Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp3497443pxb; Mon, 4 Apr 2022 18:53:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy+xpwfwjjnAtdo8wSO2TGUCzDVzjvOXKAjBeS9NhliDaVp4hp3pETlAKkBgY3dCgr9Ywuy X-Received: by 2002:a63:310c:0:b0:386:afa:45bb with SMTP id x12-20020a63310c000000b003860afa45bbmr900768pgx.133.1649123622695; Mon, 04 Apr 2022 18:53:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649123622; cv=none; d=google.com; s=arc-20160816; b=APQyszq9ewIet8bEH4HgVIiqABiLRWT8CujbGppCbOJnegPLOZSOBZ/sq9TOIrOnVZ bqxnfEpaKOqTIznLyE9/2ANFaw8EDHFG5DtmApnGT+YuOHGOuaFcYY0I6iPCm0vMmdEJ GNM38l4VA5fT+ukSze1c5NcSShvgx08GoBUUwjcLAZLNvEGifhQ93b4S/5GpaNzbnp1B OvRa6R0zs3Q0xwwA2giKvLR1YMTQKM/kWnS8AvRe+UxiotY8XI2bQjFx2PaUZC7c/Wkq V5NqX+loPCVGF6fCcalYG4vSKIUPAzE5r524LSD8u/6o/QxdjhutpeQyiRRFC2+0MUUN o8yQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=DiZpMTn/EVNY/pnuPoizyqHMne6cPx1y5mye2ibx/ok=; b=tbaSiexy5DbHifPGOAgEbo8WA4vAR6DbPefai9NumSaE4WVPbadM33oCp3e7peOgzJ RMMHK3AiNkEBf+f8Jak1rEo2gTK5d5ADbmx09WWbZx9kiagZDFqarRaPFDPckHVS/v67 h/2DXhWiNwto8l+QY/o4y9gPWnByvv/lD7UbL+XcywzrBDebK0PvEIBG/HMZoKXIS/TB GIDNGRv57E/VJlw8tvYiN7hpCFhoDMB7J4frWUeGYGufYe7pcqZH1voVq427nYslrZKU KwbVH24qXqu+DLfMQnbh/iZse3h0hObwM/wZvJvp98rKyoGcGEt+hVpFPwUVqiSzaT+r 15LA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=bgnp+RZ4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id pg11-20020a17090b1e0b00b001bd14e03053si919811pjb.43.2022.04.04.18.53.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Apr 2022 18:53:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=bgnp+RZ4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D0BFB2CB3BD; Mon, 4 Apr 2022 17:57:13 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241963AbiDDXNi (ORCPT + 99 others); Mon, 4 Apr 2022 19:13:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57918 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243817AbiDDXLn (ORCPT ); Mon, 4 Apr 2022 19:11:43 -0400 Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 162182CCBE; Mon, 4 Apr 2022 15:49:21 -0700 (PDT) Received: by mail-pl1-x636.google.com with SMTP id n18so9354987plg.5; Mon, 04 Apr 2022 15:49:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DiZpMTn/EVNY/pnuPoizyqHMne6cPx1y5mye2ibx/ok=; b=bgnp+RZ4/8nfeh0NMWErXmEtEshX86JerNFp8dq/RD44FxWiFAl972gOEJDqV++XyA By4VZtAU4QVALrso+XOALjElN48YFB3TiZeU9RcQxb+9XSdszdEltEwvn9K8oecLmXTQ TQQfzdCYgQyp4jsdjY5EwU/Uh3faCKJvnJbzu8VpGOGyjkhm+VjdOWOKNFg2CdC9WIHu 9qKlg3mhSFcqJlntThMyi4VG3ISf3oNk+2Ry4A/oRGT+IxjxU5e24QVPCkZiEspbB6Ae CcLSJd1INuQNNkvMz1KILSOVf2EODqUP+szWpO3DLZgvPGzGiBVeiL6R9WCUXhOUmtMv ed7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DiZpMTn/EVNY/pnuPoizyqHMne6cPx1y5mye2ibx/ok=; b=nSCgURZ9JtxcJTR+gACePQ7grQ99Rs3SQJCalGLbJ+at5C/uDs3SiSxMp25l1hEy06 vLzTo/Y4/4+bIaiHf4ryPBEyur+gKx+PC6L1CE8BwZbRj1v33J5h6stAYgHNs1dQyC27 EEtaLda69g5EbVG5ZavTivO78JyH/thLvgSkEkgkS8KiWK07yg4GpV91nWfONClwId0q 9gakhqxUbknXKhWvStYfxRkG8VVJuWJl/HfEUAlN7dB0bXdiq4uehDEUDTQ9HW9oMQky VTbYsyEOuNUHHJAhDmZoN2BXvagxwZnZel7ozHsvqg5F45QmItecDpsHPAcLpBw+DDDh 5Puw== X-Gm-Message-State: AOAM531MhNqDQmgeDTREiYYf8WTj6/maWDYT/GssIs2GpwqiBtA595Yi lPvLCizoW27lrkeKoGvYVMEs47HZn3ALs1YRYD0= X-Received: by 2002:a17:902:ba83:b0:154:727e:5fc5 with SMTP id k3-20020a170902ba8300b00154727e5fc5mr475882pls.55.1649112560582; Mon, 04 Apr 2022 15:49:20 -0700 (PDT) MIME-Version: 1.0 References: <20220328175033.2437312-1-roberto.sassu@huawei.com> <20220331022727.ybj4rui4raxmsdpu@MBP-98dd607d3435.dhcp.thefacebook.com> <20220401235537.mwziwuo4n53m5cxp@MBP-98dd607d3435.dhcp.thefacebook.com> In-Reply-To: From: Alexei Starovoitov Date: Mon, 4 Apr 2022 15:49:09 -0700 Message-ID: Subject: Re: [PATCH 00/18] bpf: Secure and authenticated preloading of eBPF programs To: Roberto Sassu Cc: Djalal Harouni , KP Singh , "corbet@lwn.net" , "viro@zeniv.linux.org.uk" , "ast@kernel.org" , "daniel@iogearbox.net" , "andrii@kernel.org" , "shuah@kernel.org" , "mcoquelin.stm32@gmail.com" , "alexandre.torgue@foss.st.com" , "zohar@linux.ibm.com" , "linux-doc@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "netdev@vger.kernel.org" , "bpf@vger.kernel.org" , "linux-kselftest@vger.kernel.org" , "linux-stm32@st-md-mailman.stormreply.com" , "linux-arm-kernel@lists.infradead.org" , "linux-integrity@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 4, 2022 at 10:21 AM Roberto Sassu wrote: > > > From: Djalal Harouni [mailto:tixxdz@gmail.com] > > Sent: Monday, April 4, 2022 9:45 AM > > On Sun, Apr 3, 2022 at 5:42 PM KP Singh wrote: > > > > > > On Sat, Apr 2, 2022 at 1:55 AM Alexei Starovoitov > > > wrote: > > ... > > > > > > > > > Pinning > > > > > them to unreachable inodes intuitively looked the > > > > > way to go for achieving the stated goal. > > > > > > > > We can consider inodes in bpffs that are not unlinkable by root > > > > in the future, but certainly not for this use case. > > > > > > Can this not be already done by adding a BPF_LSM program to the > > > inode_unlink LSM hook? > > > > > > > Also, beside of the inode_unlink... and out of curiosity: making sysfs/bpffs/ > > readonly after pinning, then using bpf LSM hooks > > sb_mount|remount|unmount... > > family combining bpf() LSM hook... isn't this enough to: > > 1. Restrict who can pin to bpffs without using a full MAC > > 2. Restrict who can delete or unmount bpf filesystem > > > > ? > > I'm thinking to implement something like this. > > First, I add a new program flag called > BPF_F_STOP_ONCONFIRM, which causes the ref count > of the link to increase twice at creation time. In this way, > user space cannot make the link disappear, unless a > confirmation is explicitly sent via the bpf() system call. > > Another advantage is that other LSMs can decide > whether or not they allow a program with this flag > (in the bpf security hook). > > This would work regardless of the method used to > load the eBPF program (user space or kernel space). > > Second, I extend the bpf() system call with a new > subcommand, BPF_LINK_CONFIRM_STOP, which > decreases the ref count for the link of the programs > with the BPF_F_STOP_ONCONFIRM flag. I will also > introduce a new security hook (something like > security_link_confirm_stop), so that an LSM has the > opportunity to deny the stop (the bpf security hook > would not be sufficient to determine exactly for > which link the confirmation is given, an LSM should > be able to deny the stop for its own programs). > > What do you think? Hack upon a hack? Makes no sense.