Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp3542327pxb; Mon, 4 Apr 2022 20:35:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwn6OgmC0obJPoeeY6e2ahPHd6vpl1tHQjk5wi9PMr6p9lV760U0t+ZziLqC6wo5oOJ+4Gc X-Received: by 2002:a63:f001:0:b0:399:2b1f:a38a with SMTP id k1-20020a63f001000000b003992b1fa38amr1170645pgh.244.1649129751697; Mon, 04 Apr 2022 20:35:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649129751; cv=none; d=google.com; s=arc-20160816; b=gJBjvKjDwZ1mwmgIdkCYEYhK0WbGBbyfJNEwhKbf1AP7bPvyOz1VY/gOrX9Hzp1DGT ahfmbqz9kd23oasMcQrjat0M4nE43x+Mi6KRrTkp4DX/5fl+XGsSVfX3uaGVpFe5Mnsq 9WoqbVM4IkENwWhnWvUDFa3Su8sZJuJjGhPLhJZsNSfO2kbjXGYCNHiBls9lSIycYW2y +VXQoIr0D3VGg1uFcJO3AhCJTUq+hSYfMt9AnowyOtoDH9WRssgV1lAr5PzbPp2tYHa5 k3avNM002hIDY8IGat2Rfv+2jcgHq0WTFIfRJGuwIzF6pwkOrwzmQh8STmhq9sBuzUl5 2LJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=zFyw1VrfGv7NEuMWOTezqzL8GubbV0WO1PDpwo/w7kk=; b=Z30vpjTS3gFXyul4KxKTQ0C74p03NtkEcWX3b0hK3nMxZFmjXPj4omqPhED99MM4hn P/TkrXsCaAf+7VJTQFx98ba8RmcM/jZANAn+EOnZgIlRBz8q1qddZEG0r1xAYMyV16xe LeVQ+Z7tKtjYjZQCLyTZ1CIoTYvl7/7QREvLgTfW7UDyEZkiSTRRLqW33foZWve0Nv7G 2A9XTRsEbz6VpgLjkh1owRuqa6A1+eYI8zyzG+YuOR9qrG8A4kJFqTQgDHLZdCWvR6fJ J4OmWKcipP8Ja8A37HDRc8F4RhTuza/cZjeaPMaaSdUCdlb6JaRz4HOhC8imDAqokrlv KBiA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=bWdBSLUI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id u12-20020a63790c000000b003822873c27dsi12424815pgc.572.2022.04.04.20.35.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Apr 2022 20:35:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=bWdBSLUI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 716C81F890C; Mon, 4 Apr 2022 19:36:19 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229792AbiDECiM (ORCPT + 99 others); Mon, 4 Apr 2022 22:38:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40012 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229759AbiDECiD (ORCPT ); Mon, 4 Apr 2022 22:38:03 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 76AAC2F495C for ; Mon, 4 Apr 2022 18:37:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id BC31A60DF4 for ; Tue, 5 Apr 2022 00:00:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 282E8C34110 for ; Tue, 5 Apr 2022 00:00:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1649116847; bh=zFyw1VrfGv7NEuMWOTezqzL8GubbV0WO1PDpwo/w7kk=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=bWdBSLUI+7ck2uFwst/Wr2cHYEkFknCnMDZocNWxNvOa3rFJhbrqzNivASRIfRJhp 7t3DEU5YrBy5rFZ4ShY4l38+2evMlYp7IH/ObNV8M4PbAjmpaO3OWWUqDTBq5b+c9q 6lacliLYrvxSnrUTvp7YTgzFHVeRfCi8sldoWjia0oC1pWGrP19M2LCFyWGSTd0rLC rE2PgTbkPbx+Pu0x9IYEoCCnFt3bSKR0b5ZQXd3MYaCkG8oXQeWylkwVVjEhdufkbp Ys3P/ySvPVSZqBrmKMzQg9VOI3IG2thADHEOji/U8F5mTR+j8nKmy0P4s5d5aaw46C OsX9BL2yYuvSw== Received: by mail-wr1-f41.google.com with SMTP id c7so16994207wrd.0 for ; Mon, 04 Apr 2022 17:00:47 -0700 (PDT) X-Gm-Message-State: AOAM530JX/kZKd9lIMJkLiymKLDJAGt6vBptKKzBxsddcC1IaxzfQia8 MRrHG1eXCaepwi/JNEHetM5NdbcUyGwzRssh7aIucw== X-Received: by 2002:aa7:c157:0:b0:418:f8e3:4c87 with SMTP id r23-20020aa7c157000000b00418f8e34c87mr671966edp.271.1649116835186; Mon, 04 Apr 2022 17:00:35 -0700 (PDT) MIME-Version: 1.0 References: <20220328175033.2437312-1-roberto.sassu@huawei.com> <20220331022727.ybj4rui4raxmsdpu@MBP-98dd607d3435.dhcp.thefacebook.com> <20220401235537.mwziwuo4n53m5cxp@MBP-98dd607d3435.dhcp.thefacebook.com> In-Reply-To: From: KP Singh Date: Tue, 5 Apr 2022 02:00:24 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 00/18] bpf: Secure and authenticated preloading of eBPF programs To: Alexei Starovoitov Cc: Roberto Sassu , Djalal Harouni , "corbet@lwn.net" , "viro@zeniv.linux.org.uk" , "ast@kernel.org" , "daniel@iogearbox.net" , "andrii@kernel.org" , "shuah@kernel.org" , "mcoquelin.stm32@gmail.com" , "alexandre.torgue@foss.st.com" , "zohar@linux.ibm.com" , "linux-doc@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" , "netdev@vger.kernel.org" , "bpf@vger.kernel.org" , "linux-kselftest@vger.kernel.org" , "linux-stm32@st-md-mailman.stormreply.com" , "linux-arm-kernel@lists.infradead.org" , "linux-integrity@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 5, 2022 at 12:49 AM Alexei Starovoitov wrote: > > On Mon, Apr 4, 2022 at 10:21 AM Roberto Sassu wrote: > > > > > From: Djalal Harouni [mailto:tixxdz@gmail.com] > > > Sent: Monday, April 4, 2022 9:45 AM > > > On Sun, Apr 3, 2022 at 5:42 PM KP Singh wrote: > > > > > > > > On Sat, Apr 2, 2022 at 1:55 AM Alexei Starovoitov > > > > wrote: > > > ... > > > > > > > > > > > Pinning > > > > > > them to unreachable inodes intuitively looked the > > > > > > way to go for achieving the stated goal. > > > > > > > > > > We can consider inodes in bpffs that are not unlinkable by root > > > > > in the future, but certainly not for this use case. > > > > > > > > Can this not be already done by adding a BPF_LSM program to the > > > > inode_unlink LSM hook? > > > > > > > > > > Also, beside of the inode_unlink... and out of curiosity: making sysfs/bpffs/ > > > readonly after pinning, then using bpf LSM hooks > > > sb_mount|remount|unmount... > > > family combining bpf() LSM hook... isn't this enough to: > > > 1. Restrict who can pin to bpffs without using a full MAC > > > 2. Restrict who can delete or unmount bpf filesystem > > > I like this approach better, you will have to restrict the BPF, if you want to implement MAC policy using BPF. Can you please try implementing something using these hooks? > > > ? > > > > I'm thinking to implement something like this. > > > > First, I add a new program flag called > > BPF_F_STOP_ONCONFIRM, which causes the ref count > > of the link to increase twice at creation time. In this way, > > user space cannot make the link disappear, unless a > > confirmation is explicitly sent via the bpf() system call. I don't like this approach, this just sounds like an intentional dangling reference, prone to refcounting errors and it does not really solve the purpose you want to achieve. And you will still need a policy around the BPF syscall, so why not just use the LSM hooks as suggested above? > > > > Another advantage is that other LSMs can decide > > whether or not they allow a program with this flag > > (in the bpf security hook). > > > > This would work regardless of the method used to > > load the eBPF program (user space or kernel space). > > > > Second, I extend the bpf() system call with a new > > subcommand, BPF_LINK_CONFIRM_STOP, which > > decreases the ref count for the link of the programs > > with the BPF_F_STOP_ONCONFIRM flag. I will also > > introduce a new security hook (something like > > security_link_confirm_stop), so that an LSM has the > > opportunity to deny the stop (the bpf security hook > > would not be sufficient to determine exactly for > > which link the confirmation is given, an LSM should > > be able to deny the stop for its own programs). > > > > What do you think? > > Hack upon a hack? Makes no sense.