From: David Miller <davem@davemloft.net>
To: chenbofeng.kernel@gmail.com
Cc: netdev@vger.kernel.org, Selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org, jeffv@google.com,
alexei.starovoitov@gmail.com, lorenzo@google.com,
daniel@iogearbox.net, sds@tycho.nsa.gov,
james.l.morris@oracle.com, paul@paul-moore.com, fengc@google.com
Subject: Re: [PATCH net-next v6 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control
Date: Wed, 18 Oct 2017 13:47:29 +0100 (WEST) [thread overview]
Message-ID: <20171018.134729.837318478487425125.davem@davemloft.net> (raw)
In-Reply-To: <20171016191135.8046-1-chenbofeng.kernel@gmail.com>
From: Chenbo Feng <chenbofeng.kernel@gmail.com>
Date: Mon, 16 Oct 2017 12:11:30 -0700
> Much like files and sockets, eBPF objects are accessed, controlled, and
> shared via a file descriptor (FD). Unlike files and sockets, the
> existing mechanism for eBPF object access control is very limited.
> Currently there are two options for granting accessing to eBPF
> operations: grant access to all processes, or only CAP_SYS_ADMIN
> processes. The CAP_SYS_ADMIN-only mode is not ideal because most users
> do not have this capability and granting a user CAP_SYS_ADMIN grants too
> many other security-sensitive permissions. It also unnecessarily allows
> all CAP_SYS_ADMIN processes access to eBPF functionality. Allowing all
> processes to access to eBPF objects is also undesirable since it has
> potential to allow unprivileged processes to consume kernel memory, and
> opens up attack surface to the kernel.
>
> Adding LSM hooks maintains the status quo for systems which do not use
> an LSM, preserving compatibility with userspace, while allowing security
> modules to choose how best to handle permissions on eBPF objects. Here
> is a possible use case for the lsm hooks with selinux module:
>
> The network-control daemon (netd) creates and loads an eBPF object for
> network packet filtering and analysis. It passes the object FD to an
> unprivileged network monitor app (netmonitor), which is not allowed to
> create, modify or load eBPF objects, but is allowed to read the traffic
> stats from the map.
>
> Selinux could use these hooks to grant the following permissions:
> allow netd self:bpf_map { create read write};
> allow netmonitor netd:fd use;
> allow netmonitor netd:bpf_map read;
>
> In this patch series, A file mode is added to bpf map to store the
> accessing mode. With this file mode flags, the map can be obtained read
> only, write only or read and write. With the help of this file mode,
> several security hooks can be added to the eBPF syscall implementations
> to do permissions checks. These LSM hooks are mainly focused on checking
> the process privileges before it obtains the fd for a specific bpf
> object. No matter from a file location or from a eBPF id. Besides that,
> a general check hook is also implemented at the start of bpf syscalls so
> that each security module can have their own implementation on the reset
> of bpf object related functionalities.
>
> In order to store the ownership and security information about eBPF
> maps, a security field pointer is added to the struct bpf_map. And the
> last two patch set are implementation of selinux check on these hooks
> introduced, plus an additional check when eBPF object is passed between
> processes using unix socket as well as binder IPC.
Series applied.
next prev parent reply other threads:[~2017-10-18 12:47 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-16 19:11 [PATCH net-next v6 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control Chenbo Feng
2017-10-16 19:11 ` [PATCH net-next v6 1/5] bpf: Add file mode configuration into bpf maps Chenbo Feng
2017-10-16 22:59 ` Daniel Borkmann
2017-10-18 13:52 ` Daniel Borkmann
2017-10-16 19:11 ` [PATCH net-next v6 2/5] bpf: Add tests for eBPF file mode Chenbo Feng
2017-10-16 23:00 ` Daniel Borkmann
2017-10-16 19:11 ` [PATCH net-next v6 3/5] security: bpf: Add LSM hooks for bpf object related syscall Chenbo Feng
2017-10-16 19:11 ` [PATCH net-next v6 4/5] selinux: bpf: Add selinux check for eBPF syscall operations Chenbo Feng
2017-10-16 19:11 ` [PATCH net-next v6 5/5] selinux: bpf: Add addtional check for bpf object file receive Chenbo Feng
2017-10-18 12:47 ` David Miller [this message]
2017-10-18 13:11 ` [PATCH net-next v6 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control David Miller
2017-10-19 1:49 ` James Morris
2017-10-19 9:48 ` Daniel Borkmann
2017-10-19 11:00 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171018.134729.837318478487425125.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=Selinux@tycho.nsa.gov \
--cc=alexei.starovoitov@gmail.com \
--cc=chenbofeng.kernel@gmail.com \
--cc=daniel@iogearbox.net \
--cc=fengc@google.com \
--cc=james.l.morris@oracle.com \
--cc=jeffv@google.com \
--cc=linux-security-module@vger.kernel.org \
--cc=lorenzo@google.com \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).