Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs

From: Daniel Borkmann
Date: Tue Oct 06 2015 - 08:45:36 EST


On 10/06/2015 02:51 AM, Alexei Starovoitov wrote:
> On 10/5/15 3:14 PM, Daniel Borkmann wrote:
>> One scenario that comes to mind ... what happens when there are kernel
>> pointers stored in skb->cb[] (either from the current layer or an old
>> one from a different layer that the skb went through previously, but
>> which did not get overwritten)?
>>
>> Socket filters could read a portion of skb->cb[] also when unprived and
>> leak that out through maps. I think the verifier doesn't catch that,
>> right?
> ...
> Please keep poking.

;)

I'm still wondering whether sysctl_bpf_enable_unprivileged is a good
way to go with regards to controlling capabilities of bpf(2), hmm, but
don't really have a good idea at the moment.

So, the rationale of this is to give it some soaking time before flipping
the switch that then defaults to on, and later on to still have a
possibility for an admin to turn it off (if not silently overwritten by
some system application later on ;)).

I think only having a Kconfig doesn't really make sense as distros
will blindly turn lots of stuff on anyway. A hidden Kconfig entry
that is not exposed into menuconfig might allow for sorting everything
out first, but with the issue of getting only little testing exposure.

If I see this correctly, perf_event_open(2) has a number of paranoia
levels with some helpers wrapped around it, f.e.:

/*
 * perf event paranoia level:
 *  -1 - not paranoid at all
 *   0 - disallow raw tracepoint access for unpriv
 *   1 - disallow cpu events for unpriv
 *   2 - disallow kernel profiling for unpriv
 */
int sysctl_perf_event_paranoid __read_mostly = 1;

Should instead something similar be adapted on bpf(2) as well? Or, would
that even be more painful for application developers shipping their stuff
through distros in the end (where they might then decide to just set up
everything BPF-related and then drop privs)?

I'm also wondering with regards to seccomp, which could adapt to eBPF at
some point and be used by unprivileged programs. Perhaps then, a single
paranoia-alike setting might not suit all eBPF subsystem users. Any
ideas?

Thanks,
Daniel
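The skb->cb[]-to-map leak raised in the quoted exchange, as an added example that is not part of this thread or of the kernel: a toy model in C of a verifier pass that types each register as scalar or pointer, treats anything loaded from skb->cb[] as a possible kernel pointer, and refuses to let such a value reach a map unless the loader is privileged. The instruction set, register typing, function names and return codes are this example's own simplification, not the kernel verifier's.

```c
/* Toy verifier model (added example, not kernel code): registers are typed scalar
 * or pointer, skb->cb[] contents count as a possible kernel pointer, and a pointer
 * may only be stored into a map if the loader is privileged (allow_ptr_leaks). */
#include <stdbool.h>
#include <stddef.h>

enum reg_type { SCALAR = 0, CTX_PTR, MAYBE_KERNEL_PTR };
enum op { LD_CB, MOV, ADD_IMM, ST_MAP, EXIT };
struct insn { enum op op; int dst; int src; };
#define NREGS 11

/* Returns 0 if accepted, -1 if a pointer would leak into a map, -2 if malformed. */
int verify(const struct insn *prog, size_t n, bool allow_ptr_leaks)
{
    enum reg_type regs[NREGS] = { SCALAR };
    regs[1] = CTX_PTR;                     /* r1 = skb on program entry */
    for (size_t i = 0; i < n; i++) {
        const struct insn *in = &prog[i];
        if (in->dst < 0 || in->dst >= NREGS || in->src < 0 || in->src >= NREGS)
            return -2;
        switch (in->op) {
        case LD_CB:   /* dst = *(u64 *)skb->cb: unknown contents, may be a pointer */
            if (regs[in->src] != CTX_PTR) return -2;
            regs[in->dst] = MAYBE_KERNEL_PTR;
            break;
        case MOV:     regs[in->dst] = regs[in->src]; break; /* type travels with value */
        case ADD_IMM: break;               /* arithmetic does not launder a pointer */
        case ST_MAP:  /* map[key] = src: from here user space can read it back */
            if (regs[in->src] != SCALAR && !allow_ptr_leaks) return -1;
            break;
        case EXIT:    return 0;
        }
    }
    return -2;                             /* fell off the end without EXIT */
}

/* Constructed sample: r2 = skb->cb[0..7]; r3 = r2; r3 += 8; map[..] = r3; exit */
int check_cb_to_map(bool allow_ptr_leaks)
{
    const struct insn prog[] = { { LD_CB, 2, 1 }, { MOV, 3, 2 }, { ADD_IMM, 3, 3 },
                                 { ST_MAP, 0, 3 }, { EXIT, 0, 0 } };
    return verify(prog, sizeof prog / sizeof prog[0], allow_ptr_leaks);
}

/* Constructed sample: a filter that stores only a scalar is accepted either way */
int check_scalar_to_map(bool allow_ptr_leaks)
{
    const struct insn prog[] = { { MOV, 2, 4 }, { ST_MAP, 0, 2 }, { EXIT, 0, 0 } };
    return verify(prog, sizeof prog / sizeof prog[0], allow_ptr_leaks);
}
```

The unprivileged case rejects the cb[]-derived value even after it was copied and had arithmetic applied, while the same program is accepted for a privileged loader.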