by user B, so A creates a file owned by B).
Uhm, I see what you mean. Right, it is not a good idea, the owner of
the file should the one that pinned the map.
Other than that, DAC verification on the map would be still correct, as
it would be independent from the DAC verification of the file.
Roberto
next prev parent reply other threads:[~2022-09-28 11:24 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <a6c0bb85-6eeb-407e-a515-06f67e70db57@www.fastmail.com>
[not found] ` <8e243ad132ecf2885fc65c33c7793f0703937890.camel@huaweicloud.com>
[not found] ` <7f7c3337-74f1-424e-a14d-578c4c7ee2fe@www.fastmail.com>
[not found] ` <65546f56be138ab326544b7b2e59bb3175ec884a.camel@huaweicloud.com>
[not found] ` <b0c00f80-c11e-4f5d-ba63-2e9fb7cad561@www.fastmail.com>
[not found] ` <9aba20351924aa0d82d258205030ad4f2c404de2.camel@huaweicloud.com>
[not found] ` <98a26e5c-d44f-4e65-8186-c4e94918daa1@www.fastmail.com>
[not found] ` <06a47f11778ca9d074c815e57dc1c75d073b3a85.camel@huaweicloud.com>
[not found] ` <439dd1e5-71b8-49ed-8268-02b3428a55a4@www.fastmail.com>
2022-09-28 9:42 ` Closing the BPF map permission loophole Roberto Sassu
2022-09-28 10:33 ` Toke Høiland-Jørgensen
2022-09-28 11:23 ` Roberto Sassu [this message]
2022-09-29 0:24 ` Paul Moore
2022-09-29 7:54 ` Roberto Sassu
2022-09-29 15:27 ` Casey Schaufler
2022-09-30 7:42 ` Roberto Sassu
2022-09-29 22:30 ` Paul Moore
2022-09-30 9:56 ` Roberto Sassu
2022-09-30 20:43 ` Paul Moore
2022-10-04 8:03 ` Roberto Sassu
[not found] ` <21be7356-8710-408a-94e3-1a0d3f5f842e@www.fastmail.com>
2022-10-06 7:15 ` Roberto Sassu
[not found] ` <CAEf4BzawXPiXY3mNabi0ggyTS9wtg6mh8x97=fYGhuGj4=2hnw@mail.gmail.com>
2022-10-31 11:53 ` Roberto Sassu
2022-11-04 21:10 ` Andrii Nakryiko
2022-11-07 12:11 ` Roberto Sassu
2022-12-12 16:10 ` Roberto Sassu
2022-12-12 17:07 ` Alexei Starovoitov
2022-12-12 18:19 ` Roberto Sassu
2022-12-16 10:23 ` Roberto Sassu
2022-12-20 20:44 ` Paul Moore
2022-12-21 9:53 ` Roberto Sassu
2022-12-22 0:55 ` Paul Moore
2023-01-10 9:11 ` Roberto Sassu
2023-01-13 23:44 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fe9fe2443b8401a076330a3019bd46f6c815a023.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kpsingh@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=oss@lmb.io \
--cc=sdf@google.com \
--cc=toke@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).