Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution

[PATCH bpf-next v5 0/8] MAC and Audit policy using eBPF (KRSI) · KP Singh <hidden> · 2020-03-23
[PATCH bpf-next v5 1/7] bpf: Introduce BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 1/7] bpf: Introduce BPF_PROG_TYPE_LSM · Yonghong Song <hidden> · 2020-03-23
[PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 2/7] security: Refactor declaration of LSM hooks · KP Singh <hidden> · 2020-03-24
[PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · Yonghong Song <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 6/7] tools/libbpf: Add support for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-24
[PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · Yonghong Song <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · Andrii Nakryiko <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 7/7] bpf: lsm: Add selftests for BPF_PROG_TYPE_LSM · KP Singh <hidden> · 2020-03-25
[PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-23
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-25
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 5/7] bpf: lsm: Initialize the BPF LSM hooks · Kees Cook <hidden> · 2020-03-24
[PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Yonghong Song <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Casey Schaufler <casey@schaufler-ca.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Kees Cook <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Kees Cook <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution · Kees Cook <hidden> · 2020-03-24
[PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · KP Singh <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · Yonghong Song <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · Kees Cook <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · Andrii Nakryiko <hidden> · 2020-03-23
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · KP Singh <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · Andrii Nakryiko <hidden> · 2020-03-24
Re: [PATCH bpf-next v5 3/7] bpf: lsm: provide attachment points for BPF LSM programs · KP Singh <hidden> · 2020-03-24

From: Kees Cook <hidden>
Date: 2020-03-24 18:34:58
Also in: bpf, lkml

On Tue, Mar 24, 2020 at 07:31:30PM +0100, KP Singh wrote:

On 24-Mär 19:27, KP Singh wrote:

quoted

We do not have a specific capable check for BPF_PROG_TYPE_LSM programs
now. There is a general check which requires CAP_SYS_ADMIN when
unprivileged BPF is disabled:

in kernel/bpf/sycall.c:

        if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
	        return -EPERM;

AFAIK, Most distros disable unprivileged eBPF.

Now that I look at this, I think we might need a CAP_MAC_ADMIN check
though as unprivileged BPF being enabled will result in an
unprivileged user being able to load MAC policies.

Actually we do have an extra check for loading BPF programs:


in kernel/bpf/syscall.c:bpf_prog_load

	if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
	    type != BPF_PROG_TYPE_CGROUP_SKB &&
	    !capable(CAP_SYS_ADMIN))
		return -EPERM;

Do you think we still need a CAP_MAC_ADMIN check for LSM programs?

IMO, these are distinct privileges on the non-SELinux system. I think
your patch is fine as-is.

-- 
Kees Cook

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help