Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <f539bfef-c098-5ff0-51ef-bfa8fd0c4661@meta.com>
Date:   Tue, 17 Jan 2023 09:24:56 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0)
 Gecko/20100101 Thunderbird/102.6.1
Subject: Re: [PATCH] bpf: security enhancement by limiting the offensive eBPF
 helpers
Content-Language: en-US
To:     WritePaper <clangllvm@126.com>, ast@kernel.org,
        daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev,
        song@kernel.org, yhs@fb.com
Cc:     john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com,
        haoluo@google.com, jolsa@kernel.org, rostedt@goodmis.org,
        mhiramat@kernel.org, bpf@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org
References: <20230117151256.605977-1-clangllvm@126.com>
From:   Yonghong Song <yhs@meta.com>
In-Reply-To: <20230117151256.605977-1-clangllvm@126.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?emhId0xpQjM4dEJzMHordkwxRDlmNFdrcGl5Tm5ENUVVZ0IwOW14ME1zdFd0?=
 =?utf-8?B?SFlTRGRXejl1OHowcGdadGFlNjNiUCs0RzQ3T2Z4UEJVZ0Mwa3plN21RYldw?=
 =?utf-8?B?bVJZYUk1dmVPKzA2bHlkbWk3bWZoRnN6ZjlIOEFiWEMvRjBoaXQ4WHp5cUlE?=
 =?utf-8?B?WEpmcEI3RVNMNGE1YWxRS2ZTdEE3WkQ1SnBLZ1FpbHNOMlVNQjB3ZGVOWnky?=
 =?utf-8?B?TlZyWUZ1U0RiazV5Ty80aHM0NzZtYnl2Uk1Bd0NLZmZQTTlIYnNiQmRWSjlM?=
 =?utf-8?B?M2NWTVRRbGtSaDRVQ0h0cHY3elZHeTRJUDMrUGkwL3RJVWJPc3plRUtzdmpo?=
 =?utf-8?B?blUvUGN4REdKb05NUWNYcW4wbktpVVc1VmVyeUUveTM3TXZWYjlnUFh1UEN6?=
 =?utf-8?B?Q3dLUjVlckRJTWdiRDR3dldvZDgySGZKL3hjV0pRUW1Pd3hHZzltajJTSVBH?=
 =?utf-8?B?cWRYZUlyNTMzVHZLT1pRdHR4cnZibXUxZzZrL0lLb1hNR0ZmaDA2T0RBTHN5?=
 =?utf-8?B?T1Bmak9oWTdYQXBOQStDYVI1R2hON21xWTBiWFhBMGZoTHlKaTVadU0vODBz?=
 =?utf-8?B?QjV4bnJrTjAwdUdjWG5EMm5ma3Y1SDRpWEZ5RHF2dTBSaUJHMHdVRGxKUEg3?=
 =?utf-8?B?L3VhT2JvZHo2SW53NFJ0a0VkNllRMHhSS2ljNVJxbFJRYUszVG1sV1BPTG1O?=
 =?utf-8?B?ai9LS0MyeC9ra1lVYkNMYkdnbkNUSURXdEY4Y0h0NGN4YXJzM0JveUhKMHdK?=
 =?utf-8?B?b2l6ZUxPZkt4Z1pUZ2NELzBCY3V3WlQ4eDczY1A2bGdhYWJYL2t5RkZQT3ps?=
 =?utf-8?B?NkhaRlpDdnJvcmpyc3REaHo3TVJsRzhGMWc0cHQ5R3p4MkoxWlFWVk9DSVpF?=
 =?utf-8?B?ckxwMWxVMnFZTkY0c2pqakYwRlpUbmJacnh4QWszbzdVeld0TUp0aDFiRGZj?=
 =?utf-8?B?RWZtRi84THMyaVNYRUp1dGxQMGNmeEl4NTRZdTR1VmlDUzQ4YjlSTHBRSHRX?=
 =?utf-8?B?WHhqTTF0TlpSajdSWXR0OWdEanNMM0VTMUlUZC9UN0d2QmZXTCthMkVTaHM5?=
 =?utf-8?B?T0FwcHorbFVmaEtuZlI5NlJOemM3aUZMdzFFdTk3TmRzUE1YM0NhZWsxSEp3?=
 =?utf-8?B?MmhZYzJsQVUxcDhLZVBEZGluUlRDM25yNFJ4ZFVVakVROWZpeUxFVThyeEd1?=
 =?utf-8?B?Z2pHRndCZjRDSFBUcVoxY2FLcjZGek5aNkJsMVk3RC9wNjhxaFNlQjgrN1JM?=
 =?utf-8?B?eFVienBwWWVIWXhzVjNxVHl0UmNLbDhqNFZDZnI2dGRkMVJDWm0rMGVqbXRn?=
 =?utf-8?B?ck5FVDNVcjdiU2ZNVjUrbGR0T3N2K3UvSWZrSXpkdDRFQ2JCc0RwZGdNT2ti?=
 =?utf-8?B?clNxQ01pdElCTDdXWWRPcFhZQUxOWTk5VWJjYjNoS3krZms3aEFSOGEvZ2I2?=
 =?utf-8?B?cW95UmhJK2JoY2VmZnRXd1kwL2Vacmg4WmhyUkYyN0pXdDdtNEJXbmViajU0?=
 =?utf-8?B?VVhKbE91cVUycUUrWnZGUnRYTHl3Q2JRRDVRaGN5SUlOY3R3bzU0Q3JDSG5H?=
 =?utf-8?B?amNnTi9nRUVnbENCZ1ZIQ3ovWkMwK0xqbTkxUTd5ZEV5WTE4a2lHM3ovWm91?=
 =?utf-8?B?MERRSTVFYmdyb1dYbUhKRXZaQUZrSitIbFc5czErdmJFK0N5RUlMOWdkZ3BF?=
 =?utf-8?B?TnBmT2lOK2ZubGkxaUxHWC84WUJQdkt2WmJJUXFFWlg5UnVic0hLZkJLQ0pG?=
 =?utf-8?B?QVdzK0RXSGsyYzBBeVdMOEdKRExNa1FrSFo1d0RidlhQdG5rdGNadHlyMWg3?=
 =?utf-8?B?NTBsVk12T0s2bVF0QzZIdVg2Wk9sa0xyOGJVTWFKblJMWkQ4bW4rNk5zK3dh?=
 =?utf-8?B?TWZXY2psL1BPbTVLNU9iMUhLb1R5Y3pqK1J4M0JCc25RM2NOYWkvQkJ1RWtB?=
 =?utf-8?B?a080bzJxWlJPczNmam9FcnlIM2ZteVFDdjVIY0FpT0ZzVGp3aUo0RlZ4U0tn?=
 =?utf-8?B?VHJGMkxrQlVBdkdTUFV2c0Fnd2lPNEpNdEI0ZWIwZFFMMjQ3R3I4bHFxcTFC?=
 =?utf-8?B?cndNczJOVnNzL1hjNmR0VVM4Tk9ROGNjOGF4ekhhMzlma3Fta3BjUXZDZTRC?=
 =?utf-8?B?WTUxR0hoSTNKZFZHdWwzNmhCSWUraEx2TVZWcVJUV0RVbTRWSzk4WWR4RGZj?=
 =?utf-8?B?Z2c9PQ==?=
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-Network-Message-Id: eab1b4f9-6eb4-4f67-ffae-08daf8afc2c7
X-MS-Exchange-CrossTenant-AuthSource: SN6PR1501MB2064.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Jan 2023 17:24:59.8604
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: vGrXcCYczCj2Guuqs28+VK35aBpM8QBFanak2KfS+L/201TLrHFl+Jv+5+GOCySM
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR15MB3799
X-Proofpoint-ORIG-GUID: Ih4rGLEPaq3irxn-PFc9X08b07kzoQAe
X-Proofpoint-GUID: Ih4rGLEPaq3irxn-PFc9X08b07kzoQAe
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.219,Aquarius:18.0.923,Hydra:6.0.562,FMLib:17.11.122.1
 definitions=2023-01-17_08,2023-01-17_01,2022-06-22_01
X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 1/17/23 7:12 AM, WritePaper wrote:
> The bpf_send_singal and bpf_override_return is similar to
> bpf_write_user and can affect userspace processes. Thus, these two
> helpers should also be constraint by security lockdown.
> 
> Signed-off-by: WritePaper <clangllvm@126.com>
> ---
>   include/linux/security.h | 3 +++
>   kernel/trace/bpf_trace.c | 6 ++++--
>   2 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 5b67f208f..cb90b2860 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -123,6 +123,9 @@ enum lockdown_reason {
>   	LOCKDOWN_DEBUGFS,
>   	LOCKDOWN_XMON_WR,
>   	LOCKDOWN_BPF_WRITE_USER,
> +	LOCKDOWN_BPF_SEND_SIGNAL,
> +	LOCKDOWN_BPF_OVERRIDE_RETURN,
> +	LOCKDOWN_OFFENSIVE_BPF_MAX,

LOCKDOWN_OFFENSIVE_BPF_MAX is not used.

>   	LOCKDOWN_DBG_WRITE_KERNEL,
>   	LOCKDOWN_RTAS_ERROR_INJECTION,
>   	LOCKDOWN_INTEGRITY_MAX,
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 3bbd3f0c8..3a80f4b6f 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -1463,7 +1463,8 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>   		return &bpf_cgrp_storage_delete_proto;
>   #endif
>   	case BPF_FUNC_send_signal:
> -		return &bpf_send_signal_proto;
> +		return security_locked_down(LOCKDOWN_BPF_SEND_SIGNAL) < 0 ?
> +		       NULL : &bpf_send_signal_proto;

You should add the same security_locked_down(LOCKDOWN_BPF_SEND_SIGNAL) 
check with below bpf_send_signal_thread() helper.

>   	case BPF_FUNC_send_signal_thread:
>   		return &bpf_send_signal_thread_proto;
>   	case BPF_FUNC_perf_event_read_value:
> @@ -1531,7 +1532,8 @@ kprobe_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>   		return &bpf_get_stack_proto;
>   #ifdef CONFIG_BPF_KPROBE_OVERRIDE
>   	case BPF_FUNC_override_return:
> -		return &bpf_override_return_proto;
> +		return security_locked_down(LOCKDOWN_BPF_OVERRIDE_RETURN) < 0 ?
> +		       NULL : &bpf_override_return_proto;
>   #endif
>   	case BPF_FUNC_get_func_ip:
>   		return prog->expected_attach_type == BPF_TRACE_KPROBE_MULTI ?