Thread (33 messages) 33 messages, 4 authors, 2019-04-12

Re: [PATCH v3 bpf-next 00/21] bpf: Sysctl hook

From: Kees Cook <hidden>
Date: 2019-04-09 16:51:11
Also in: linux-fsdevel, linux-security-module, lkml

On Sat, Apr 6, 2019 at 10:03 AM Alexei Starovoitov
[off-list ref] wrote:
On Sat, Apr 06, 2019 at 09:43:50AM -0700, Kees Cook wrote:
quoted
On Fri, Apr 5, 2019 at 12:36 PM Andrey Ignatov [off-list ref] wrote:
quoted
BPF_CGROUP_SYSCTL hook is placed before calling to sysctl's proc_handler so
that accesses (read/write) to sysctl can be controlled for specific cgroup
and either allowed or denied, or traced.
This sounds more like an LSM than BPF.
not at all. the key difference is being cgroup scoped.
essentially for different containers.
Okay, works for me. I was looking at it from the perspective of
something providing resource access control policy, which usually
falls into the LSM world.
bpf prog is attached to this hook in a particular cgroup
and executed for sysctls for tasks that belong to that cgroup.
So it's root limiting root-in-a-container? Nice to have some
boundaries there, for sure.
quoted
Can the BPF be removed (or rather,
what's the lifetime of such BPF?)
same as all other cgroup-bpf hooks.
Do you have a specific concern or just asking how life time of programs
is managed?
High level description of lifetime is here:
https://facebookmicrosites.github.io/bpf/blog/2018/08/31/object-lifetime.html
I'm mostly curious about the access control stacking. i.e. can
in-container root add new eBPF to its own cgroup, and if so, can it
undo the restrictions already present? (I assume it can't, but figured
I'd ask...)

-- 
Kees Cook
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help