Re: [PATCH bpf-next v1 00/13] MAC and Audit policy using eBPF (KRSI)

From: Stephen Smalley
Date: Thu Jan 09 2020 - 13:58:42 EST


On 1/9/20 1:11 PM, James Morris wrote:
On Wed, 8 Jan 2020, Stephen Smalley wrote:

The cover letter subject line and the Kconfig help text refer to it as a
BPF-based "MAC and Audit policy". It has an enforce config option that
enables the bpf programs to deny access, providing access control. IIRC, in
the earlier discussion threads, the BPF maintainers suggested that Smack and
other LSMs could be entirely re-implemented via it in the future, and that
such an implementation would be more optimal.

In this case, the eBPF code is similar to a kernel module, rather than a
loadable policy file. It's a loadable mechanism, rather than a policy, in
my view.

I thought you frowned on dynamically loadable LSMs for both security and correctness reasons? And a traditional security module would necessarily fall under GPL; is the eBPF code required to be likewise? If not, KRSI is a gateway for proprietary LSMs...

This would be similar to the difference between iptables rules and
loadable eBPF networking code. I'd be interested to know how the
eBPF networking scenarios are handled wrt kernel ABI.


Again, not arguing for or against, but wondering if people fully understand
the implications. If it ends up being useful, people will build access
control systems with it, and it directly exposes a lot of kernel internals to
userspace. There was a lot of concern originally about the LSM hook interface
becoming a stable ABI and/or about it being misused. Exposing that interface
along with every kernel data structure exposed through it to userspace seems
like a major leap.

Agreed this is a leap, although I'm not sure I'd characterize it as
exposure to userspace -- it allows dynamic extension of the LSM API from
userland, but the code is executed in the kernel.

KP: One thing I'd like to understand better is the attack surface
introduced by this. IIUC, the BTF fields are read only, so the eBPF code
should not be able to modify any LSM parameters, correct?


Even if the mainline kernel doesn't worry about any kind
of stable interface guarantees for it, the distros might be forced to provide
some kABI guarantees for it to appease ISVs and users...

How is this handled currently for other eBPF use-cases?