Date: Fri, 25 Feb 2022 15:43:37 -0800
In-Reply-To: <20220225234339.2386398-1-haoluo@google.com>
Message-Id: <20220225234339.2386398-8-haoluo@google.com>
References: <20220225234339.2386398-1-haoluo@google.com>
Subject: [PATCH bpf-next v1 7/9] bpf: Lift permission check in __sys_bpf when called from kernel.
From: Hao Luo
To: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann
Cc: Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Shakeel Butt, Joe Burton, Tejun Heo, joshdon@google.com, sdf@google.com, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Hao Luo

After we introduced sleepable tracing programs, we now have an
interesting problem. There are now three execution paths that can
reach bpf_sys_bpf:

 1. called from bpf syscall.
 2. called from kernel context (e.g. kernel modules).
 3. called from bpf programs.

Ideally, capability check in bpf_sys_bpf is necessary for the first two
scenarios. But it may not be necessary for the third case.

The use case of sleepable tracepoints is to allow the root user to deploy
bpf progs which run when certain kernel tracepoints are triggered.
An example use case is to monitor cgroup creation and perform bpf
operations whenever a cgroup is created. These operations include
pinning an iter to export the cgroup's state. Using sleepable tracing
is preferred because it eliminates the need for a userspace daemon to
monitor cgroup changes.

However, in this use case, the current task that triggers the tracepoint
may be unprivileged and the permission check in __sys_bpf will thus
prevent it from making bpf syscalls. Therefore the tracing progs
deployed by root cannot be used by non-root users.

A solution to this problem is to lift the permission check if the caller
of bpf_sys_bpf comes from either kernel context or bpf programs.

An alternative to lifting this permission check would be introducing an
'unpriv' version of bpf_sys_bpf, which doesn't check the current task's
capability. If the owner of the tracing prog wants it to be exclusively
used by root users, they can use the 'priv' version of bpf_sys_bpf; if
the owner wants it to be usable for non-root users, they can use the
'unpriv' version.

Signed-off-by: Hao Luo
--- kernel/bpf/syscall.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 0a12f52fe8a9..3bf88002ee56 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -4613,7 +4613,7 @@ static int __sys_bpf(int cmd, bpfptr_t uattr, unsigned int size) union bpf_attr attr; int err; - if (sysctl_unprivileged_bpf_disabled && !bpf_capable()) + if (sysctl_unprivileged_bpf_disabled && !bpf_capable() && !uattr.is_kernel) return -EPERM; err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size); -- 2.35.1.574.g5d30c73bfb-goog
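
Review bot: The added `!uattr.is_kernel` term in the `-EPERM` condition of `__sys_bpf` skips the capability gate for every caller that passes a kernel bpfptr, while the commit message lists the check as necessary for calls from kernel context and only questions it for calls from bpf programs. Nothing in this hunk distinguishes those two paths, so an unprivileged current task gets past `sysctl_unprivileged_bpf_disabled` whenever `is_kernel` is set. Please either narrow the condition to the bpf-program path (or to the commands the cgroup use case needs), or take the 'unpriv' bpf_sys_bpf alternative from the commit message so the program owner opts in explicitly, and add a comment above the `if` stating why `is_kernel` is treated as trusted. Testing `!uattr.is_kernel` ahead of `bpf_capable()` would also skip the capability lookup on the kernel path.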