Re: [PATCH bpf-next v1 00/13] MAC and Audit policy using eBPF (KRSI)

From: Stephen Smalley
Date: Thu Jan 09 2020 - 14:54:40 EST


On 1/9/20 2:43 PM, KP Singh wrote:
On 10-Jan 06:07, James Morris wrote:
On Thu, 9 Jan 2020, Stephen Smalley wrote:

On 1/9/20 1:11 PM, James Morris wrote:
On Wed, 8 Jan 2020, Stephen Smalley wrote:

The cover letter subject line and the Kconfig help text refer to it as a
BPF-based "MAC and Audit policy". It has an enforce config option that
enables the bpf programs to deny access, providing access control. IIRC,
in
the earlier discussion threads, the BPF maintainers suggested that Smack
and
other LSMs could be entirely re-implemented via it in the future, and that
such an implementation would be more optimal.

In this case, the eBPF code is similar to a kernel module, rather than a
loadable policy file. It's a loadable mechanism, rather than a policy, in
my view.

I thought you frowned on dynamically loadable LSMs for both security and
correctness reasons?

Based on the feedback from the lists we've updated the design for v2.

In v2, LSM hook callbacks are allocated dynamically using BPF
trampolines, appended to a separate security_hook_heads and run
only after the statically allocated hooks.

The security_hook_heads for all the other LSMs (SELinux, AppArmor etc)
still remains __lsm_ro_after_init and cannot be modified. We are still
working on v2 (not ready for review yet) but the general idea can be
seen here:

https://github.com/sinkap/linux-krsi/blob/patch/v1/trampoline_prototype/security/bpf/lsm.c


Evaluating the security impact of this is the next step. My understanding
is that eBPF via BTF is constrained to read only access to hook
parameters, and that its behavior would be entirely restrictive.

I'd like to understand the security impact more fully, though. Can the
eBPF code make arbitrary writes to the kernel, or read anything other than
the correctly bounded LSM hook parameters?


As mentioned, the BPF verifier does not allow writes to BTF types.

And a traditional security module would necessarily fall
under GPL; is the eBPF code required to be likewise? If not, KRSI is a
gateway for proprietary LSMs...

Right, we do not want this to be a GPL bypass.

This is not intended to be a GPL bypass and the BPF verifier checks
for license compatibility of the loaded program with GPL.

IIUC, it checks that the program is GPL compatible if it uses a function marked GPL-only. But what specifically is marked GPL-only that is required for eBPF programs using KRSI?


- KP


If these issues can be resolved, this may be a "safe" way to support
loadable LSM applications.

Again, I'd be interested in knowing how this is is handled in the
networking stack (keeping in mind that LSM is a much more invasive API,
and may not be directly comparable).

--
James Morris
<jmorris@xxxxxxxxx>