From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniel Borkmann , Andrii Nakryiko
Subject: [PATCH 5.10 05/19] bpf: Add lockdown check for probe_write_user helper
Date: Fri, 13 Aug 2021 17:07:22 +0200
Message-Id: <20210813150522.805128828@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210813150522.623322501@linuxfoundation.org>
References: <20210813150522.623322501@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Daniel Borkmann

commit 51e1bb9eeaf7868db56e58f47848e364ab4c4129 upstream.

Back then, commit 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers") added the bpf_probe_write_user() helper in order to allow to override user space memory. Its original goal was to have a facility to "debug, divert, and manipulate execution of semi-cooperative processes" under CAP_SYS_ADMIN. Write to kernel was explicitly disallowed since it would otherwise tamper with its integrity.

One use case was shown in cf9b1199de27 ("samples/bpf: Add test/example of using bpf_probe_write_user bpf helper") where the program DNATs traffic at the time of connect(2) syscall, meaning, it rewrites the arguments to a syscall while they're still in userspace, and before the syscall has a chance to copy the argument into kernel space. These days we have better mechanisms in BPF for achieving the same (e.g. for load-balancers), but without having to write to userspace memory.

Of course the bpf_probe_write_user() helper can also be used to abuse many other things for both good or bad purpose. Outside of BPF, there is a similar mechanism for ptrace(2) such as PTRACE_PEEK{TEXT,DATA} and PTRACE_POKE{TEXT,DATA}, but would likely require some more effort.

Commit 96ae52279594 explicitly dedicated the helper for experimentation purpose only. Thus, move the helper's availability behind a newly added LOCKDOWN_BPF_WRITE_USER lockdown knob so that the helper is disabled under the "integrity" mode. More fine-grained control can be implemented also from LSM side with this change.

Fixes: 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers")
Signed-off-by: Daniel Borkmann
Acked-by: Andrii Nakryiko
Signed-off-by: Greg Kroah-Hartman
---
 include/linux/security.h | 1 +
 kernel/trace/bpf_trace.c | 5 +++--
 security/security.c      | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -120,6 +120,7 @@ enum lockdown_reason { LOCKDOWN_MMIOTRACE, LOCKDOWN_DEBUGFS, LOCKDOWN_XMON_WR, + LOCKDOWN_BPF_WRITE_USER, LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_KCORE, LOCKDOWN_KPROBES, --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -1272,12 +1272,13 @@ bpf_tracing_func_proto(enum bpf_func_id return &bpf_get_numa_node_id_proto; case BPF_FUNC_perf_event_read: return &bpf_perf_event_read_proto; - case BPF_FUNC_probe_write_user: - return bpf_get_probe_write_proto(); case BPF_FUNC_current_task_under_cgroup: return &bpf_current_task_under_cgroup_proto; case BPF_FUNC_get_prandom_u32: return &bpf_get_prandom_u32_proto; + case BPF_FUNC_probe_write_user: + return security_locked_down(LOCKDOWN_BPF_WRITE_USER) < 0 ? + NULL : bpf_get_probe_write_proto(); case BPF_FUNC_probe_read_user: return &bpf_probe_read_user_proto; case BPF_FUNC_probe_read_kernel: --- a/security/security.c +++ b/security/security.c @@ -58,6 +58,7 @@ const char *const lockdown_reasons[LOCKD [LOCKDOWN_MMIOTRACE] = "unsafe mmio", [LOCKDOWN_DEBUGFS] = "debugfs access", [LOCKDOWN_XMON_WR] = "xmon write access", + [LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM", [LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_KCORE] = "/proc/kcore access", [LOCKDOWN_KPROBES] = "use of kprobes",
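Review bot: in the include/linux/security.h hunk, the position of `+ LOCKDOWN_BPF_WRITE_USER,` directly above `LOCKDOWN_INTEGRITY_MAX` is load-bearing, not cosmetic: the lockdown LSM decides by comparing the requested reason against the configured level, so sitting below the integrity marker is exactly what makes the helper disappear in "integrity" mode as the commit message intends. A short comment on that line saying it must stay in the integrity range would stop a later reorder from silently demoting the check. For a 5.10 stable backport, note also that inserting mid-enum renumbers every value from LOCKDOWN_INTEGRITY_MAX onward; enum lockdown_reason is not UAPI, so in-tree code is fine, but an out-of-tree LSM built against the old headers needs a rebuild.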
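Review bot: in the kernel/trace/bpf_trace.c hunk, security_locked_down(LOCKDOWN_BPF_WRITE_USER) is consulted inside bpf_tracing_func_proto(), i.e. at program load and verification time, so it reflects the lockdown state at that moment only: a tracing program loaded before the host was raised to integrity mode keeps bpf_probe_write_user() for its lifetime. That matches how the other BPF lockdown checks behave, but it is worth a sentence in the commit message so nobody expects raising lockdown to revoke already-loaded programs. Two smaller points: returning NULL makes the verifier reject the load with its generic unknown-helper error rather than -EPERM, so the dmesg lockdown notice is the only place the real reason shows up; and the `case BPF_FUNC_probe_write_user:` label could have stayed where it was with only the return line changed, which would have kept the hunk to two lines instead of moving it below `BPF_FUNC_get_prandom_u32`.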
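Review bot: in the security/security.c hunk, "use of bpf to write user RAM" is the text the lockdown LSM prints in its "Lockdown: <comm>: <reason> is restricted; see man kernel_lockdown.7" notice when the check fails, so it is also the string a defender should match on to see attempts to load such a program on an integrity-locked host; the wording is consistent with the neighbouring entries. Because lockdown_reasons[] uses designated initializers the entry's position need not mirror the enum, but a reason without a string is reported silently (the notice is skipped), so this hunk and the enum hunk must land together, which they do here.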