Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution

From: Kees Cook
Date: Tue Mar 24 2020 - 14:34:58 EST


On Tue, Mar 24, 2020 at 07:31:30PM +0100, KP Singh wrote:
> On 24-Mär 19:27, KP Singh wrote:
> > We do not have a specific capable check for BPF_PROG_TYPE_LSM programs
> > now. There is a general check which requires CAP_SYS_ADMIN when
> > unprivileged BPF is disabled:
> >
> > in kernel/bpf/sycall.c:
> >
> > if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
> > return -EPERM;
> >
> > AFAIK, Most distros disable unprivileged eBPF.
> >
> > Now that I look at this, I think we might need a CAP_MAC_ADMIN check
> > though as unprivileged BPF being enabled will result in an
> > unprivileged user being able to load MAC policies.
>
> Actually we do have an extra check for loading BPF programs:
>
>
> in kernel/bpf/syscall.c:bpf_prog_load
>
> if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
> type != BPF_PROG_TYPE_CGROUP_SKB &&
> !capable(CAP_SYS_ADMIN))
> return -EPERM;
>
> Do you think we still need a CAP_MAC_ADMIN check for LSM programs?

IMO, these are distinct privileges on the non-SELinux system. I think
your patch is fine as-is.

--
Kees Cook