On Thu, 2022-09-29 at 08:27 -0700, Casey Schaufler wrote:

On 9/29/2022 12:54 AM, Roberto Sassu wrote:

quoted

On Wed, 2022-09-28 at 20:24 -0400, Paul Moore wrote:

quoted

On Wed, Sep 28, 2022 at 7:24 AM Roberto Sassu
[off-list ref] wrote

quoted

On Wed, 2022-09-28 at 12:33 +0200, Toke Høiland-Jørgensen
wrote:

quoted

Roberto Sassu [off-list ref] writes:

quoted

On Wed, 2022-09-28 at 09:52 +0100, Lorenz Bauer wrote:

quoted

On Mon, 26 Sep 2022, at 17:18, Roberto Sassu wrote:

quoted

Uhm, if I get what you mean, you would like to add DAC
controls
to
the
pinned map to decide if you can get a fd and with which
modes.

The problem I see is that a map exists regardless of
the
pinned
path
(just by ID).

Can you spell this out for me? I imagine you're talking
about
MAP_GET_FD_BY_ID, but that is CAP_SYS_ADMIN only, right?
Not
great
maybe, but no gaping hole IMO.

+linux-security-module ML (they could be interested in this
topic
as
well)

Good to know! I didn't realize it before.

I figured out better what you mean by escalating
privileges.

Pin a read-only fd, get a read-write fd from the pinned
path.

What you want to do is, if I pin a read-only fd, I should
get
read-
only
fds too, right?

I think here there could be different views. From my
perspective,
pinning is just creating a new link to an existing object.
Accessing
the link does not imply being able to access the object
itself
(the
same happens for files).

I understand what you want to achieve. If I have to choose
a
solution,
that would be doing something similar to files, i.e. add
owner
and
mode
information to the bpf_map structure (m_uid, m_gid,
m_mode). We
could
add the MAP_CHMOD and MAP_CHOWN operations to the bpf()
system
call
to
modify the new fields.

When you pin the map, the inode will get the owner and mode
from
bpf_map. bpf_obj_get() will then do DAC-style verification
similar
to
MAC-style verification (with security_bpf_map()).

As someone pointed out during the discussing at LPC, this
will
effectively allow a user to create files owned by someone
else,
which
is
probably not a good idea either from a security PoV. (I.e.,
user
A
pins
map owned by user B, so A creates a file owned by B).

Uhm, I see what you mean. Right, it is not a good idea, the
owner
of
the file should the one that pinned the map.

Other than that, DAC verification on the map would be still
correct, as
it would be independent from the DAC verification of the file.

I only became aware of this when the LSM list was CC'd so I'm a
little
behind on what is going on here ... looking quickly through the
mailing list archive it looks like there is an issue with BPF map
permissions not matching well with their associated fd
permissions,
yes?  From a LSM perspective, there are a couple of hooks that
currently use the fd's permissions (read/write) to determine the
appropriate access control check.
From what I understood, access control on maps is done in two
steps.

First, whenever someone attempts to get a fd to a map
security_bpf_map() is called. LSM implementations could check
access if
the current process has the right to access the map (whose label
can be
assigned at map creation time with security_bpf_map_alloc()).

Second, whenever the holder of the obtained fd wants to do an
operation
on the map (lookup, update, delete, ...), eBPF checks if the fd
modes
are compatible with the operation to perform (e.g. lookup requires
FMODE_CAN_READ).

One problem is that the second part is missing for some operations
dealing with the map fd:

Map iterators:
https://lore.kernel.org/bpf/20220906170301.256206-1-roberto.sassu@huaweicloud.com/ (local)

Map fd directly used by eBPF programs without system call:
https://lore.kernel.org/bpf/20220926154430.1552800-1-roberto.sassu@huaweicloud.com/ (local)

Another problem is that there is no DAC, only MAC (work in
progress). I
don't know exactly the status of enabling unprivileged eBPF.

Apart from this, now the discussion is focusing on the following
problem. A map (kernel object) can be referenced in two ways: by ID
or
by path. By ID requires CAP_ADMIN, so we can consider by path for
now.

Given a map fd, the holder of that fd can create a new reference
(pinning) to the map in the bpf filesystem (a new file whose
private
data contains the address of the kernel object).

Pinning a map does not have a corresponding permission. Any fd mode
is
sufficient to do the operation. Furthermore, subsequent requests to
obtain a map fd by path could result in receiving a read-write fd,
while at the time of pinning the fd was read-only.

While this does not seem to me a concern from MAC perspective, as
attempts to get a map fd still have to pass through
security_bpf_map(),
in general this should be fixed without relying on LSMs.

quoted

Is the plan to ensure that the map and fd permissions are correct
at
the core BPF level, or do we need to do some additional checks in
the
LSMs (currently only SELinux)?

Should we add a new map_pin permission in SELinux?

Should we have DAC to restrict pinnning without LSMs?

As you've hinted above, DAC hasn't been an issue because there isn't
unprivileged eBPF. Even with privileged eBPF I expect that there are
going to be cases where not having DAC controls will surprise
someone.
The less BPF looks like low level kernel internals and the more it
looks
like general userspace code, the more likely this is to be an issue.

Or ...

If you are treating maps as kernel internal data structures you don't
need DAC. If you are treating them as user accessible named objects
you
do need DAC. Security modules that implement MAC may chose to control
kernel internal data access (e.g. SElinux) in addition to named
objects,
so you may want to accommodate that as well. If you do decide that
maps
are named objects Smack (and possibly AppArmor) needs significant
work.
Probably audit and IMA, too.

To me a map seems more than just a kernel object. User space gets a
reference to it through a fd, similarly to files. It seems a named
object because a map can be accessed by user space through a path
(pinned map) or by ID (user space can provide the ID to get a map fd
through a system call).

I'm more familiar with SELinux and Smack. But following what has been
done for SELinux, doing the same for Smack seems straightforward (even
easier, as you have more simple permissions).

Roberto