TqVTTSpgIm4uaLzkQvpTC4ujvzn/NTqf6LJKzTDPWTgoeWr7AT4WK/mjTNZrpHySGR1V v5jynQZCgWVKOvpWkV7Ebn8iVbG+11rqDx+T3poI0WKd774nfdLbh2rcWtdJ7EojszvP EOAg== X-Gm-Message-State: APjAAAX34nnan5iO4iK56Jd2Z3MgRuh5MBylVMoTs7YbsKefSqIPrQ/J rexGnAI1CCoRyW5DLzMwIID8zbMrT4g= X-Received: by 2002:a67:f414:: with SMTP id p20mr20362709vsn.94.1554828664340; Tue, 09 Apr 2019 09:51:04 -0700 (PDT) Received: from mail-vs1-f52.google.com (mail-vs1-f52.google.com. [209.85.217.52]) by smtp.gmail.com with ESMTPSA id 8sm611430vks.11.2019.04.09.09.51.03 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 09 Apr 2019 09:51:04 -0700 (PDT) Received: by mail-vs1-f52.google.com with SMTP id f22so10220747vso.7 for ; Tue, 09 Apr 2019 09:51:03 -0700 (PDT) X-Received: by 2002:a67:f04e:: with SMTP id q14mr21174654vsm.133.1554828663194; Tue, 09 Apr 2019 09:51:03 -0700 (PDT) MIME-Version: 1.0 References: <20190406170257.qlptcrfth2rb3rxo@ast-mbp.dhcp.thefacebook.com> In-Reply-To: <20190406170257.qlptcrfth2rb3rxo@ast-mbp.dhcp.thefacebook.com> From: Kees Cook Date: Tue, 9 Apr 2019 09:50:50 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3 bpf-next 00/21] bpf: Sysctl hook To: Alexei Starovoitov Cc: Andrey Ignatov , Network Development , Alexei Starovoitov , Daniel Borkmann , Roman Gushchin , kernel-team , Luis Chamberlain , Alexey Dobriyan , LKML , "linux-fsdevel@vger.kernel.org" , linux-security-module , Jann Horn Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Apr 6, 2019 at 10:03 AM Alexei Starovoitov wrote: > > On Sat, Apr 06, 2019 at 09:43:50AM -0700, Kees Cook wrote: > > On Fri, Apr 5, 2019 at 12:36 PM Andrey Ignatov wrote: > > > BPF_CGROUP_SYSCTL hook is placed before calling to sysctl's proc_handler so > > > that accesses (read/write) to sysctl can be controlled for specific cgroup > > > and either allowed or denied, or traced. 
> > > > This sounds more like an LSM than BPF. > > not at all. the key difference is being cgroup scoped. > essentially for different containers. Okay, works for me. I was looking at it from the perspective of something providing resource access control policy, which usually falls into the LSM world. > bpf prog is attached to this hook in a particular cgroup > and executed for sysctls for tasks that belong to that cgroup. So it's root limiting root-in-a-container? Nice to have some boundaries there, for sure. > > Can the BPF be removed (or rather, > > what's the lifetime of such BPF?) > > same as all other cgroup-bpf hooks. > Do you have a specific concern or just asking how life time of programs > is managed? > High level description of lifetime is here: > https://facebookmicrosites.github.io/bpf/blog/2018/08/31/object-lifetime.html I'm mostly curious about the access control stacking. i.e. can in-container root add new eBPF to its own cgroup, and if so, can it undo the restrictions already present? (I assume it can't, but figured I'd ask...) -- Kees Cook
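The stacking question at the end of the mail turns on the attach flags the host used for its program, which the thread does not spell out. What follows is an added example, not code from the thread, from the patch series, or from the kernel: a small Python model of the cgroup-bpf attach rules (no flag, BPF_F_ALLOW_OVERRIDE, BPF_F_ALLOW_MULTI) as documented for cgroup-bpf hooks, applied to a sysctl policy. The cgroup names, the two policy functions and the scenario() helper are constructed for illustration; the flag values are the real uapi ones; the order in which the effective programs are listed is an assumption of the model, and the AND of verdicts mirrors how the sysctl hook treats the program array.

```python
# Added example (not from the thread or the kernel source): a model of the
# cgroup-bpf attach rules that decide Kees's stacking question. Programs are
# plain functions standing in for BPF_PROG_TYPE_CGROUP_SYSCTL programs; the
# cgroup names and sysctl policies below are constructed for illustration.

BPF_F_ALLOW_OVERRIDE = 1   # uapi flag: a sub-cgroup program replaces this one
BPF_F_ALLOW_MULTI = 2      # uapi flag: sub-cgroup programs run in addition


class Cgroup:
    """One node of the cgroup hierarchy with the programs attached at this node."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.progs = []      # functions (sysctl_name, write) -> 1 allow / 0 deny
        self.flags = 0       # attach flags used for the programs in self.progs

    def ancestors(self):
        p = self.parent
        while p is not None:
            yield p
            p = p.parent


def hierarchy_allows_attach(cgrp, new_flags):
    """Walk toward the root. An ancestor attached with ALLOW_MULTI admits any
    attach below it; an ancestor holding a program without ALLOW_MULTI admits
    one only if it used ALLOW_OVERRIDE; an ancestor with no programs is skipped."""
    for p in cgrp.ancestors():
        if p.flags & BPF_F_ALLOW_MULTI:
            return True
        if p.progs:
            return bool(p.flags & BPF_F_ALLOW_OVERRIDE)
    return True


def attach(cgrp, prog, flags=0):
    """Mimic BPF_PROG_ATTACH on a cgroup fd: refused with EPERM when the ancestor
    policy forbids it or when the flags differ from those already used here."""
    if not hierarchy_allows_attach(cgrp, flags):
        raise PermissionError(f"EPERM: ancestor policy forbids attach in {cgrp.name}")
    if cgrp.progs and cgrp.flags != flags:
        raise PermissionError(f"EPERM: flag mismatch with programs already in {cgrp.name}")
    if flags & BPF_F_ALLOW_MULTI:
        cgrp.progs.append(prog)
    else:
        cgrp.progs = [prog]  # non-multi attach replaces the single existing program
    cgrp.flags = flags


def effective_progs(cgrp):
    """Programs that run for a task in cgrp, nearest cgroup first (assumed order).
    Once any program has been collected, an ancestor contributes only if it
    was attached with ALLOW_MULTI."""
    progs = []
    p = cgrp
    while p is not None:
        if not progs or (p.flags & BPF_F_ALLOW_MULTI):
            progs.extend(p.progs)
        p = p.parent
    return progs


def sysctl_access(cgrp, sysctl_name, write):
    """True if the access is allowed. The verdicts are ANDed, so a single deny
    anywhere in the effective list wins; no programs at all means allowed."""
    return all(prog(sysctl_name, write) == 1 for prog in effective_progs(cgrp))


# Constructed policies: the host forbids writes to one sysctl for a subtree,
# and root inside a container tries to re-open it from its own cgroup.
def host_policy(sysctl_name, write):
    return 0 if (write and sysctl_name == "kernel/kptr_restrict") else 1


def permissive_policy(sysctl_name, write):
    return 1


def scenario(host_flags, container_flags=0):
    """Host attaches host_policy at 'containers' with host_flags; root inside
    'containers/ctr1' then attaches permissive_policy to its own cgroup.
    Returns (container attach succeeded, write to kernel/kptr_restrict allowed)."""
    root = Cgroup("/")
    containers = Cgroup("containers", root)
    ctr1 = Cgroup("containers/ctr1", containers)
    attach(containers, host_policy, host_flags)
    try:
        attach(ctr1, permissive_policy, container_flags)
        attached = True
    except PermissionError:
        attached = False
    return attached, sysctl_access(ctr1, "kernel/kptr_restrict", write=True)


if __name__ == "__main__":
    for label, flags in [("NONE", 0), ("ALLOW_OVERRIDE", BPF_F_ALLOW_OVERRIDE),
                         ("ALLOW_MULTI", BPF_F_ALLOW_MULTI)]:
        print(label, scenario(flags))
```

Running the three scenarios shows the answer depends entirely on the host's choice: with no flag the container cannot attach at all and the write stays denied; with BPF_F_ALLOW_OVERRIDE the container's program replaces the host's and the restriction is undone; with BPF_F_ALLOW_MULTI both programs run and the host's deny still wins. Two further points the model leaves out: BPF_PROG_DETACH acts only on the cgroup whose fd is passed, so a program on an ancestor cannot be removed from a cgroup namespace rooted at the container's own cgroup, and loading and attaching a program require capabilities checked against the initial user namespace, so a container confined by a user namespace cannot attach anything in the first place.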