Received: by 2002:a05:6a10:8a4d:0:0:0:0 with SMTP id dn13csp960674pxb;
        Fri, 13 Aug 2021 10:06:08 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxU6z+CBza9T/0/8o70kRyWYFXd7C6pp1Q9S/jbc6hYeE+ihcm27GG7djlUwVxbL5YY46HC
X-Received: by 2002:a05:6602:2436:: with SMTP id g22mr2778007iob.109.1628874368426;
        Fri, 13 Aug 2021 10:06:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628874368; cv=none;
        d=google.com; s=arc-20160816;
        b=0A89LelUTlk4luNTuB4mbzytD7lTmzrDUcqundKSyUjwWzesUiPqjiprha+lSDXhXG
         7wTTPRSMTFfBBh2EUj4M3rI0k4PYi7Csq6sxGvkMUtJ8LQShu1iT+OgdVu7smt1ZX3pm
         yxjwGom9c4Tmy4+nstXVsAavDqPG5UjKh/kzy40qDiDxSGAHTwyj+ggmeJmImfQK+s/4
         KNOS+XfRhk4WpfAeWhOl5qGFEQxEU2K9Oj7f/tMrWw30WAviyuVWunAU2MUG2zgfbENs
         pZw9Z+HN/Pw+0v+aBVz5+hNQHB9Qn6WWOIIqO5oY90tV0kgM1wyt+6gqQVDUrwqhgBMg
         OkhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=9mRsxZJYe7NLcIGROza00MKj3ZzZ1tczHKszF2hq8vA=;
        b=Ci7HsgsyuDsZc6CUr8rY7SdrFD6uTEOJIqu/TJJtm03I7WHyWUiOzV3vU6rhwMFMt0
         +aP9fCPzgXM1iivFN4W4hpdjTZ+6srK7FHmAH8ShWJ3G8qm8xDMpngP6CilPJ1ON8KZc
         oeJYTczHA7q2ReYjPhZPd+99tsRXm3HzL48TYnnSDOk9IYwK91nX0LtSCFjTMgRx8lCm
         QegWfZYTojs4mECQTmSM7gnV12NOxi7fJWfL7uLp6I7dH1KIetMGp42bjsIwpbsOaYmg
         1auOcxkyhVcRwFK8IrrwUb6tGJI0b7tB/ZbNbvh5+wNtjFwnKOwypO7QBSPR0eDFOdwa
         gDWQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=fhsruix+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a16si1935865ilq.77.2021.08.13.10.05.56;
        Fri, 13 Aug 2021 10:06:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=fhsruix+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S242604AbhHMPVX (ORCPT <rfc822;liqb365@gmail.com> + 99 others);
        Fri, 13 Aug 2021 11:21:23 -0400
Received: from mail.kernel.org ([198.145.29.99]:60650 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S242116AbhHMPQE (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 13 Aug 2021 11:16:04 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 4108061151;
        Fri, 13 Aug 2021 15:15:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1628867700;
        bh=4/lgIPol+nChr+skAjQv3qf8yYM0c1FswG71RKog0+w=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=fhsruix+EClnpoUhAVpIHSMlygkd1bExq8YwM7LdAiyqUDNGauGQwZAzNkZe/3X0R
         bUcfWdp6V5XMuNQVFQBIn+QwFy8+wD1BzfWtGZg0AGbslvJ1JYXPiEuhfOWDPSgN0F
         wrEdp/zya2P+ozIQOKuJx7PEN4VwzhXCbD2ahThw=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
        Andrii Nakryiko <andrii@kernel.org>
Subject: [PATCH 5.10 05/19] bpf: Add lockdown check for probe_write_user helper
Date:   Fri, 13 Aug 2021 17:07:22 +0200
Message-Id: <20210813150522.805128828@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210813150522.623322501@linuxfoundation.org>
References: <20210813150522.623322501@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Daniel Borkmann <daniel@iogearbox.net>

commit 51e1bb9eeaf7868db56e58f47848e364ab4c4129 upstream.

Back then, commit 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper
to be called in tracers") added the bpf_probe_write_user() helper in order
to allow to override user space memory. Its original goal was to have a
facility to "debug, divert, and manipulate execution of semi-cooperative
processes" under CAP_SYS_ADMIN. Write to kernel was explicitly disallowed
since it would otherwise tamper with its integrity.

One use case was shown in cf9b1199de27 ("samples/bpf: Add test/example of
using bpf_probe_write_user bpf helper") where the program DNATs traffic
at the time of connect(2) syscall, meaning, it rewrites the arguments to
a syscall while they're still in userspace, and before the syscall has a
chance to copy the argument into kernel space. These days we have better
mechanisms in BPF for achieving the same (e.g. for load-balancers), but
without having to write to userspace memory.

Of course the bpf_probe_write_user() helper can also be used to abuse
many other things for both good or bad purpose. Outside of BPF, there is
a similar mechanism for ptrace(2) such as PTRACE_PEEK{TEXT,DATA} and
PTRACE_POKE{TEXT,DATA}, but would likely require some more effort.
Commit 96ae52279594 explicitly dedicated the helper for experimentation
purpose only. Thus, move the helper's availability behind a newly added
LOCKDOWN_BPF_WRITE_USER lockdown knob so that the helper is disabled under
the "integrity" mode. More fine-grained control can be implemented also
from LSM side with this change.

Fixes: 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/security.h |    1 +
 kernel/trace/bpf_trace.c |    5 +++--
 security/security.c      |    1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -120,6 +120,7 @@ enum lockdown_reason {
 	LOCKDOWN_MMIOTRACE,
 	LOCKDOWN_DEBUGFS,
 	LOCKDOWN_XMON_WR,
+	LOCKDOWN_BPF_WRITE_USER,
 	LOCKDOWN_INTEGRITY_MAX,
 	LOCKDOWN_KCORE,
 	LOCKDOWN_KPROBES,
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -1272,12 +1272,13 @@ bpf_tracing_func_proto(enum bpf_func_id
 		return &bpf_get_numa_node_id_proto;
 	case BPF_FUNC_perf_event_read:
 		return &bpf_perf_event_read_proto;
-	case BPF_FUNC_probe_write_user:
-		return bpf_get_probe_write_proto();
 	case BPF_FUNC_current_task_under_cgroup:
 		return &bpf_current_task_under_cgroup_proto;
 	case BPF_FUNC_get_prandom_u32:
 		return &bpf_get_prandom_u32_proto;
+	case BPF_FUNC_probe_write_user:
+		return security_locked_down(LOCKDOWN_BPF_WRITE_USER) < 0 ?
+		       NULL : bpf_get_probe_write_proto();
 	case BPF_FUNC_probe_read_user:
 		return &bpf_probe_read_user_proto;
 	case BPF_FUNC_probe_read_kernel:
--- a/security/security.c
+++ b/security/security.c
@@ -58,6 +58,7 @@ const char *const lockdown_reasons[LOCKD
 	[LOCKDOWN_MMIOTRACE] = "unsafe mmio",
 	[LOCKDOWN_DEBUGFS] = "debugfs access",
 	[LOCKDOWN_XMON_WR] = "xmon write access",
+	[LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",
 	[LOCKDOWN_INTEGRITY_MAX] = "integrity",
 	[LOCKDOWN_KCORE] = "/proc/kcore access",
 	[LOCKDOWN_KPROBES] = "use of kprobes",