[RFC v1 07/14] krsi: Check for premissions on eBPF attachment

[RFC v1 00/14] Kernel Runtime Security Instrumentation · KP Singh <hidden> · 2019-09-10
[RFC v1 01/14] krsi: Add a skeleton and config options for the KRSI LSM · KP Singh <hidden> · 2019-09-10
[RFC v1 02/14] krsi: Introduce types for KRSI eBPF · KP Singh <hidden> · 2019-09-10
[RFC v1 05/14] krsi: Initialize KRSI hooks and create files in securityfs · KP Singh <hidden> · 2019-09-10
Re: [RFC v1 05/14] krsi: Initialize KRSI hooks and create files in securityfs · Yonghong Song <hidden> · 2019-09-14
[RFC v1 07/14] krsi: Check for premissions on eBPF attachment · KP Singh <hidden> · 2019-09-10
[RFC v1 09/14] krsi: Add a helper function for bpf_perf_event_output · KP Singh <hidden> · 2019-09-10
Re: [RFC v1 09/14] krsi: Add a helper function for bpf_perf_event_output · Yonghong Song <hidden> · 2019-09-14
[RFC v1 10/14] krsi: Handle attachment of the same program · KP Singh <hidden> · 2019-09-10
[RFC v1 11/14] krsi: Pin argument pages in bprm_check_security hook · KP Singh <hidden> · 2019-09-10
[RFC v1 14/14] krsi: Pin arg pages only when needed · KP Singh <hidden> · 2019-09-10
Re: [RFC v1 14/14] krsi: Pin arg pages only when needed · Yonghong Song <hidden> · 2019-09-15
Re: [RFC v1 14/14] krsi: Pin arg pages only when needed · KP Singh <hidden> · 2019-09-15
Re: [RFC v1 14/14] krsi: Pin arg pages only when needed · Yonghong Song <hidden> · 2019-09-15
[RFC v1 13/14] krsi: Provide an example to read and log environment variables · KP Singh <hidden> · 2019-09-10
Re: [RFC v1 13/14] krsi: Provide an example to read and log environment variables · Yonghong Song <hidden> · 2019-09-15
[RFC v1 12/14] krsi: Add an eBPF helper function to get the value of an env variable · KP Singh <hidden> · 2019-09-10
Re: [RFC v1 12/14] krsi: Add an eBPF helper function to get the value of an env variable · Yonghong Song <hidden> · 2019-09-15
Re: [RFC v1 12/14] krsi: Add an eBPF helper function to get the value of an env variable · KP Singh <hidden> · 2019-09-16
Re: [RFC v1 12/14] krsi: Add an eBPF helper function to get the value of an env variable · Yonghong Song <hidden> · 2019-09-17
Re: [RFC v1 12/14] krsi: Add an eBPF helper function to get the value of an env variable · KP Singh <hidden> · 2019-09-17
[RFC v1 06/14] krsi: Implement eBPF operations, attachment and execution · KP Singh <hidden> · 2019-09-10
Re: [RFC v1 06/14] krsi: Implement eBPF operations, attachment and execution · Yonghong Song <hidden> · 2019-09-14
Re: Re: [RFC v1 06/14] krsi: Implement eBPF operations, attachment and execution · Yonghong Song <hidden> · 2019-09-15
[RFC v1 08/14] krsi: Show attached program names in hook read handler. · KP Singh <hidden> · 2019-09-10
[RFC v1 04/14] krsi: Add support in libbpf for BPF_PROG_TYPE_KRSI · KP Singh <hidden> · 2019-09-10
Re: [RFC v1 04/14] krsi: Add support in libbpf for BPF_PROG_TYPE_KRSI · Yonghong Song <hidden> · 2019-09-14
[RFC v1 03/14] bpf: krsi: sync BPF UAPI header with tools · KP Singh <hidden> · 2019-09-10

From: KP Singh <hidden>
Date: 2019-09-10 11:56:40
Also in: bpf, lkml
Subsystem: security subsystem, the rest · Maintainers: Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

From: KP Singh <redacted>

Add validation checks for the attachment of eBPF programs.

The following permissions are required:

- CAP_SYS_ADMIN to load eBPF programs
- CAP_MAC_ADMIN (to update the policy of an LSM)
- The securityfs file being a KRSI hook and writable (O_RDWR)

Signed-off-by: KP Singh <redacted>
---
 security/krsi/ops.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/security/krsi/ops.c b/security/krsi/ops.c
index cf4d06189aa1..a61508b7018f 100644
--- a/security/krsi/ops.c
+++ b/security/krsi/ops.c

@@ -23,11 +23,31 @@ static struct krsi_hook *get_hook_from_fd(int fd)
 		goto error;
 	}
 
+	/*
+	 * Only CAP_MAC_ADMIN users are allowed to make
+	 * changes to LSM hooks
+	 */
+	if (!capable(CAP_MAC_ADMIN)) {
+		ret = -EPERM;
+		goto error;
+	}
+
 	if (!is_krsi_hook_file(f.file)) {
 		ret = -EINVAL;
 		goto error;
 	}
 
+	/*
+	 * It's wrong to attach the program to the hook
+	 * if the file is not opened for a write. Note that,
+	 * this is an EBADF and not an EPERM because the file
+	 * has been opened with an incorrect mode.
+	 */
+	if (!(f.file->f_mode & FMODE_WRITE)) {
+		ret = -EBADF;
+		goto error;
+	}
+
 	/*
 	 * The securityfs dentry never disappears, so we don't need to take a
 	 * reference to it.

-- 
2.20.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help