Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp3496178pxb; Mon, 4 Apr 2022 18:50:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx4K84ODD6uFtH/4lVrAA+KQTggXIFQvwopgX2hU8r5cGlTI259gcqZV8JOPm0z/3cf2Wvj X-Received: by 2002:a63:ed17:0:b0:382:aad5:ff7c with SMTP id d23-20020a63ed17000000b00382aad5ff7cmr848168pgi.243.1649123455529; Mon, 04 Apr 2022 18:50:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649123455; cv=none; d=google.com; s=arc-20160816; b=nU4TxuABgfLWkZ/Cg07TT9ggAcg6h5LdWDfk1Km2wised3aHYd4Lh1v3buvVeGIlJU ATmMuV6VxVWYllrYDU1bWNJG0zwdq+rhwxmjsf8X9i8KbPXOWNfpI4dAeRxaqzkkDDWf aA+gXin/KkHDcsAGmcPG3o7zUYptPJF8Y6ZA/eBgQYajlicVKp7dQV9F1E8wbpjBit7w 5x5Gj2VK9YaZdvbcoui2crGpxXpdJADBgVq5+KtmcNjZ9tCeGeRA5hpI/1PIULvqtns1 AEq72oNzQVl2rljXBa8808FEln+q7Bkrw8RHUysSzeWDZ9TNstOMVokmrpzIIv8s7uBX VVWA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=IPddEyg+SttSZdKMwWWTwnt18c45hOfH5RFwD2ymD5A=; b=d3jLj/cjBhVz3LFNBr6W6wDd2i5ngHPMAvrzth/vIlAsGOJ9GxJ7yJ1PVEL14sCAD+ 7a6RXuJN7ver0UK+s9AYIZTh34SlF+YIOjdZjoq5O1rENnWhEMpgCfu3ignVDuMfW4VR ispq49XceYFeKQ+7VVIIG0xnzEmzEWOzbrr6JVtSFJZqY0n010+9wBLbvfkc1Aa1hgrK wgMRcrPtfCi9L7yMH78FMHYIi42ejdpHBUFU/t0Bx1jFOmR2wmeFCBY5Jc1AySXmiudK b4eeZ0pomXcCmBi8BF6WA0yunig0NfAcTyiTKZPs4o0DDB1grcdTaz1M0Ac4Q0ALEzQx gmlw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=rH7jNlrx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id lw6-20020a17090b180600b001cabe55b466si978162pjb.30.2022.04.04.18.50.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Apr 2022 18:50:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=rH7jNlrx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id CDA552D8679; Mon, 4 Apr 2022 17:52:45 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352366AbiDBBF2 (ORCPT + 99 others); Fri, 1 Apr 2022 21:05:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49866 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350006AbiDBBFX (ORCPT ); Fri, 1 Apr 2022 21:05:23 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 86DA632F for ; Fri, 1 Apr 2022 18:03:32 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0252061C24 for ; Sat, 2 Apr 2022 01:03:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 66A98C2BBE4 for ; Sat, 2 Apr 2022 01:03:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1648861411; bh=IbghA2dqiYhWXecxL6uJJ7n1Ce58U1f1jXhOOf0w2DA=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=rH7jNlrxTa2a7iQ8rdXTpvheqHOoZ4kAjGpdY38jgAgzwkKO+3ZmgO6y5/n1oMUVz FP9q39hyOcmErC6tdqUemW1IbK5qVuNlQ4CNXQ0IZMCNW6k9S75rkRJ9Dqq+Fi1EVc KIptMOjsavfxQ5q4X3PH5CwZZiXiOzofPIVssQfvOv1BKZpUvMCdo0Q3jA7QFEZ1nF PF4RIRMDFqND8oDYldVj57SuupX7nBKfTC2TgyQLXqQMXu9UqRYhnaUrmvIBNId1ye d5o50Lu1+117VrK9gAzpLOK60GBnnYSYTPFaF4CjQ4JvlsNjyeAlEVSqkMl6OdDBrN m1b0jI3XIpeKQ== Received: by mail-wr1-f50.google.com with SMTP id m30so6459911wrb.1 for ; Fri, 01 Apr 2022 18:03:31 -0700 (PDT) X-Gm-Message-State: AOAM532+gw3mZPfG8lrUeqy5w1kc5u+8+ODlCaRkDVqaesU+lFIpnx1n 8Igeym7mprpUE5cKMS6DXUClmL8Fq79yxpZjy0oPKw== X-Received: by 2002:a17:907:3f9e:b0:6da:842e:873e with SMTP id hr30-20020a1709073f9e00b006da842e873emr2038636ejc.383.1648861399066; Fri, 01 Apr 2022 18:03:19 -0700 (PDT) MIME-Version: 1.0 References: <20220328175033.2437312-1-roberto.sassu@huawei.com> <20220331022727.ybj4rui4raxmsdpu@MBP-98dd607d3435.dhcp.thefacebook.com> <20220401235537.mwziwuo4n53m5cxp@MBP-98dd607d3435.dhcp.thefacebook.com> In-Reply-To: <20220401235537.mwziwuo4n53m5cxp@MBP-98dd607d3435.dhcp.thefacebook.com> From: KP Singh Date: Sat, 2 Apr 2022 03:03:08 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 00/18] bpf: Secure and authenticated preloading of eBPF programs To: Alexei Starovoitov Cc: Roberto Sassu , "corbet@lwn.net" , "viro@zeniv.linux.org.uk" , "ast@kernel.org" , "daniel@iogearbox.net" , "andrii@kernel.org" , "shuah@kernel.org" , "mcoquelin.stm32@gmail.com" , "alexandre.torgue@foss.st.com" , "zohar@linux.ibm.com" , "linux-doc@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "netdev@vger.kernel.org" , "bpf@vger.kernel.org" , "linux-kselftest@vger.kernel.org" , "linux-stm32@st-md-mailman.stormreply.com" , "linux-arm-kernel@lists.infradead.org" , "linux-integrity@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Apr 2, 2022 at 1:55 AM Alexei Starovoitov wrote: > > On Thu, Mar 31, 2022 at 08:25:22AM +0000, Roberto Sassu wrote: > > > From: Alexei Starovoitov [mailto:alexei.starovoitov@gmail.com] > > > Sent: Thursday, March 31, 2022 4:27 AM > > > On Mon, Mar 28, 2022 at 07:50:15PM +0200, Roberto Sassu wrote: > > > > eBPF already allows programs to be preloaded and kept running without > > > > intervention from user space. There is a dedicated kernel module called > > > > bpf_preload, which contains the light skeleton of the iterators_bpf eBPF > > > > program. If this module is enabled in the kernel configuration, its loading > > > > will be triggered when the bpf filesystem is mounted (unless the module is > > > > built-in), and the links of iterators_bpf are pinned in that filesystem > > > > (they will appear as the progs.debug and maps.debug files). > > > > > > > > However, the current mechanism, if used to preload an LSM, would not > > > offer > > > > the same security guarantees of LSMs integrated in the security > > > subsystem. > > > > Also, it is not generic enough to be used for preloading arbitrary eBPF > > > > programs, unless the bpf_preload code is heavily modified. > > > > > > > > More specifically, the security problems are: > > > > - any program can be pinned to the bpf filesystem without limitations > > > > (unless a MAC mechanism enforces some restrictions); > > > > - programs being executed can be terminated at any time by deleting the > > > > pinned objects or unmounting the bpf filesystem. > > > > > > So many things to untangle here. > > > > Hi Alexei > > > > thanks for taking the time to provide such detailed > > explanation. > > > > > The above paragraphs are misleading and incorrect. > > > The commit log sounds like there are security issues that this > > > patch set is fixing. > > > This is not true. +1 these are not security issues. They are limitations of your MAC policy. > > > > I reiterate the goal: enforce a mandatory policy with > > an out-of-tree LSM (a kernel module is fine), with the > > same guarantees of LSMs integrated in the security > > subsystem. > > To make it 100% clear: > Any in-kernel feature that benefits out-of-tree module will be rejected. > > > The root user is not part of the TCB (i.e. is untrusted), > > all the changes that user wants to make must be subject > > of decision by the LSM enforcing the mandatory policy. > > > > I thought about adding support for LSMs from kernel > > modules via a new built-in LSM (called LoadLSM), but Kernel modules cannot implement LSMs, this has already been proposed on the lists and has been rejected. > > Such approach will be rejected. See above. > > > > I suspect there is huge confusion on what these two "progs.debug" > > > and "maps.debug" files are in a bpffs instance. > > > They are debug files to pretty pring loaded maps and progs for folks who > > > like to use 'cat' to examine the state of the system instead of 'bpftool'. > > > The root can remove these files from bpffs. > > > > > > There is no reason for kernel module to pin its bpf progs. > > > If you want to develop DIGLIM as a kernel module that uses light skeleton > > > just do: > > > #include > > > #include > > > #include "diglim.lskel.h" > > > > > > static struct diglim_bpf *skel; > > > > > > static int __init load(void) > > > { > > > skel = diglim_bpf__open_and_load(); > > > err = diglim_bpf__attach(skel); > > > } > > > /* detach skel in __fini */ > > > > > > It's really that short. > > > > > > Then you will be able to > > > - insmod diglim.ko -> will load and attach bpf progs. > > > - rmmod diglim -> will detach them. > > > > root can stop the LSM without consulting the security > > policy. The goal of having root untrusted is not achieved. Ofcourse, this is an issue, if you are using BPF to define a MAC policy, the policy needs to be comprehensive to prevent itself from being overridden. This is why We have so many LSM hooks. If you think some are missing, let's add them. This is why implementing a policy is not trivial, but we need to allow users to build such policies with the help from the kernel and not by using out-of-tree modules. I do think we can add some more helpers (e.g. for modifying xattrs from BPF) that would help us build complex policies. > > Out-of-tree module can do any hack. > For example: > 1. don't do detach skel in __fini > rmmod will remove the module, but bpf progs will keep running. > 2. do module_get(THIS_MODULE) in __init > rmmod will return EBUSY > and have some out-of-band way of dropping mod refcnt. > 3. hack into sys_delete_module. if module_name==diglem return EBUSY. > 4. add proper LSM hook to delete_module +1 I recommend this (but not from an out of tree module) > > > My point was that pinning progs seems to be the > > recommended way of keeping them running. > > Not quite. bpf_link refcnt is what keeps progs attached. > bpffs is mainly used for: > - to pass maps/links from one process to another > when passing fd is not possible. > - to solve the case of crashing user space. > The user space agent will restart and will pick up where > it's left by reading map, link, prog FDs from bpffs. > - pinning bpf iterators that are later used to 'cat' such files. > That is what bpf_preload is doing by creating two debug > files "maps.debug" and "progs.debug". > > > Pinning > > them to unreachable inodes intuitively looked the > > way to go for achieving the stated goal. > > We can consider inodes in bpffs that are not unlinkable by root > in the future, but certainly not for this use case. Can this not be already done by adding a BPF_LSM program to the inode_unlink LSM hook? > > > Or maybe I > > should just increment the reference count of links > > and don't decrement during an rmmod? > > I suggest to abandon out-of-tree goal. > Only then we can help and continue this discussion. +1