Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp233657rwd;
        Wed, 17 May 2023 17:47:10 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ7yQigWiD92oo/RJuAynra2T0bcj2QAqOSMZGH3M9tFeXTzqwGXIoq26aARvmpuijB2H9Sg
X-Received: by 2002:a17:902:d4c2:b0:1ac:6d4c:c24b with SMTP id o2-20020a170902d4c200b001ac6d4cc24bmr850895plg.3.1684370830181;
        Wed, 17 May 2023 17:47:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684370830; cv=none;
        d=google.com; s=arc-20160816;
        b=Has8/V7ffMmqhBTiZNT+SME9giNomJs+wPidN0vZzNlRtkR5bjECw6hL9cpjjWH875
         nN3dONF7ChQwh0n1bvQ10aCCfLwHSlQ8sKoVFPINkbbcq2YyMydXwepc7r2s9mmmCU6D
         4Bl/t1HkXO+sz5biYrRwMFZJ0jYIeZB8AfZWEYLl57Iz86Q9eAxoatPZvCBLZITMpwvi
         6PJocrAjUl6+52QNAntpD0LCjw8dPoTqHmrAMhGVs1Se2VSwD6QiX40NHrcOd5IFdW4o
         7NAekmCDbbhR9aCkC1zkrM3axFibHUb6LFgEe5LNEADYbuo3Xn/rdXXE7f6Ofh1YKU41
         deaQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=6K4d5YK+mpRfL2+wKbjuMm+AaFZH6AIR6I+UPmGqU/Y=;
        b=kNHZMYcev0z2vjxGTQgwnC75GShn3ZxiVCKoxwRWF+jygQn6F7VsxRMDELeE1wFuDF
         W8x4bBWRg1flnijEn4tUUjuPYepKaOKvdvhHAMWoVAYnFyxZhO1HjbeUCosb8QONPW66
         EqheyTXAwwF8XdAoYweOV/FDrujLz7c94hFBqa3jbCO8+NiXznfkIuRSObFhntIDSubL
         x9IjBMOa5+qUcB7+cXymsbfRKeSgmoc9dZ4L+Xqkql0/kljYLr1SH1OFf6aMtuO1rxbm
         LkXt9lus4e941f21rZWAH423LRr7YqgGxjeRO2F4Y+I7RFy2G967N6pBf54NyB6LVxWI
         du5A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20221208 header.b=q4FcSYo0;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id j11-20020a170902da8b00b001a69f1cea63si9405plx.223.2023.05.17.17.46.55;
        Wed, 17 May 2023 17:47:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20221208 header.b=q4FcSYo0;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229683AbjERALp (ORCPT <rfc822;41i3n8@gmail.com> + 99 others);
        Wed, 17 May 2023 20:11:45 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42078 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229701AbjERALn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 17 May 2023 20:11:43 -0400
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BF1064ED9;
        Wed, 17 May 2023 17:11:13 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id 38308e7fff4ca-2ac831bb762so14973551fa.3;
        Wed, 17 May 2023 17:11:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20221208; t=1684368659; x=1686960659;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=6K4d5YK+mpRfL2+wKbjuMm+AaFZH6AIR6I+UPmGqU/Y=;
        b=q4FcSYo0ZVvY8woxbEUXMbEneDH5IZ7xRida17Z0dgBFWqQKcvWinPASeeQ7nhKl1x
         gQhTr+a6CuwSaboe37hkoCHHZLqUGuohxaDUuk2yXaJ23HWZB2W+x8+fz3p+si/D3fkL
         3KlplqqvFx6qAW0kVj87EweMSU6TGVZgRpD7vpG6WlO5a+BOfNseXCWn1kFl3Tg9aRoT
         DyBHQ4Kh7LnF+rEtPhz1jAVCIm9qk8fti4eTFI7JXai8a22AZWtR59DCY8D8jxOatv08
         ngifggnQ0c2xw7X9TwD4H6UNfY1iRNXFQym8hZmwz2sHFM2xAYyuZlHyRi+c9cLdfNoT
         0wsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1684368659; x=1686960659;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=6K4d5YK+mpRfL2+wKbjuMm+AaFZH6AIR6I+UPmGqU/Y=;
        b=D7ThptEyZxAWhM6jDGppzLh1O8j1XWyhqqTgroq6DL0Q/SeyMQxqSuwrF0W/N6N3Q8
         Zj6CvSthYy9Prl0YjW9t/vn4cNQIYe3gBVExYxmSaP/VtZLEscGaTsKiSainAl7opsoN
         fYeMVzOX67LKsuObNtf8EPMGvRIusjC92LzzEeKKdQzPU3BRjKDXKaLxDYwfAT98/hW4
         8zOijgoWzS84J4uyX0thXMfQ2ADQHydJfwcOweIagA42S99UQ0bbXM7aVUWKYBl+nXgv
         /If5u6ghtdPf5AQOVy2N0cnwVRVUc/5SoKV9ehyHLw8+RVNKueBdUaxAyvx/Y+ELnOsT
         TN3A==
X-Gm-Message-State: AC+VfDz13fzDEK4zAwp8Qdqpt5CtbDkULGxEoLHv/Z5SV/pD9ZH8aXL7
        M70JchlTF0URhZ7+0jJJ/5olqoQJsbI1a3E3rio=
X-Received: by 2002:a05:651c:208:b0:2ae:f2ab:c632 with SMTP id
 y8-20020a05651c020800b002aef2abc632mr3312954ljn.7.1684368658470; Wed, 17 May
 2023 17:10:58 -0700 (PDT)
MIME-Version: 1.0
References: <20230508163751.841-1-beaub@linux.microsoft.com>
 <CAADnVQLYL-ZaP_2vViaktw0G4UKkmpOK2q4ZXBa+f=M7cC25Rg@mail.gmail.com>
 <20230509130111.62d587f1@rorschach.local.home> <20230509163050.127d5123@rorschach.local.home>
 <20230515165707.hv65ekwp2djkjj5i@MacBook-Pro-8.local> <20230515192407.GA85@W11-BEAU-MD.localdomain>
 <20230517003628.aqqlvmzffj7fzzoj@MacBook-Pro-8.local> <20230516212658.2f5cc2c6@gandalf.local.home>
 <20230517165028.GA71@W11-BEAU-MD.localdomain>
In-Reply-To: <20230517165028.GA71@W11-BEAU-MD.localdomain>
From:   Alexei Starovoitov <alexei.starovoitov@gmail.com>
Date:   Wed, 17 May 2023 17:10:47 -0700
Message-ID: <CAADnVQK3-NBLSVRVsgArUEjqsuY2S_8mWsWmLEAtTzo+U49CKQ@mail.gmail.com>
Subject: Re: [PATCH] tracing/user_events: Run BPF program if attached
To:     Beau Belgrave <beaub@linux.microsoft.com>
Cc:     Steven Rostedt <rostedt@goodmis.org>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        linux-trace-kernel@vger.kernel.org,
        Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Andrii Nakryiko <andrii@kernel.org>, bpf <bpf@vger.kernel.org>,
        David Vernet <void@manifault.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Dave Thaler <dthaler@microsoft.com>,
        Christian Brauner <brauner@kernel.org>,
        Christoph Hellwig <hch@infradead.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
        RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 17, 2023 at 9:50=E2=80=AFAM Beau Belgrave <beaub@linux.microsof=
t.com> wrote:
> >
> > >
> > > Looks like user events were designed with intention to be unprivilege=
d.
> > > When I looked at kernel/trace/trace_events_user.c I assumed root.
> > > I doubt other people reviewed it from security perspective.
> > >
> > > Recommending "chmod a+rw /sys/kernel/tracing/user_events_data" doesn'=
t sound like a good idea.
> > >
> > > For example, I think the following is possible:
> > > fd =3D open("/sys/kernel/tracing/user_events_data")
> > > ioclt(fd, DIAG_IOCSDEL)
> > >   user_events_ioctl_del
> > >      delete_user_event(info->group, name);
> > >
> > > 'info' is different for every FD, but info->group is the same for all=
 users/processes/fds,
> > > because only one global init_group is created.
> > > So one user can unregister other user event by knowing 'name'.
> > > A security hole, no?

...

> Regarding deleting events, only users that are given access can delete
> events. They must know the event name, just like users with access to
> delete files must know a path (and have access to it). Since the
> write_index and other details are per-process, unless the user has
> access to either /sys/kernel/tracing/events/user_events/* or
> /sys/kernel/tracing/user_events_status, they do not know which names are
> being used.
>
> If that is not enough, we could require CAP_SYSADMIN to be able to
> delete events even when they have access to the file. Users can also
> apply SELinux policies per-file to achieve further isolation, if
> required.

Whether /sys/kernel/tracing/user_events_status gets g+rw
or it gets a+rw (as your documentation recommends)
it is still a security issue.
The "event name" is trivial to find out by looking at the source code
of the target process or just "string target_binary".
Restricting to cap_sysadmin is not the answer, since you want unpriv.
SElinux is not the answer either.
Since it's unpriv, different processes should not be able to mess with
user events of other processes.
It's a fundamental requirement of any kernel api.
This has to be fixed before any bpf discussion.
If it means that you need to redesign user_events do it now and
excuses like "it's uapi now, so we cannot fix it" are not going to fly.