Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp229120rwd; Wed, 17 May 2023 17:42:05 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6SrHVVTnYsnp9U2UcdWIEKAKXVxlz/X5cG8ZT+7cRjEQZSr1NZ+8brJ9zxw5mow40e71HS X-Received: by 2002:a17:902:ab1d:b0:1ac:aaf6:ee48 with SMTP id ik29-20020a170902ab1d00b001acaaf6ee48mr575179plb.67.1684370525118; Wed, 17 May 2023 17:42:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684370525; cv=none; d=google.com; s=arc-20160816; b=M3VAP/fwcVO7Am8JVA6Q7m8+EpDeVQlU54uRJ7/PnB0/8JFCuqWtx1xeZimzLfL6t7 2Aah/j3NNnAe4A9RgoYVixGiS9y/f8l5682TslvXFJqkNYJ4rW/Tu7MZW1pDphkx6aPB mFPftv44VkHKhSuGrCvB60gi5ct9hDi8Y7CdCvVcmujXENEn+Gg2BTmZGxylRZjxFOkZ /t7joVbT2V3oalWHDDAN8pdWgf58JM4Y18DAG2Cbfq0Oj0uaUxgtCYXNDL4uXx/Fw26/ FECeSBw0hu49avpjX303iqmjgm2nnN+xkRFGfLOOYtcsK0ZoYvnWBamwtTxkCIQegHG2 K3Zg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-filter; bh=S9M1alb9uVliozl8bLTgpyAqeJ7VivwcVSxNbnWDzAs=; b=aSr4NLYIF1cX+uxJ7Ftny3mGyaH9UzRFKJ5o37BLtHYQkg+HXQ5j3ZTDkEKgQaapYi xMMP0SAwNyeZoG9VvVi/xQqgsRTC0L4GdeoCAjh9ir7yIpedtQ1FgRHuAeXKNqYqyu6M yOWnNL2A1PgKcaXYsSaB/MVC1Yl57vJLfgjDib5iRJsOUNcssqGY8ZLe1rcRtByy37sb g3i1ryEAATx+hCZR8ZYplYyY1977xIy5Wa2Mb+hEFsPZtZYyhSy1KAMjb/xuwQg0J3Z3 iWBRNL6qrhTwx4gumpAlh8VgX5AygwiwmYZAICqTRxeO38tPIFCGhdyv83KLvcLYrdZr mwPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=GO6GItu+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n15-20020a170902d2cf00b001ab23ced2d2si3513806plc.613.2023.05.17.17.41.50; Wed, 17 May 2023 17:42:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=GO6GItu+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229630AbjERATY (ORCPT + 99 others); Wed, 17 May 2023 20:19:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45752 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229568AbjERATW (ORCPT ); Wed, 17 May 2023 20:19:22 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 070EAE8; Wed, 17 May 2023 17:19:21 -0700 (PDT) Received: from W11-BEAU-MD.localdomain (unknown [76.135.27.212]) by linux.microsoft.com (Postfix) with ESMTPSA id 3B5A420F32C8; Wed, 17 May 2023 17:19:20 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 3B5A420F32C8 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1684369160; bh=S9M1alb9uVliozl8bLTgpyAqeJ7VivwcVSxNbnWDzAs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=GO6GItu+7HwEA3QvXmgxHBYe0idt/BW4ZpMAqoNVT5SGXc3SUAJNXSnu3BaT/oiDw pDL3gkCZakdBm0H1FtDO51gaZAuQuI1c7TghktL45OyC9cqESxZalztH+hPhrDw0S7 jTSL4AiN2LsFcjxS4c0Y4tb0gFo7/lOMe5PXtXMw= Date: Wed, 17 May 2023 17:19:16 -0700 From: Beau Belgrave To: Alexei Starovoitov Cc: Steven Rostedt , Masami Hiramatsu , LKML , linux-trace-kernel@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , bpf , David Vernet , Linus Torvalds , Dave Thaler , Christian Brauner , Christoph Hellwig Subject: Re: [PATCH] tracing/user_events: Run BPF program if attached Message-ID: <20230518001916.GB254@W11-BEAU-MD.localdomain> References: <20230508163751.841-1-beaub@linux.microsoft.com> <20230509130111.62d587f1@rorschach.local.home> <20230509163050.127d5123@rorschach.local.home> <20230515165707.hv65ekwp2djkjj5i@MacBook-Pro-8.local> <20230515192407.GA85@W11-BEAU-MD.localdomain> <20230517003628.aqqlvmzffj7fzzoj@MacBook-Pro-8.local> <20230516212658.2f5cc2c6@gandalf.local.home> <20230517165028.GA71@W11-BEAU-MD.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-19.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_MED, SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL, USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 17, 2023 at 05:10:47PM -0700, Alexei Starovoitov wrote: > On Wed, May 17, 2023 at 9:50 AM Beau Belgrave wrote: > > > > > > > > > > > Looks like user events were designed with intention to be unprivileged. > > > > When I looked at kernel/trace/trace_events_user.c I assumed root. > > > > I doubt other people reviewed it from security perspective. > > > > > > > > Recommending "chmod a+rw /sys/kernel/tracing/user_events_data" doesn't sound like a good idea. > > > > > > > > For example, I think the following is possible: > > > > fd = open("/sys/kernel/tracing/user_events_data") > > > > ioclt(fd, DIAG_IOCSDEL) > > > > user_events_ioctl_del > > > > delete_user_event(info->group, name); > > > > > > > > 'info' is different for every FD, but info->group is the same for all users/processes/fds, > > > > because only one global init_group is created. > > > > So one user can unregister other user event by knowing 'name'. > > > > A security hole, no? > > ... > > > Regarding deleting events, only users that are given access can delete > > events. They must know the event name, just like users with access to > > delete files must know a path (and have access to it). Since the > > write_index and other details are per-process, unless the user has > > access to either /sys/kernel/tracing/events/user_events/* or > > /sys/kernel/tracing/user_events_status, they do not know which names are > > being used. > > > > If that is not enough, we could require CAP_SYSADMIN to be able to > > delete events even when they have access to the file. Users can also > > apply SELinux policies per-file to achieve further isolation, if > > required. > > Whether /sys/kernel/tracing/user_events_status gets g+rw > or it gets a+rw (as your documentation recommends) > it is still a security issue. > The "event name" is trivial to find out by looking at the source code > of the target process or just "string target_binary". I guess, if they have access to the binary, etc. So they need both access to the binary and to the tracefs directory. We would not give them access like this in any normal setup other than a developer environment. > Restricting to cap_sysadmin is not the answer, since you want unpriv. We do not need unpriv to delete events, only to write and create events. We allow unregistering call-sites, which would still work unpriv with this requirement. > SElinux is not the answer either. > Since it's unpriv, different processes should not be able to mess with > user events of other processes. How is this different than uprobes if we give a user access to /sys/kernel/tracing/dynamic_events? Users can delete those as well. I don't see a difference here. In our production environments we are not giving out wide security to this file. > It's a fundamental requirement of any kernel api. > This has to be fixed before any bpf discussion. > If it means that you need to redesign user_events do it now and > excuses like "it's uapi now, so we cannot fix it" are not going to fly. Thanks, -Beau