From: Beau Belgrave <beaub@linux.microsoft.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-trace-kernel@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>, bpf <bpf@vger.kernel.org>,
David Vernet <void@manifault.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Dave Thaler <dthaler@microsoft.com>,
Christian Brauner <brauner@kernel.org>,
Christoph Hellwig <hch@infradead.org>
Subject: Re: [PATCH] tracing/user_events: Run BPF program if attached
Date: Wed, 17 May 2023 18:18:14 -0700 [thread overview]
Message-ID: <20230518011814.GA294@W11-BEAU-MD.localdomain> (raw)
In-Reply-To: <CAADnVQJwK3p1QyYEvAn9B86M4nkX69kuUvx2W0Yqwy0e=RSPPg@mail.gmail.com>
On Wed, May 17, 2023 at 05:56:34PM -0700, Alexei Starovoitov wrote:
> On Wed, May 17, 2023 at 5:19 PM Beau Belgrave <beaub@linux.microsoft.com> wrote:
> >
> > On Wed, May 17, 2023 at 05:10:47PM -0700, Alexei Starovoitov wrote:
> > > On Wed, May 17, 2023 at 9:50 AM Beau Belgrave <beaub@linux.microsoft.com> wrote:
> > > > >
> > > > > >
> > > > > > Looks like user events were designed with intention to be unprivileged.
> > > > > > When I looked at kernel/trace/trace_events_user.c I assumed root.
> > > > > > I doubt other people reviewed it from security perspective.
> > > > > >
> > > > > > Recommending "chmod a+rw /sys/kernel/tracing/user_events_data" doesn't sound like a good idea.
> > > > > >
> > > > > > For example, I think the following is possible:
> > > > > > fd = open("/sys/kernel/tracing/user_events_data")
> > > > > > ioclt(fd, DIAG_IOCSDEL)
> > > > > > user_events_ioctl_del
> > > > > > delete_user_event(info->group, name);
> > > > > >
> > > > > > 'info' is different for every FD, but info->group is the same for all users/processes/fds,
> > > > > > because only one global init_group is created.
> > > > > > So one user can unregister other user event by knowing 'name'.
> > > > > > A security hole, no?
> > >
> > > ...
> > >
> > > > Regarding deleting events, only users that are given access can delete
> > > > events. They must know the event name, just like users with access to
> > > > delete files must know a path (and have access to it). Since the
> > > > write_index and other details are per-process, unless the user has
> > > > access to either /sys/kernel/tracing/events/user_events/* or
> > > > /sys/kernel/tracing/user_events_status, they do not know which names are
> > > > being used.
> > > >
> > > > If that is not enough, we could require CAP_SYSADMIN to be able to
> > > > delete events even when they have access to the file. Users can also
> > > > apply SELinux policies per-file to achieve further isolation, if
> > > > required.
> > >
> > > Whether /sys/kernel/tracing/user_events_status gets g+rw
> > > or it gets a+rw (as your documentation recommends)
> > > it is still a security issue.
> > > The "event name" is trivial to find out by looking at the source code
> > > of the target process or just "string target_binary".
> >
> > I guess, if they have access to the binary, etc.
> > So they need both access to the binary and to the tracefs directory.
> > We would not give them access like this in any normal setup other than a
> > developer environment.
> >
> > > Restricting to cap_sysadmin is not the answer, since you want unpriv.
> >
> > We do not need unpriv to delete events, only to write and create events.
> >
> > We allow unregistering call-sites, which would still work unpriv with
> > this requirement.
> >
> > > SElinux is not the answer either.
> > > Since it's unpriv, different processes should not be able to mess with
> > > user events of other processes.
> >
> > How is this different than uprobes if we give a user access to
> > /sys/kernel/tracing/dynamic_events? Users can delete those as well. I
> > don't see a difference here.
>
> Because kprobe/uprobe are root only.
> No sane person will do chmod a+rw /sys/kernel/tracing/uprobe_events.
> It's just like chmod a+rw /etc/passwd
>
> Whereas this is your recommended approach for user_events.
>
I believe those instructions are for development only. I'll get them
changed to a more secure approach. We don't want to folks leaving it
wide open.
We should tell folks to use a group and give access to the group like
Steven said earlier.
> > In our production environments we are not giving out wide security to
> > this file.
>
> Fine by me. Keep it insecure and broken. Do not send bpf patches then.
> I refuse to have bpf callable from such subsystems.
> Somebody will inevitably blame bpf for the insecurity of user_events.
The delete IOCTL is different than reg/unreg. I don't see a problem with
adding a CAP_SYSADMIN check on the delete IOCTL (and other delete paths)
to prevent this. It shouldn't affect anything we are doing to add this
and it makes it so non-admins cannot delete any events if they are given
write access to the user_events_data file.
Thanks,
-Beau
next prev parent reply other threads:[~2023-05-18 1:18 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-08 16:37 [PATCH] tracing/user_events: Run BPF program if attached Beau Belgrave
2023-05-09 15:24 ` Alexei Starovoitov
2023-05-09 17:01 ` Steven Rostedt
2023-05-09 20:30 ` Steven Rostedt
2023-05-09 20:42 ` Steven Rostedt
2023-05-15 16:57 ` Alexei Starovoitov
2023-05-15 18:33 ` Steven Rostedt
2023-05-15 19:35 ` Beau Belgrave
2023-05-15 21:38 ` Steven Rostedt
2023-05-15 19:24 ` Beau Belgrave
2023-05-15 21:57 ` Steven Rostedt
2023-05-17 0:36 ` Alexei Starovoitov
2023-05-17 0:56 ` Linus Torvalds
2023-05-17 1:46 ` Linus Torvalds
2023-05-17 2:29 ` Steven Rostedt
2023-05-17 3:03 ` Linus Torvalds
2023-05-17 17:22 ` Beau Belgrave
2023-05-17 18:15 ` Linus Torvalds
2023-05-17 19:07 ` Beau Belgrave
2023-05-17 19:26 ` Linus Torvalds
2023-05-17 19:36 ` Beau Belgrave
2023-05-17 19:36 ` Linus Torvalds
2023-05-17 19:37 ` Linus Torvalds
2023-05-17 23:00 ` Beau Belgrave
2023-05-17 23:14 ` Linus Torvalds
2023-05-17 23:25 ` Steven Rostedt
2023-05-18 0:14 ` Beau Belgrave
2023-05-18 0:23 ` Linus Torvalds
2023-05-17 20:08 ` Linus Torvalds
2023-05-17 1:26 ` Steven Rostedt
2023-05-17 16:50 ` Beau Belgrave
2023-05-18 0:10 ` Alexei Starovoitov
2023-05-18 0:19 ` Beau Belgrave
2023-05-18 0:56 ` Alexei Starovoitov
2023-05-18 1:18 ` Beau Belgrave [this message]
2023-05-18 2:08 ` Steven Rostedt
2023-05-18 3:14 ` Alexei Starovoitov
2023-05-18 13:36 ` Steven Rostedt
2023-05-18 17:28 ` Beau Belgrave
2023-06-01 9:46 ` Christian Brauner
2023-06-01 15:24 ` Beau Belgrave
2023-06-01 15:57 ` Christian Brauner
2023-06-01 16:29 ` Beau Belgrave
2023-06-06 13:37 ` Masami Hiramatsu
2023-06-06 17:05 ` Beau Belgrave
2023-06-07 14:07 ` Masami Hiramatsu
2023-06-07 19:26 ` Beau Belgrave
2023-06-08 0:25 ` Masami Hiramatsu
2023-05-17 17:51 ` Beau Belgrave
2023-06-06 13:57 ` Masami Hiramatsu
2023-06-06 16:57 ` Andrii Nakryiko
2023-06-06 20:57 ` Beau Belgrave
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230518011814.GA294@W11-BEAU-MD.localdomain \
--to=beaub@linux.microsoft.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=daniel@iogearbox.net \
--cc=dthaler@microsoft.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
--cc=torvalds@linux-foundation.org \
--cc=void@manifault.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox