* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down [not found] ` <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk> @ 2017-10-19 22:18 ` Alexei Starovoitov 2017-10-20 2:47 ` joeyli 2017-10-20 8:08 ` David Howells 2017-10-19 22:48 ` David Howells 1 sibling, 2 replies; 13+ messages in thread From: Alexei Starovoitov @ 2017-10-19 22:18 UTC (permalink / raw) To: David Howells Cc: linux-security-module, gnomes, linux-efi, matthew.garrett, gregkh, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev On Thu, Oct 19, 2017 at 03:52:49PM +0100, David Howells wrote: > From: Chun-Yi Lee <jlee@suse.com> > > There are some bpf functions can be used to read kernel memory: > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow > private keys in kernel memory (e.g. the hibernation image signing key) to > be read by an eBPF program. Prohibit those functions when the kernel is > locked down. > > Signed-off-by: Chun-Yi Lee <jlee@suse.com> > Signed-off-by: David Howells <dhowells@redhat.com> > cc: netdev@vger.kernel.org > --- > > kernel/trace/bpf_trace.c | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > index dc498b605d5d..35e85a3fdb37 100644 > --- a/kernel/trace/bpf_trace.c > +++ b/kernel/trace/bpf_trace.c > @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) > { > int ret; > > + if (kernel_is_locked_down("BPF")) { > + memset(dst, 0, size); > + return -EPERM; > + } That doesn't help the lockdown purpose. If you don't trust the root the only way to prevent bpf read memory is to disable the whole thing. Have a single check in sys_bpf() to disallow everything if kernel_is_locked_down() and don't add overhead to critical path like bpf_probe_read(). ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down 2017-10-19 22:18 ` [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down Alexei Starovoitov @ 2017-10-20 2:47 ` joeyli 2017-10-20 8:08 ` David Howells 1 sibling, 0 replies; 13+ messages in thread From: joeyli @ 2017-10-20 2:47 UTC (permalink / raw) To: Alexei Starovoitov Cc: David Howells, linux-security-module, gnomes, linux-efi, matthew.garrett, gregkh, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev, Gary Lin Hi Alexei, Thanks for your review! On Thu, Oct 19, 2017 at 03:18:30PM -0700, Alexei Starovoitov wrote: > On Thu, Oct 19, 2017 at 03:52:49PM +0100, David Howells wrote: > > From: Chun-Yi Lee <jlee@suse.com> > > > > There are some bpf functions can be used to read kernel memory: > > bpf_probe_read, bpf_probe_write_user and bpf_trace_printk. These allow > > private keys in kernel memory (e.g. the hibernation image signing key) to > > be read by an eBPF program. Prohibit those functions when the kernel is > > locked down. > > > > Signed-off-by: Chun-Yi Lee <jlee@suse.com> > > Signed-off-by: David Howells <dhowells@redhat.com> > > cc: netdev@vger.kernel.org > > --- > > > > kernel/trace/bpf_trace.c | 11 +++++++++++ > > 1 file changed, 11 insertions(+) > > > > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c > > index dc498b605d5d..35e85a3fdb37 100644 > > --- a/kernel/trace/bpf_trace.c > > +++ b/kernel/trace/bpf_trace.c > > @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) > > { > > int ret; > > > > + if (kernel_is_locked_down("BPF")) { > > + memset(dst, 0, size); > > + return -EPERM; > > + } > > That doesn't help the lockdown purpose. > If you don't trust the root the only way to prevent bpf read > memory is to disable the whole thing. Not totally untrust root, I don't want that root reads arbitrary memory address through bpf. Is it not enough to lock down bpf_probe_read, bpf_probe_write_user and bpf_trace_printk? > Have a single check in sys_bpf() to disallow everything if kernel_is_locked_down() > and don't add overhead to critical path like bpf_probe_read(). > Yes, it give overhead to bpf_probe_read but it prevents arbitrary memory read. Another idea is signing bpf bytecode then verifying signture when loading to kernel. Thanks a lot! Joey Lee ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down 2017-10-19 22:18 ` [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down Alexei Starovoitov 2017-10-20 2:47 ` joeyli @ 2017-10-20 8:08 ` David Howells 2017-10-20 15:57 ` jlee 2017-10-20 16:03 ` David Howells 1 sibling, 2 replies; 13+ messages in thread From: David Howells @ 2017-10-20 8:08 UTC (permalink / raw) To: joeyli Cc: dhowells, Alexei Starovoitov, linux-security-module, gnomes, linux-efi, matthew.garrett, gregkh, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev, Gary Lin Hi Joey, Should I just lock down sys_bpf() entirely for now? We can always free it up somewhat later. David ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down 2017-10-20 8:08 ` David Howells @ 2017-10-20 15:57 ` jlee 2017-10-20 23:00 ` Alexei Starovoitov 2017-10-23 14:51 ` David Howells 2017-10-20 16:03 ` David Howells 1 sibling, 2 replies; 13+ messages in thread From: jlee @ 2017-10-20 15:57 UTC (permalink / raw) To: David Howells Cc: Alexei Starovoitov, linux-security-module, gnomes, linux-efi, matthew.garrett, gregkh, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev, Gary Lin On Fri, Oct 20, 2017 at 09:08:48AM +0100, David Howells wrote: > Hi Joey, > > Should I just lock down sys_bpf() entirely for now? We can always free it up > somewhat later. > > David OK~~ Please just remove my patch until we find out a way to verify bpf code or protect sensitive data in memory. I think that we don't need to lock down sys_bpf() now because we didn't lock down other interfaces for reading arbitrary address like /dev/mem and /dev/kmem. Thanks a lot! Joey Lee ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down 2017-10-20 15:57 ` jlee @ 2017-10-20 23:00 ` Alexei Starovoitov 2017-10-23 14:51 ` David Howells 1 sibling, 0 replies; 13+ messages in thread From: Alexei Starovoitov @ 2017-10-20 23:00 UTC (permalink / raw) To: jlee Cc: David Howells, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev, Gary Lin On Fri, Oct 20, 2017 at 11:57:48PM +0800, jlee@suse.com wrote: > On Fri, Oct 20, 2017 at 09:08:48AM +0100, David Howells wrote: > > Hi Joey, > > > > Should I just lock down sys_bpf() entirely for now? We can always free it up > > somewhat later. > > > > David > > OK~~ Please just remove my patch until we find out a way to > verify bpf code or protect sensitive data in memory. > > I think that we don't need to lock down sys_bpf() now because > we didn't lock down other interfaces for reading arbitrary > address like /dev/mem and /dev/kmem. If you want to lock down read access you'd need to disable not only bpf, but all of kprobe and likey ftrace, since untrusted root can infer kernel data by observing function execution even if it cannot load modules and bpf progs. ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down 2017-10-20 15:57 ` jlee 2017-10-20 23:00 ` Alexei Starovoitov @ 2017-10-23 14:51 ` David Howells 1 sibling, 0 replies; 13+ messages in thread From: David Howells @ 2017-10-23 14:51 UTC (permalink / raw) To: Alexei Starovoitov Cc: dhowells, jlee, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev, Gary Lin Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > If you want to lock down read access you'd need to disable > not only bpf, but all of kprobe and likey ftrace, since > untrusted root can infer kernel data by observing function > execution even if it cannot load modules and bpf progs. Okay. David ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down 2017-10-20 8:08 ` David Howells 2017-10-20 15:57 ` jlee @ 2017-10-20 16:03 ` David Howells 2017-10-20 16:43 ` jlee 2017-10-23 14:53 ` David Howells 1 sibling, 2 replies; 13+ messages in thread From: David Howells @ 2017-10-20 16:03 UTC (permalink / raw) To: jlee-IBi9RG/b67k Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA, Alexei Starovoitov, linux-security-module-u79uwXL29TY76Z2rM5mHXA, gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io, linux-efi-u79uwXL29TY76Z2rM5mHXA, matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA, gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r, linux-kernel-u79uwXL29TY76Z2rM5mHXA, jforbes-H+wXaHxf7aLQT0dZR+AlfA, Daniel Borkmann, David S. Miller, netdev-u79uwXL29TY76Z2rM5mHXA, Gary Lin jlee-IBi9RG/b67k@public.gmane.org wrote: > I think that we don't need to lock down sys_bpf() now because > we didn't lock down other interfaces for reading arbitrary > address like /dev/mem and /dev/kmem. Ummm... See patch 4. You even gave me a Reviewed-by for it ;-) David ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down 2017-10-20 16:03 ` David Howells @ 2017-10-20 16:43 ` jlee 2017-10-23 14:53 ` David Howells 1 sibling, 0 replies; 13+ messages in thread From: jlee @ 2017-10-20 16:43 UTC (permalink / raw) To: David Howells Cc: Alexei Starovoitov, linux-security-module, gnomes, linux-efi, matthew.garrett, gregkh, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev, Gary Lin On Fri, Oct 20, 2017 at 05:03:22PM +0100, David Howells wrote: > jlee@suse.com wrote: > > > I think that we don't need to lock down sys_bpf() now because > > we didn't lock down other interfaces for reading arbitrary > > address like /dev/mem and /dev/kmem. > > Ummm... See patch 4. You even gave me a Reviewed-by for it ;-) > > David hm... patch 4 only prevents write_mem() but not read_mem(). Or I missed anything? Thanks Joey Lee ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down 2017-10-20 16:03 ` David Howells 2017-10-20 16:43 ` jlee @ 2017-10-23 14:53 ` David Howells [not found] ` <21530.1508770380-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org> 1 sibling, 1 reply; 13+ messages in thread From: David Howells @ 2017-10-23 14:53 UTC (permalink / raw) To: jlee Cc: dhowells, Alexei Starovoitov, linux-security-module, gnomes, linux-efi, matthew.garrett, gregkh, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev, Gary Lin jlee@suse.com wrote: > hm... patch 4 only prevents write_mem() but not read_mem(). > Or I missed anything? Actually, yes, as it happens, patch 11 prevents you from even opening /dev/mem and /dev/kmem by locking down open of /dev/port. So I've moved this bit to patch 4, simplified and posted a new variant for patch 4. David ^ permalink raw reply [flat|nested] 13+ messages in thread
[parent not found: <21530.1508770380-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>]
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down [not found] ` <21530.1508770380-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org> @ 2017-10-25 7:07 ` joeyli 0 siblings, 0 replies; 13+ messages in thread From: joeyli @ 2017-10-25 7:07 UTC (permalink / raw) To: David Howells Cc: Alexei Starovoitov, linux-security-module-u79uwXL29TY76Z2rM5mHXA, gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io, linux-efi-u79uwXL29TY76Z2rM5mHXA, matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA, gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r, linux-kernel-u79uwXL29TY76Z2rM5mHXA, jforbes-H+wXaHxf7aLQT0dZR+AlfA, Daniel Borkmann, David S. Miller, netdev-u79uwXL29TY76Z2rM5mHXA, Gary Lin On Mon, Oct 23, 2017 at 03:53:00PM +0100, David Howells wrote: > jlee-IBi9RG/b67k@public.gmane.org wrote: > > > hm... patch 4 only prevents write_mem() but not read_mem(). > > Or I missed anything? > > Actually, yes, as it happens, patch 11 prevents you from even opening /dev/mem > and /dev/kmem by locking down open of /dev/port. So I've moved this bit to > patch 4, simplified and posted a new variant for patch 4. > Thank you for pointing out! Joey Lee ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down [not found] ` <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk> 2017-10-19 22:18 ` [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down Alexei Starovoitov @ 2017-10-19 22:48 ` David Howells [not found] ` <482.1508453314-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org> 2017-11-09 17:15 ` David Howells 1 sibling, 2 replies; 13+ messages in thread From: David Howells @ 2017-10-19 22:48 UTC (permalink / raw) To: Alexei Starovoitov Cc: jlee, dhowells, linux-security-module, gnomes, linux-efi, gregkh, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > > @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) > > { > > int ret; > > > > + if (kernel_is_locked_down("BPF")) { > > + memset(dst, 0, size); > > + return -EPERM; > > + } > > That doesn't help the lockdown purpose. > If you don't trust the root the only way to prevent bpf read > memory is to disable the whole thing. > Have a single check in sys_bpf() to disallow everything if kernel_is_locked_down() > and don't add overhead to critical path like bpf_probe_read(). TBH, I've no idea how bpf does anything, so I can't say whether this is better, overkill or insufficient. David ^ permalink raw reply [flat|nested] 13+ messages in thread
[parent not found: <482.1508453314-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>]
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down [not found] ` <482.1508453314-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org> @ 2017-10-19 23:31 ` Alexei Starovoitov 0 siblings, 0 replies; 13+ messages in thread From: Alexei Starovoitov @ 2017-10-19 23:31 UTC (permalink / raw) To: David Howells Cc: jlee-IBi9RG/b67k, linux-security-module-u79uwXL29TY76Z2rM5mHXA, gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io, linux-efi-u79uwXL29TY76Z2rM5mHXA, gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r, linux-kernel-u79uwXL29TY76Z2rM5mHXA, jforbes-H+wXaHxf7aLQT0dZR+AlfA, Daniel Borkmann, David S. Miller, netdev-u79uwXL29TY76Z2rM5mHXA On Thu, Oct 19, 2017 at 11:48:34PM +0100, David Howells wrote: > Alexei Starovoitov <alexei.starovoitov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: > > > > @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) > > > { > > > int ret; > > > > > > + if (kernel_is_locked_down("BPF")) { > > > + memset(dst, 0, size); > > > + return -EPERM; > > > + } > > > > That doesn't help the lockdown purpose. > > If you don't trust the root the only way to prevent bpf read > > memory is to disable the whole thing. > > Have a single check in sys_bpf() to disallow everything if kernel_is_locked_down() > > and don't add overhead to critical path like bpf_probe_read(). > > TBH, I've no idea how bpf does anything, so I can't say whether this is > better, overkill or insufficient. ok. To make it clear: Nacked-by: Alexei Starovoitov <ast-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> For the current patch. Unnecessary checks for no good reason in performance critical functions are not acceptable. ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down 2017-10-19 22:48 ` David Howells [not found] ` <482.1508453314-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org> @ 2017-11-09 17:15 ` David Howells 1 sibling, 0 replies; 13+ messages in thread From: David Howells @ 2017-11-09 17:15 UTC (permalink / raw) To: Alexei Starovoitov Cc: dhowells, jlee, linux-security-module, gnomes, linux-efi, gregkh, linux-kernel, jforbes, Daniel Borkmann, David S. Miller, netdev Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > > TBH, I've no idea how bpf does anything, so I can't say whether this is > > better, overkill or insufficient. > > ok. To make it clear: > Nacked-by: Alexei Starovoitov <ast@kernel.org> > For the current patch. > Unnecessary checks for no good reason in performance critical > functions are not acceptable. They aren't unnecessary checks. Can you please suggest if there's some way more suitable than just killing bpf entirely? I don't know the code, and I presume you do. David ^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2017-11-09 17:15 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <150842463163.7923.11081723749106843698.stgit@warthog.procyon.org.uk>
[not found] ` <150842476953.7923.18174368926573855810.stgit@warthog.procyon.org.uk>
2017-10-19 22:18 ` [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down Alexei Starovoitov
2017-10-20 2:47 ` joeyli
2017-10-20 8:08 ` David Howells
2017-10-20 15:57 ` jlee
2017-10-20 23:00 ` Alexei Starovoitov
2017-10-23 14:51 ` David Howells
2017-10-20 16:03 ` David Howells
2017-10-20 16:43 ` jlee
2017-10-23 14:53 ` David Howells
[not found] ` <21530.1508770380-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-10-25 7:07 ` joeyli
2017-10-19 22:48 ` David Howells
[not found] ` <482.1508453314-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-10-19 23:31 ` Alexei Starovoitov
2017-11-09 17:15 ` David Howells
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).