Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map

[PATCH 0/3] Security: add lsm hooks for checking permissions on eBPF objects · Chenbo Feng <hidden> · 2017-08-31
[PATCH 1/3] security: bpf: Add eBPF LSM hooks to security module · Chenbo Feng <hidden> · 2017-08-31
Re: [PATCH 1/3] security: bpf: Add eBPF LSM hooks to security module · Stephen Smalley <hidden> · 2017-09-01
Re: [PATCH 1/3] security: bpf: Add eBPF LSM hooks to security module · Chenbo Feng <hidden> · 2017-09-05
Re: [PATCH 1/3] security: bpf: Add eBPF LSM hooks to security module · Stephen Smalley <hidden> · 2017-09-07
[PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map · Chenbo Feng <hidden> · 2017-08-31
Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map · Mimi Zohar <hidden> · 2017-08-31
Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map · Chenbo Feng <hidden> · 2017-08-31
Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map · Daniel Borkmann <daniel@iogearbox.net> · 2017-08-31
Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map · Chenbo Feng <hidden> · 2017-09-01
Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map · Alexei Starovoitov <hidden> · 2017-09-01
Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map · Jeffrey Vander Stoep <hidden> · 2017-09-01
Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map · Chenbo Feng <hidden> · 2017-09-05
Re: [PATCH 2/3] security: bpf: Add eBPF LSM hooks and security field to eBPF map · Alexei Starovoitov <hidden> · 2017-09-06
[PATCH 3/3] selinux: bpf: Implement the selinux checks for eBPF object · Chenbo Feng <hidden> · 2017-08-31

From: Alexei Starovoitov <hidden>
Date: 2017-09-01 02:05:25
Also in: linux-security-module, selinux

On Thu, Aug 31, 2017 at 01:56:34PM -0700, Chenbo Feng wrote:

From: Chenbo Feng <redacted>

Introduce a pointer into struct bpf_map to hold the security information
about the map. The actual security struct varies based on the security
models implemented. Place the LSM hooks before each of the unrestricted
eBPF operations, the map_update_elem and map_delete_elem operations are
checked by security_map_modify. The map_lookup_elem and map_get_next_key
operations are checked by securtiy_map_read.

Signed-off-by: Chenbo Feng <redacted>

...

quoted hunk ↗ jump to hunk

@@ -410,6 +418,10 @@ static int map_lookup_elem(union bpf_attr *attr)
 	if (IS_ERR(map))
 		return PTR_ERR(map);
 
+	err = security_map_read(map);
+	if (err)
+		return -EACCES;
+
 	key = memdup_user(ukey, map->key_size);
 	if (IS_ERR(key)) {
 		err = PTR_ERR(key);
@@ -490,6 +502,10 @@ static int map_update_elem(union bpf_attr *attr)
 	if (IS_ERR(map))
 		return PTR_ERR(map);
 
+	err = security_map_modify(map);

I don't feel these extra hooks are really thought through.
With such hook you'll disallow map_update for given map. That's it.
The key/values etc won't be used in such security decision.
In such case you don't need such hooks in update/lookup at all.
Only in map_creation and object_get calls where FD can be received.
In other words I suggest to follow standard unix practices:
Do permissions checks in open() and allow read/write() if FD is valid.
Same here. Do permission checks in prog_load/map_create/obj_pin/get
and that will be enough to jail bpf subsystem.
bpf cmds that need to be fast (like lookup and update) should not
have security hooks.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help