[PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

[PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

[Chenbo Feng]

From: Chenbo Feng <fengc@google.com>

This allows cgroup eBPF program to classify packet based on their
protocol or other detail information. Currently program need
CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
process with CAP_NET_ADMIN can already see all packets on the system,
for example, by creating an iptables rules that causes the packet to
be passed to userspace via NFLOG.

Signed-off-by: Chenbo Feng <fengc@google.com>
---
 kernel/bpf/verifier.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 339c8a1..94a9bc9 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2419,6 +2419,7 @@ static bool may_access_skb(enum bpf_prog_type type)
 	case BPF_PROG_TYPE_SOCKET_FILTER:
 	case BPF_PROG_TYPE_SCHED_CLS:
 	case BPF_PROG_TYPE_SCHED_ACT:
+	case BPF_PROG_TYPE_CGROUP_SKB:
 		return true;
 	default:
 		return false;
-- 
2.7.4

[PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program

[Chenbo Feng]

From: Chenbo Feng <fengc@google.com>

Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
capability while attaching the program to a cgroup only requires the
user have CAP_NET_ADMIN privilege. We can escape the capability
check when load the program just like socket filter program to make
the capability requirement consistent.

Change since v1:
Change the code style in order to be compliant with checkpatch.pl
preference

Signed-off-by: Chenbo Feng <fengc@google.com>
---
 kernel/bpf/syscall.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 265a0d8..59da103 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -815,7 +815,9 @@ static int bpf_prog_load(union bpf_attr *attr)
 	    attr->kern_version != LINUX_VERSION_CODE)
 		return -EINVAL;
 
-	if (type != BPF_PROG_TYPE_SOCKET_FILTER && !capable(CAP_SYS_ADMIN))
+	if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
+	    type != BPF_PROG_TYPE_CGROUP_SKB &&
+	    !capable(CAP_SYS_ADMIN))
 		return -EPERM;
 
 	/* plain bpf_prog allocation */
-- 
2.7.4

Re: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program

[Alexei Starovoitov]

On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
> From: Chenbo Feng <fengc@google.com>
> 
> Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
> capability while attaching the program to a cgroup only requires the
> user have CAP_NET_ADMIN privilege. We can escape the capability
> check when load the program just like socket filter program to make
> the capability requirement consistent.
> 
> Change since v1:
> Change the code style in order to be compliant with checkpatch.pl
> preference
> 
> Signed-off-by: Chenbo Feng <fengc@google.com>

as far as I can see they're indeed the same as socket filters, so
Acked-by: Alexei Starovoitov <ast@kernel.org>

but I don't quite understand how it helps, since as you said
attaching such unpriv fd to cgroup still requires root.
Do you have more patches to follow?

Re: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program

[Alexei Starovoitov]

On Thu, Jun 01, 2017 at 06:55:09PM -0700, Chenbo Feng wrote:
> On Thu, Jun 1, 2017 at 4:42 PM, Alexei Starovoitov <
> alexei.starovoitov@gmail.com> wrote:
> 
> > On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
> > > From: Chenbo Feng <fengc@google.com>
> > >
> > > Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
> > > capability while attaching the program to a cgroup only requires the
> > > user have CAP_NET_ADMIN privilege. We can escape the capability
> > > check when load the program just like socket filter program to make
> > > the capability requirement consistent.
> > >
> > > Change since v1:
> > > Change the code style in order to be compliant with checkpatch.pl
> > > preference
> > >
> > > Signed-off-by: Chenbo Feng <fengc@google.com>
> >
> > as far as I can see they're indeed the same as socket filters, so
> > Acked-by: Alexei Starovoitov <ast@kernel.org>
> >
> > but I don't quite understand how it helps, since as you said
> > attaching such unpriv fd to cgroup still requires root.
> > Do you have more patches to follow?
> >
> > Actually not, the purpose of this patch is only to make sure if a program
> have
> CAP_NET_ADMIN but not CAP_SYS_ADMIN it can still load and attach eBPF
> programs to cgroup.

got it. Thanks

Re: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program

[Daniel Borkmann]

On 06/02/2017 01:42 AM, Alexei Starovoitov wrote:
> On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fengc@google.com>
>>
>> Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
>> capability while attaching the program to a cgroup only requires the
>> user have CAP_NET_ADMIN privilege. We can escape the capability
>> check when load the program just like socket filter program to make
>> the capability requirement consistent.
>>
>> Change since v1:
>> Change the code style in order to be compliant with checkpatch.pl
>> preference
>>
>> Signed-off-by: Chenbo Feng <fengc@google.com>
>
> as far as I can see they're indeed the same as socket filters, so
> Acked-by: Alexei Starovoitov <ast@kernel.org>
>
> but I don't quite understand how it helps, since as you said
> attaching such unpriv fd to cgroup still requires root.
> Do you have more patches to follow?

Hmm, when we relax this from capable(CAP_SYS_ADMIN) to unprivileged,
then we must at least also zero out the not-yet-initialized memory
for the mac header for egress case in __cgroup_bpf_run_filter_skb().

Re: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program

[Chenbo Feng]

On 06/06/2017 09:56 AM, Daniel Borkmann wrote:
> On 06/02/2017 01:42 AM, Alexei Starovoitov wrote:
>> On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
>>> From: Chenbo Feng <fengc@google.com>
>>>
>>> Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
>>> capability while attaching the program to a cgroup only requires the
>>> user have CAP_NET_ADMIN privilege. We can escape the capability
>>> check when load the program just like socket filter program to make
>>> the capability requirement consistent.
>>>
>>> Change since v1:
>>> Change the code style in order to be compliant with checkpatch.pl
>>> preference
>>>
>>> Signed-off-by: Chenbo Feng <fengc@google.com>
>>
>> as far as I can see they're indeed the same as socket filters, so
>> Acked-by: Alexei Starovoitov <ast@kernel.org>
>>
>> but I don't quite understand how it helps, since as you said
>> attaching such unpriv fd to cgroup still requires root.
>> Do you have more patches to follow?
>
> Hmm, when we relax this from capable(CAP_SYS_ADMIN) to unprivileged,
> then we must at least also zero out the not-yet-initialized memory
> for the mac header for egress case in __cgroup_bpf_run_filter_skb().
>

Do you mean something like:

if (type == BPF_CGROUP_INET_EGRESS) {

         offset = skb_network_header(skb) - skb_mac_header(skb);

         memset(skb_mac_header(skb), 0, offset)

}

And could you explain more on why we need to do this if we remove the 
CAP_SYS_ADMIN check? I thought we still cannot directly access the 
sk_buff without using bpf_skb_load_bytes helper and we still need a 
CAP_NET_ADMIN in order to attach and run the program on egress side right?

Re: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program

[Daniel Borkmann]

On 06/07/2017 12:44 AM, Chenbo Feng wrote:
> On 06/06/2017 09:56 AM, Daniel Borkmann wrote:
>> On 06/02/2017 01:42 AM, Alexei Starovoitov wrote:
>>> On Wed, May 31, 2017 at 06:16:00PM -0700, Chenbo Feng wrote:
>>>> From: Chenbo Feng <fengc@google.com>
>>>>
>>>> Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
>>>> capability while attaching the program to a cgroup only requires the
>>>> user have CAP_NET_ADMIN privilege. We can escape the capability
>>>> check when load the program just like socket filter program to make
>>>> the capability requirement consistent.
>>>>
>>>> Change since v1:
>>>> Change the code style in order to be compliant with checkpatch.pl
>>>> preference
>>>>
>>>> Signed-off-by: Chenbo Feng <fengc@google.com>
>>>
>>> as far as I can see they're indeed the same as socket filters, so
>>> Acked-by: Alexei Starovoitov <ast@kernel.org>
>>>
>>> but I don't quite understand how it helps, since as you said
>>> attaching such unpriv fd to cgroup still requires root.
>>> Do you have more patches to follow?
>>
>> Hmm, when we relax this from capable(CAP_SYS_ADMIN) to unprivileged,
>> then we must at least also zero out the not-yet-initialized memory
>> for the mac header for egress case in __cgroup_bpf_run_filter_skb().
>
> Do you mean something like:
>
> if (type == BPF_CGROUP_INET_EGRESS) {
>
>          offset = skb_network_header(skb) - skb_mac_header(skb);
>
>          memset(skb_mac_header(skb), 0, offset)

That won't work, reason is the same as per 92046578ac88 ("bpf: cgroup
skb progs cannot access ld_abs/ind"), meaning that mac header is not
yet set at that point in time, but more below.

> }
>
> And could you explain more on why we need to do this if we remove the
 > CAP_SYS_ADMIN check? I thought we still cannot directly access the
 > sk_buff without using bpf_skb_load_bytes helper and we still need a
 > CAP_NET_ADMIN in order to attach and run the program on egress side right?

Ok, forget this comment of mine. The __cgroup_bpf_run_filter_skb() does
__skb_push()/__skb_pull(), but for egress case the offset is always 0, so
we don't start at mac header but at network header instead, meaning memset()
is not needed.

Thanks,
Daniel

Re: [PATCH net-next v2 2/2] bpf: Remove the capability check for cgroup skb eBPF program

[David Miller]

From: Chenbo Feng <chenbofeng.kernel@gmail.com>
Date: Wed, 31 May 2017 18:16:00 -0700

> From: Chenbo Feng <fengc@google.com>
> 
> Currently loading a cgroup skb eBPF program require a CAP_SYS_ADMIN
> capability while attaching the program to a cgroup only requires the
> user have CAP_NET_ADMIN privilege. We can escape the capability
> check when load the program just like socket filter program to make
> the capability requirement consistent.
> 
> Change since v1:
> Change the code style in order to be compliant with checkpatch.pl
> preference
> 
> Signed-off-by: Chenbo Feng <fengc@google.com>

Applied.

Re: [PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

[Alexei Starovoitov]

On Wed, May 31, 2017 at 06:15:59PM -0700, Chenbo Feng wrote:
> From: Chenbo Feng <fengc@google.com>
> 
> This allows cgroup eBPF program to classify packet based on their
> protocol or other detail information. Currently program need
> CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
> process with CAP_NET_ADMIN can already see all packets on the system,
> for example, by creating an iptables rules that causes the packet to
> be passed to userspace via NFLOG.
> 
> Signed-off-by: Chenbo Feng <fengc@google.com>

Acked-by: Alexei Starovoitov <ast@kernel.org>

Re: [PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

[David Miller]

From: Chenbo Feng <chenbofeng.kernel@gmail.com>
Date: Wed, 31 May 2017 18:15:59 -0700

> From: Chenbo Feng <fengc@google.com>
> 
> This allows cgroup eBPF program to classify packet based on their
> protocol or other detail information. Currently program need
> CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
> process with CAP_NET_ADMIN can already see all packets on the system,
> for example, by creating an iptables rules that causes the packet to
> be passed to userspace via NFLOG.
> 
> Signed-off-by: Chenbo Feng <fengc@google.com>

Applied.

Re: [PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

[Daniel Borkmann]

On 06/01/2017 03:15 AM, Chenbo Feng wrote:
> From: Chenbo Feng <fengc@google.com>
>
> This allows cgroup eBPF program to classify packet based on their
> protocol or other detail information. Currently program need
> CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
> process with CAP_NET_ADMIN can already see all packets on the system,
> for example, by creating an iptables rules that causes the packet to
> be passed to userspace via NFLOG.
>
> Signed-off-by: Chenbo Feng <fengc@google.com>

Sorry, but I am puzzled what above change log has to do with the
below diff?! Back then we decided not to add BPF_PROG_TYPE_CGROUP_SKB
to may_access_skb(), since one can already use bpf_skb_load_bytes()
helper to access pkt data, which is a much more flexible interface.
Mind to elaborate why you cannot use bpf_skb_load_bytes() instead?

> ---
>   kernel/bpf/verifier.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 339c8a1..94a9bc9 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -2419,6 +2419,7 @@ static bool may_access_skb(enum bpf_prog_type type)
>   	case BPF_PROG_TYPE_SOCKET_FILTER:
>   	case BPF_PROG_TYPE_SCHED_CLS:
>   	case BPF_PROG_TYPE_SCHED_ACT:
> +	case BPF_PROG_TYPE_CGROUP_SKB:
>   		return true;
>   	default:
>   		return false;
>

Re: [PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

[Daniel Borkmann]

On 06/06/2017 02:04 PM, Daniel Borkmann wrote:
> On 06/01/2017 03:15 AM, Chenbo Feng wrote:
>> From: Chenbo Feng <fengc@google.com>
>>
>> This allows cgroup eBPF program to classify packet based on their
>> protocol or other detail information. Currently program need
>> CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
>> process with CAP_NET_ADMIN can already see all packets on the system,
>> for example, by creating an iptables rules that causes the packet to
>> be passed to userspace via NFLOG.
>>
>> Signed-off-by: Chenbo Feng <fengc@google.com>
>
> Sorry, but I am puzzled what above change log has to do with the
> below diff?! Back then we decided not to add BPF_PROG_TYPE_CGROUP_SKB
> to may_access_skb(), since one can already use bpf_skb_load_bytes()
> helper to access pkt data, which is a much more flexible interface.
> Mind to elaborate why you cannot use bpf_skb_load_bytes() instead?

See my other email [1], this one is also problematic wrt SKF_LL_OFF.

   [1] http://patchwork.ozlabs.org/patch/771946/

Re: [PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

[David Miller]

From: Chenbo Feng <fengc@google.com>
Date: Tue, 6 Jun 2017 13:24:11 -0700

> On Tue, Jun 6, 2017 at 9:40 AM, Daniel Borkmann <daniel@iogearbox.net>
> wrote:
> 
>> On 06/06/2017 02:04 PM, Daniel Borkmann wrote:
>>
>>> On 06/01/2017 03:15 AM, Chenbo Feng wrote:
>>>
>>>> From: Chenbo Feng <fengc@google.com>
>>>>
>>>> This allows cgroup eBPF program to classify packet based on their
>>>> protocol or other detail information. Currently program need
>>>> CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
>>>> process with CAP_NET_ADMIN can already see all packets on the system,
>>>> for example, by creating an iptables rules that causes the packet to
>>>> be passed to userspace via NFLOG.
>>>>
>>>> Signed-off-by: Chenbo Feng <fengc@google.com>
>>>>
>>>
>>> Sorry, but I am puzzled what above change log has to do with the
>>> below diff?! Back then we decided not to add BPF_PROG_TYPE_CGROUP_SKB
>>> to may_access_skb(), since one can already use bpf_skb_load_bytes()
>>> helper to access pkt data, which is a much more flexible interface.
>>> Mind to elaborate why you cannot use bpf_skb_load_bytes() instead?
>>>
>>
>> See my other email [1], this one is also problematic wrt SKF_LL_OFF.
>>
>>   [1] http://patchwork.ozlabs.org/patch/771946/
> 
> 
> Oh sorry I just find out the bpf_skb_load_bytes helper already can achieve
> the goal. There is no point to add my patch then. Thanks you for pointing
> it out and fixing it.

If something now needs to be reverted, you need to send that revert to me.

Thanks.

Re: [PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

[Daniel Borkmann]

On 06/06/2017 10:26 PM, David Miller wrote:
> From: Chenbo Feng <fengc@google.com>
> Date: Tue, 6 Jun 2017 13:24:11 -0700
>
>> On Tue, Jun 6, 2017 at 9:40 AM, Daniel Borkmann <daniel@iogearbox.net>
>> wrote:
>>
>>> On 06/06/2017 02:04 PM, Daniel Borkmann wrote:
>>>
>>>> On 06/01/2017 03:15 AM, Chenbo Feng wrote:
>>>>
>>>>> From: Chenbo Feng <fengc@google.com>
>>>>>
>>>>> This allows cgroup eBPF program to classify packet based on their
>>>>> protocol or other detail information. Currently program need
>>>>> CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
>>>>> process with CAP_NET_ADMIN can already see all packets on the system,
>>>>> for example, by creating an iptables rules that causes the packet to
>>>>> be passed to userspace via NFLOG.
>>>>>
>>>>> Signed-off-by: Chenbo Feng <fengc@google.com>
>>>>>
>>>>
>>>> Sorry, but I am puzzled what above change log has to do with the
>>>> below diff?! Back then we decided not to add BPF_PROG_TYPE_CGROUP_SKB
>>>> to may_access_skb(), since one can already use bpf_skb_load_bytes()
>>>> helper to access pkt data, which is a much more flexible interface.
>>>> Mind to elaborate why you cannot use bpf_skb_load_bytes() instead?
>>>>
>>>
>>> See my other email [1], this one is also problematic wrt SKF_LL_OFF.
>>>
>>>    [1] http://patchwork.ozlabs.org/patch/771946/
>>
>>
>> Oh sorry I just find out the bpf_skb_load_bytes helper already can achieve
>> the goal. There is no point to add my patch then. Thanks you for pointing
>> it out and fixing it.
>
> If something now needs to be reverted, you need to send that revert to me.

It's sitting here: http://patchwork.ozlabs.org/patch/771946/

Re: [PATCH net-next v2 1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff

[David Miller]

From: Daniel Borkmann <daniel@iogearbox.net>
Date: Tue, 06 Jun 2017 22:27:15 +0200

> On 06/06/2017 10:26 PM, David Miller wrote:
>> From: Chenbo Feng <fengc@google.com>
>> Date: Tue, 6 Jun 2017 13:24:11 -0700
>>
>>> On Tue, Jun 6, 2017 at 9:40 AM, Daniel Borkmann <daniel@iogearbox.net>
>>> wrote:
>>>
>>>> On 06/06/2017 02:04 PM, Daniel Borkmann wrote:
>>>>
>>>>> On 06/01/2017 03:15 AM, Chenbo Feng wrote:
>>>>>
>>>>>> From: Chenbo Feng <fengc@google.com>
>>>>>>
>>>>>> This allows cgroup eBPF program to classify packet based on their
>>>>>> protocol or other detail information. Currently program need
>>>>>> CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and A
>>>>>> process with CAP_NET_ADMIN can already see all packets on the system,
>>>>>> for example, by creating an iptables rules that causes the packet to
>>>>>> be passed to userspace via NFLOG.
>>>>>>
>>>>>> Signed-off-by: Chenbo Feng <fengc@google.com>
>>>>>>
>>>>>
>>>>> Sorry, but I am puzzled what above change log has to do with the
>>>>> below diff?! Back then we decided not to add BPF_PROG_TYPE_CGROUP_SKB
>>>>> to may_access_skb(), since one can already use bpf_skb_load_bytes()
>>>>> helper to access pkt data, which is a much more flexible interface.
>>>>> Mind to elaborate why you cannot use bpf_skb_load_bytes() instead?
>>>>>
>>>>
>>>> See my other email [1], this one is also problematic wrt SKF_LL_OFF.
>>>>
>>>>    [1] http://patchwork.ozlabs.org/patch/771946/
>>>
>>>
>>> Oh sorry I just find out the bpf_skb_load_bytes helper already can
>>> achieve
>>> the goal. There is no point to add my patch then. Thanks you for
>>> pointing
>>> it out and fixing it.
>>
>> If something now needs to be reverted, you need to send that revert to
>> me.
> 
> It's sitting here: http://patchwork.ozlabs.org/patch/771946/

I see that now, applied to net-next, thanks!