From: Andrii Nakryiko
Date: Tue, 29 Mar 2022 16:51:22 -0700
Subject: Re: [PATCH 00/18] bpf: Secure and authenticated preloading of eBPF programs
To: Roberto Sassu
Cc: Jonathan Corbet, Al Viro, Alexei Starovoitov, Daniel Borkmann,
    Andrii Nakryiko, KP Singh, Shuah Khan, mcoquelin.stm32@gmail.com,
    alexandre.torgue@foss.st.com, Mimi Zohar, Linux Doc Mailing List,
    linux-fsdevel@vger.kernel.org, Networking, bpf,
    "open list:KERNEL SELFTEST FRAMEWORK",
    linux-stm32@st-md-mailman.stormreply.com, linux-arm-kernel,
    linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org,
    open list
In-Reply-To: <20220328175033.2437312-1-roberto.sassu@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 28,
2022 at 10:51 AM Roberto Sassu wrote:
>
> eBPF already allows programs to be preloaded and kept running without
> intervention from user space. There is a dedicated kernel module called
> bpf_preload, which contains the light skeleton of the iterators_bpf eBPF
> program. If this module is enabled in the kernel configuration, its loading
> will be triggered when the bpf filesystem is mounted (unless the module is
> built-in), and the links of iterators_bpf are pinned in that filesystem
> (they will appear as the progs.debug and maps.debug files).
>
> However, the current mechanism, if used to preload an LSM, would not offer
> the same security guarantees of LSMs integrated in the security subsystem.
> Also, it is not generic enough to be used for preloading arbitrary eBPF
> programs, unless the bpf_preload code is heavily modified.
>
> More specifically, the security problems are:
> - any program can be pinned to the bpf filesystem without limitations
>   (unless a MAC mechanism enforces some restrictions);
> - programs being executed can be terminated at any time by deleting the
>   pinned objects or unmounting the bpf filesystem.
>
> The usability problems are:
> - only a fixed amount of links can be pinned;
> - only links can be pinned, other object types are not supported;
> - code to pin objects has to be written manually;
> - preloading multiple eBPF programs is not practical, bpf_preload has to be
>   modified to include additional light skeletons.
>
> Solve the security problems by mounting the bpf filesystem from the kernel,
> by preloading authenticated kernel modules (e.g. with module.sig_enforce)
> and by pinning objects to that filesystem. This particular filesystem
> instance guarantees that desired eBPF programs run until the very end of
> the kernel lifecycle, since even root cannot interfere with it.
>
> Solve the usability problems by generalizing the pinning function, to
> handle not only links but also maps and progs.
> Also increment the object
> reference count and call the pinning function directly from the preload
> method (currently in the bpf_preload kernel module) rather than from the
> bpf filesystem code itself, so that a generic eBPF program can do those
> operations depending on its objects (this also avoids the limitation of the
> fixed-size array for storing the objects to pin).
>
> Then, simplify the process of pinning objects defined by a generic eBPF
> program by automatically generating the required methods in the light
> skeleton. Also, generate a separate kernel module for each eBPF program to
> preload, so that existing ones don't have to be modified. Finally, support
> preloading multiple eBPF programs by allowing users to specify a list from
> the kernel configuration, at build time, or with the new kernel option
> bpf_preload_list=, at run-time.
>
> To summarize, this patch set makes it possible to plug in out-of-tree LSMs
> matching the security guarantees of their counterpart in the security
> subsystem, without having to modify the kernel itself. The same benefits
> are extended to other eBPF program types.
>
> Only one remaining problem is how to support auto-attaching eBPF programs
> with LSM type. It will be solved with a separate patch set.
>
> Patches 1-2 export some definitions, to build out-of-tree kernel modules
> with eBPF programs to preload. Patches 3-4 allow eBPF programs to pin
> objects by themselves. Patches 5-10 automatically generate the methods for
> preloading in the light skeleton. Patches 11-14 make it possible to preload
> multiple eBPF programs. Patch 15 automatically generates the kernel module
> for preloading an eBPF program, patch 16 does a kernel mount of the bpf
> filesystem, and finally patches 17-18 test the functionality introduced.
>

This approach of moving tons of pretty generic code into lskel codegen
seems suboptimal. Why does so much code have to be code-generated,
especially that tiny module code?
Can you please elaborate on why it can't be done in a way that doesn't
require such extensive light skeleton codegen changes?

> Roberto Sassu (18):
>   bpf: Export bpf_link_inc()
>   bpf-preload: Move bpf_preload.h to include/linux
>   bpf-preload: Generalize object pinning from the kernel
>   bpf-preload: Export and call bpf_obj_do_pin_kernel()
>   bpf-preload: Generate static variables
>   bpf-preload: Generate free_objs_and_skel()
>   bpf-preload: Generate preload()
>   bpf-preload: Generate load_skel()
>   bpf-preload: Generate code to pin non-internal maps
>   bpf-preload: Generate bpf_preload_ops
>   bpf-preload: Store multiple bpf_preload_ops structures in a linked
>     list
>   bpf-preload: Implement new registration method for preloading eBPF
>     programs
>   bpf-preload: Move pinned links and maps to a dedicated directory in
>     bpffs
>   bpf-preload: Switch to new preload registration method
>   bpf-preload: Generate code of kernel module to preload
>   bpf-preload: Do kernel mount to ensure that pinned objects don't
>     disappear
>   bpf-preload/selftests: Add test for automatic generation of preload
>     methods
>   bpf-preload/selftests: Preload a test eBPF program and check pinned
>     objects

Please use proper prefixes: bpf (for kernel-side changes), libbpf,
bpftool, selftests/bpf, etc.

>
>  .../admin-guide/kernel-parameters.txt         |   8 +
>  fs/namespace.c                                |   1 +
>  include/linux/bpf.h                           |   5 +
>  include/linux/bpf_preload.h                   |  37 ++
>  init/main.c                                   |   2 +
>  kernel/bpf/inode.c                            | 295 +++++++++--
>  kernel/bpf/preload/Kconfig                    |  25 +-
>  kernel/bpf/preload/bpf_preload.h              |  16 -
>  kernel/bpf/preload/bpf_preload_kern.c         |  85 +---
>  kernel/bpf/preload/iterators/Makefile         |   9 +-
>  .../bpf/preload/iterators/iterators.lskel.h   | 466 +++++++++++-------
>  kernel/bpf/syscall.c                          |   1 +
>  .../bpf/bpftool/Documentation/bpftool-gen.rst |  13 +
>  tools/bpf/bpftool/bash-completion/bpftool     |   6 +-
>  tools/bpf/bpftool/gen.c                       | 331 +++++++++++++
>  tools/bpf/bpftool/main.c                      |   7 +-
>  tools/bpf/bpftool/main.h                      |   1 +
>  tools/testing/selftests/bpf/Makefile          |  32 +-
>  .../bpf/bpf_testmod_preload/.gitignore        |   7 +
>  .../bpf/bpf_testmod_preload/Makefile          |  20 +
>  .../gen_preload_methods.expected.diff         |  97 ++++
>  .../bpf/prog_tests/test_gen_preload_methods.c |  27 +
>  .../bpf/prog_tests/test_preload_methods.c     |  69 +++
>  .../selftests/bpf/progs/gen_preload_methods.c |  23 +
>  24 files changed, 1246 insertions(+), 337 deletions(-)
>  create mode 100644 include/linux/bpf_preload.h
>  delete mode 100644 kernel/bpf/preload/bpf_preload.h
>  create mode 100644 tools/testing/selftests/bpf/bpf_testmod_preload/.gitignore
>  create mode 100644 tools/testing/selftests/bpf/bpf_testmod_preload/Makefile
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/gen_preload_methods.expected.diff
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/test_gen_preload_methods.c
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/test_preload_methods.c
>  create mode 100644 tools/testing/selftests/bpf/progs/gen_preload_methods.c
>
> --
> 2.32.0
>