Re: [PATCH bpf-next v2 0/3] bpf: add boot parameters for sysctl knobs
From: Eugene Syromiatnikov <hidden>
Date: 2018-05-25 16:49:22
Also in:
linux-doc, lkml
On Thu, May 24, 2018 at 04:34:51PM -0700, Alexei Starovoitov wrote:
On Thu, May 24, 2018 at 09:41:08AM +0200, Jesper Dangaard Brouer wrote:quoted
On Wed, 23 May 2018 15:02:45 -0700 Alexei Starovoitov [off-list ref] wrote:quoted
On Wed, May 23, 2018 at 02:18:19PM +0200, Eugene Syromiatnikov wrote:quoted
Some BPF sysctl knobs affect the loading of BPF programs, and during system boot/init stages these sysctls are not yet configured. A concrete example is systemd, that has implemented loading of BPF programs. Thus, to allow controlling these setting at early boot, this patch set adds the ability to change the default setting of these sysctl knobs as well as option to override them via a boot-time kernel parameter (in order to avoid rebuilding kernel each time a need of changing these defaults arises). The sysctl knobs in question are kernel.unprivileged_bpf_disable, net.core.bpf_jit_harden, and net.core.bpf_jit_kallsyms.- systemd is root. today it only uses cgroup-bpf progs which require root, so disabling unpriv during boot time makes no difference to systemd. what is the actual reason to present time?
systemd also runs a lot of code, some of which is unprivileged.
quoted
quoted
- say in the future systemd wants to use so_reuseport+bpf for faster networking. With unpriv disable during boot, it will force systemd to do such networking from root, which will lower its security barrier.
No, it will force systemd not to use SO_REUSEPORT BPF.
quoted
quoted
- bpf_jit_kallsyms sysctl has immediate effect on loaded programs. Flipping it during the boot or right after or any time after is the same thing. Why add such boot flag then?
Well, that one was for completeness.
quoted
quoted
- jit_harden can be turned on by systemd. so turning it during the boot will make systemd progs to be constant blinded. Constant blinding protects kernel from unprivileged JIT spraying. Are you worried that systemd will attack the kernel with JIT spraying?
I'm worried that systemd can be exploited for a JIT spraying attack. Another thing I'm concerned with is that the generated code is different, which introduces additional complication during debugging.
quoted
I think you are missing that, we want the ability to change these defaults in-order to avoid depending on /etc/sysctl.conf settings, and that the these sysctl.conf setting happen too late.What does it mean 'happens too late' ? Too late for what? sysctl.conf has plenty of system critical knobs like kernel.perf_event_paranoid, kernel.core_pattern, etc The behavior of the host is drastically different after sysctl config is applied.quoted
For example with jit_harden, there will be a difference between the loaded BPF program that got loaded at boot-time with systemd (no constant blinding) and when someone reloads that systemd service after /etc/sysctl.conf have been evaluated and setting bpf_jit_harden (now slower due to constant blinding). This is inconsistent behavior.net.core.bpf_jit_harden can be flipped back and forth at run-time, so bpf progs before and after will be either blinded or not. I don't see any inconsistency.
That can't be the reason to maintain that inconsistency.