From: Matteo Croce
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, linux-kernel@vger.kernel.org
Subject: [PATCH] bpf: make unprivileged BPF a compile time choice
Date: Tue, 5 Apr 2022 00:03:14 +0200
Message-Id: <20220404220314.112912-1-mcroce@linux.microsoft.com>

From: Matteo Croce

Add a compile time option to permanently disable unprivileged BPF and the corresponding sysctl handler so that there's absolutely no concern about unprivileged BPF being enabled from userspace during runtime. Special purpose kernels can benefit from the build-time assurance that unprivileged eBPF is disabled in all of their kernel builds rather than having to rely on userspace to permanently disable it at boot time.

The default behaviour is left unchanged, which is: unprivileged BPF compiled in but disabled at boot.

Signed-off-by: Matteo Croce --- kernel/bpf/Kconfig | 10 +++++++++- kernel/bpf/syscall.c | 4 +++- kernel/sysctl.c | 4 ++++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index d56ee177d5f8..dfaef1ac1516 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -67,10 +67,18 @@ config BPF_JIT_DEFAULT_ON def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON depends on HAVE_EBPF_JIT && BPF_JIT +config BPF_UNPRIV + bool "Unprivileged BPF" + default y + depends on BPF_SYSCALL + help + Enables unprivileged BPF and the corresponding + /proc/sys/kernel/unprivileged_bpf_disabled knob. + config BPF_UNPRIV_DEFAULT_OFF bool "Disable unprivileged BPF by default" default y - depends on BPF_SYSCALL + depends on BPF_UNPRIV help Disables unprivileged BPF by default by setting the corresponding /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index cdaa1152436a..b7e6aca87a18 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -53,7 +53,9 @@ static DEFINE_IDR(link_idr); static DEFINE_SPINLOCK(link_idr_lock); int sysctl_unprivileged_bpf_disabled __read_mostly = - IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0; + IS_BUILTIN(CONFIG_BPF_UNPRIV) ? + (IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0) + : 1; static const struct bpf_map_ops * const bpf_map_types[] = { #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 830aaf8ca08e..a5b6e960ca58 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -184,6 +184,7 @@ void __weak unpriv_ebpf_notify(int new_state) { } +#ifdef CONFIG_BPF_UNPRIV static int bpf_unpriv_handler(struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { @@ -206,6 +207,7 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write, return ret; } +#endif /* CONFIG_BPF_UNPRIV */ #endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */ /* 
@@ -2300,6 +2302,7 @@ static struct ctl_table kern_table[] = { }, #endif #ifdef CONFIG_BPF_SYSCALL +#ifdef CONFIG_BPF_UNPRIV { .procname = "unprivileged_bpf_disabled", .data = &sysctl_unprivileged_bpf_disabled, @@ -2309,6 +2312,7 @@ static struct ctl_table kern_table[] = { .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_TWO, }, +#endif { .procname = "bpf_stats_enabled", .data = &bpf_stats_enabled_key.key, -- 2.35.1
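
Review bot: the help text of the new BPF_UNPRIV entry in kernel/bpf/Kconfig only describes the =y case. It should also say what selecting N does, namely that unprivileged BPF is permanently disabled and /proc/sys/kernel/unprivileged_bpf_disabled is not created, and give the usual "If unsure, say Y" guidance, since N is the setting hardened builds will be looking for.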
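
Review bot: in the kernel/bpf/syscall.c hunk, sysctl_unprivileged_bpf_disabled remains a plain writable int marked __read_mostly when CONFIG_BPF_UNPRIV is off; only its initial value changes to 1. The commit message promises a build-time assurance, so consider making the variable const (or a constant macro) in that configuration, so that no other kernel code can change it and the checks against it can be folded away. A short comment next to the nested ternary saying what 0, 1 and 2 mean would also help.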
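
Review bot: in the first kernel/sysctl.c hunk the new #ifdef CONFIG_BPF_UNPRIV opens after the __weak unpriv_ebpf_notify() stub, so the stub is still built when the option is off. If bpf_unpriv_handler() is its only user in this file, move the #ifdef up to cover the stub as well, or note in the commit message why it has to stay.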
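
Review bot: in the kern_table hunk of kernel/sysctl.c the unprivileged_bpf_disabled entry disappears entirely when CONFIG_BPF_UNPRIV is off, so tools that read the knob to audit a system get a missing file instead of a value. Consider keeping the entry read-only so that it reports 1, or document the missing file as the signal for "compiled out". The closing #endif here also lacks the /* CONFIG_BPF_UNPRIV */ comment that the handler's #endif carries.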