Date: Fri, 12 Apr 2019 14:27:14 -0700
From: Alexei Starovoitov
To: Andrey Ignatov
Cc: netdev@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, guro@fb.com, kernel-team@fb.com, Luis Chamberlain, Kees Cook, Alexey Dobriyan, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, jannh@google.com
Subject: Re: [PATCH v3 bpf-next 00/21] bpf: Sysctl hook
Message-ID: <20190412212712.iv6ksgtfr7nhcelv@ast-mbp.dhcp.thefacebook.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 05, 2019 at 12:35:22PM -0700, Andrey Ignatov wrote:
> v2->v3:
> - simplify C based selftests by relying on variable offset stack access.
>
> v1->v2:
> - add fs/proc/proc_sysctl.c maintainers to Cc:.
>
> The patch set introduces a new BPF hook for sysctl.
>
> It adds new program type BPF_PROG_TYPE_CGROUP_SYSCTL and attach type
> BPF_CGROUP_SYSCTL.
>
> The BPF_CGROUP_SYSCTL hook is placed before calling the sysctl's proc_handler so
> that accesses (read/write) to a sysctl can be controlled for a specific cgroup
> and either allowed or denied, or traced.
>
> The hook has access to the sysctl name, the current sysctl value and (on write
> only) to the new sysctl value via corresponding helpers. The new sysctl value can
> be overridden by the program. Both the name and the values (current/new) are
> represented as strings the same way they're visible in /proc/sys/. It is up to
> the program to parse these strings.
>
> To help with parsing the most common kind of sysctl value, a vector of
> integers, two new helpers are provided: bpf_strtol and bpf_strtoul with
> semantics similar to user space strtol(3) and strtoul(3).
>
> The hook also provides a bpf_sysctl context with two fields:
> * @write indicates whether the sysctl is being read (= 0) or written (= 1);
> * @file_pos is the sysctl file position to read from or write to, and can be
>   overridden.
>
> The hook makes it possible to provide better isolation for containerized
> applications that are run as root, so that one container can't change a sysctl
> and affect all other containers on a host, to make changes to allowed sysctls
> in a safer way, and to simplify sysctl tracing for cgroups.

Applied to bpf-next. Thanks!

Andrey, as a follow-up please add a doc describing that this bpf hook cannot be
used as a security mechanism to limit sysctl usage. Like: explaining that
task_dfl_cgroup(current) is checked at the time of read/write, it's not a
replacement for sysctl_perm, root can detach bpf progs, etc.

I think the commit 7568f4cbbeae ("selftests/bpf: C based test for sysctl and
strtoX") gives an idea of what is possible with this hook and intended usage,
but it needs to be clearly documented that it's for a 'trusted root' environment.
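Added example, not from the patch set or from either author: a host-side C model of the decision a BPF_CGROUP_SYSCTL program makes from the pieces the cover letter describes (the @write flag from the bpf_sysctl context, the new value handed over as a string, and bpf_strtoul-style parsing of an integer vector). model_strtoul is a stand-in for the helper's return-value contract, and the "net/ipv4/tcp_rmem" name form, RMEM_CAP and the 3-vector policy are assumptions made for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Host-side stand-in for the bpf_strtoul() contract the cover letter
 * describes: parse one unsigned decimal at the start of buf[0..len) and
 * return the bytes consumed, or a negative errno. Not the kernel's code. */
static long model_strtoul(const char *buf, size_t len, unsigned long *res)
{
    char tmp[24], *end;               /* one unsigned long fits in 20 digits */
    size_t n = len < sizeof(tmp) - 1 ? len : sizeof(tmp) - 1;

    if (n == 0 || buf[0] == '-')
        return -EINVAL;               /* empty or negative: rejected */
    memcpy(tmp, buf, n); tmp[n] = '\0';
    errno = 0;
    *res = strtoul(tmp, &end, 10);
    if (end == tmp)
        return -EINVAL;               /* no digits found */
    return errno == ERANGE ? -ERANGE : (long)(end - tmp);
}

#define RMEM_CAP 8388608UL            /* hypothetical ceiling for tcp_rmem[2] */
/* Verdict a BPF_CGROUP_SYSCTL program could return (1 = allow, 0 = deny).
 * write comes from the bpf_sysctl context, val/len from
 * bpf_sysctl_get_new_value(); the "net/ipv4/tcp_rmem" name form and the
 * policy (well-formed, non-decreasing 3-vector under RMEM_CAP) are assumed. */
static int sysctl_verdict(const char *name, int write, const char *val, size_t len)
{
    unsigned long v[3];
    size_t off = 0;
    int n = 0;
    if (!write || strcmp(name, "net/ipv4/tcp_rmem") != 0)
        return 1;                     /* reads and other sysctls pass */
    while (off < len) {
        if (val[off] == ' ' || val[off] == '\t' || val[off] == '\n') {
            off++;                    /* field separator or trailing newline */
            continue;
        }
        if (n == 3)
            return 0;                 /* too many fields */
        long used = model_strtoul(val + off, len - off, &v[n++]);
        if (used < 0)
            return 0;                 /* not an integer: deny the write */
        off += (size_t)used;
    }
    return (n == 3 && v[0] <= v[1] && v[1] <= v[2] && v[2] <= RMEM_CAP) ? 1 : 0;
}
```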