Message ID | 20171012014641.96818-1-chenbofeng.kernel@gmail.com |
---|---|
Headers | show
Return-Path: <netdev-owner@vger.kernel.org> X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=<UNKNOWN>) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="eaGk7zU5"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3yCDJ9071bz9sBd for <patchwork-incoming@ozlabs.org>; Thu, 12 Oct 2017 12:47:53 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755258AbdJLBrv (ORCPT <rfc822;patchwork-incoming@ozlabs.org>); Wed, 11 Oct 2017 21:47:51 -0400 Received: from mail-pf0-f194.google.com ([209.85.192.194]:51011 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752840AbdJLBrJ (ORCPT <rfc822;netdev@vger.kernel.org>); Wed, 11 Oct 2017 21:47:09 -0400 Received: by mail-pf0-f194.google.com with SMTP id m63so2795406pfk.7 for <netdev@vger.kernel.org>; Wed, 11 Oct 2017 18:47:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=cqLcNcqPRPmQBdC2oVoo46aFsqH+1S3o19v0dnq/UcY=; b=eaGk7zU5GEAkWmYZy65fY+rL6D24f372+h/vvEk9PaaQ34F5BmWcaFTKO5WaW01/D9 HLaisqEoqvtc6wMN2BYgHwD9hXFMF9JJJEtqlhNpYe6nS8U3tUimv+w0EAwRGz30H6CI jB6KUQCw7hXgIZQjovyQqTyaHt1DyI0uFMep1MVrmns/WIfpxJ0SJBwtkptJNbT1O39S 6x6SrSdeHmf6eDH2E8/Ikb3ApX2r2MdblGF0AZK0C4Q/xB4wzkV0kxdYr9nm3oDduYmE nLg3Odcxarjiid/TaP6c9ufWYtMUYZgElhkwedsjv3AxY4Wkod4+JhxsP3wnJ0p2fK8W Da6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=cqLcNcqPRPmQBdC2oVoo46aFsqH+1S3o19v0dnq/UcY=; b=mDgVGJioXg4W+7jlF3DZNhVY24nX7U0fFq33L8aXllX5e6rSU+GXzYqJj9AD7ojiyi 3oTa/v8Aw0v9duvPvKNG6cPHK5Kr1MoBmPV8XZdX+oZxksyo7fB5UHsNWDfjtXEKlywH RD2xvO4H622/yNee1MhIfdFe8+VSiipuqCg/4taItWMgL+z5KDR0nhnL4nQULwTRL5oV a0MBEpkbRg0MbfMI93jiBQyfAqFnc49XQ+Vwe3ytI579cNdw+PQPGVryz8fW81wBwEQb 1sQovC3nL38saY6fB6K3T/jHUVqcy5M/2hsQc7ESEYwh1BI7z2M+g5CMhjJHXuUyFodt AyCA== X-Gm-Message-State: AMCzsaVJ8yn509gaQ+A3zRHs+OM0tvzL1BVs+VPBQ2nYgdzc/ZsBd8Yw Eyc43eveaCuGILxezHNkPAzI5yHS X-Google-Smtp-Source: AOwi7QBxaNV+j5eigDvWWHOyVlBWFZ4em6Dd7vNncuC6T0Gy+aPmxNxD5WxzPxu8WYLgtnXdowZE2w== X-Received: by 10.98.72.83 with SMTP id v80mr835315pfa.54.1507772828364; Wed, 11 Oct 2017 18:47:08 -0700 (PDT) Received: from fengc.mtv.corp.google.com ([100.98.121.64]) by smtp.gmail.com with ESMTPSA id b27sm22733720pfc.110.2017.10.11.18.47.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 11 Oct 2017 18:47:07 -0700 (PDT) From: Chenbo Feng <chenbofeng.kernel@gmail.com> To: netdev@vger.kernel.org Cc: Jeffrey Vander Stoep <jeffv@google.com>, Alexei Starovoitov <alexei.starovoitov@gmail.com>, lorenzo@google.com, Daniel Borkmann <daniel@iogearbox.net>, Stephen Smalley <sds@tycho.nsa.gov>, viro@zeniv.linux.org.uk, James Morris <james.l.morris@oracle.com>, Paul Moore <paul@paul-moore.com>, Chenbo Feng <fengc@google.com> Subject: [PATCH net-next v4 0/5] bpf: security: New file mode and LSM hooks for eBPF object permission control Date: Wed, 11 Oct 2017 18:46:36 -0700 Message-Id: <20171012014641.96818-1-chenbofeng.kernel@gmail.com> X-Mailer: git-send-email 2.15.0.rc0.271.g36b669edcc-goog Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: <netdev.vger.kernel.org> X-Mailing-List: netdev@vger.kernel.org |
Series |
bpf: security: New file mode and LSM hooks for eBPF object permission control
|
expand
|
From: Chenbo Feng <fengc@google.com> Much like files and sockets, eBPF objects are accessed, controlled, and shared via a file descriptor (FD). Unlike files and sockets, the existing mechanism for eBPF object access control is very limited. Currently there are two options for granting accessing to eBPF operations: grant access to all processes, or only CAP_SYS_ADMIN processes. The CAP_SYS_ADMIN-only mode is not ideal because most users do not have this capability and granting a user CAP_SYS_ADMIN grants too many other security-sensitive permissions. It also unnecessarily allows all CAP_SYS_ADMIN processes access to eBPF functionality. Allowing all processes to access to eBPF objects is also undesirable since it has potential to allow unprivileged processes to consume kernel memory, and opens up attack surface to the kernel. Adding LSM hooks maintains the status quo for systems which do not use an LSM, preserving compatibility with userspace, while allowing security modules to choose how best to handle permissions on eBPF objects. Here is a possible use case for the lsm hooks with selinux module: The network-control daemon (netd) creates and loads an eBPF object for network packet filtering and analysis. It passes the object FD to an unprivileged network monitor app (netmonitor), which is not allowed to create, modify or load eBPF objects, but is allowed to read the traffic stats from the map. Selinux could use these hooks to grant the following permissions: allow netd self:bpf_map { create read write}; allow netmonitor netd:fd use; allow netmonitor netd:bpf_map read; In this patch series, A file mode is added to bpf map to store the accessing mode. With this file mode flags, the map can be obtained read only, write only or read and write. With the help of this file mode, several security hooks can be added to the eBPF syscall implementations to do permissions checks. These LSM hooks are mainly focused on checking the process privileges before it obtains the fd for a specific bpf object. No matter from a file location or from a eBPF id. Besides that, a general check hook is also implemented at the start of bpf syscalls so that each security module can have their own implementation on the reset of bpf object related functionalities. In order to store the ownership and security information about eBPF maps, a security field pointer is added to the struct bpf_map. And the last two patch set are implementation of selinux check on these hooks introduced, plus an additional check when eBPF object is passed between processes using unix socket as well as binder IPC. Change since V1: - Whitelist the new bpf flags in the map allocate check. - Added bpf selftest for the new flags. - Added two new security hooks for copying the security information from the bpf object security struct to file security struct - Simplified the checking action when bpf fd is passed between processes. Change since V2: - Fixed the line break problem for map flags check - Fixed the typo in selinux check of file mode. - Merge bpf_map and bpf_prog into one selinux class - Added bpf_type and bpf_sid into file security struct to store the security information when generate fd. - Add the hook to bpf_map_new_fd and bpf_prog_new_fd. Change since V3: - Return the actual error from security check instead of -EPERM - Move the hooks into anon_inode_getfd() to avoid get file again after bpf object file is installed with fd. - Removed the bpf_sid field inside file_scerity_struct to reduce the cache size. Chenbo Feng (5): bpf: Add file mode configuration into bpf maps bpf: Add tests for eBPF file mode security: bpf: Add LSM hooks for bpf object related syscall selinux: bpf: Add selinux check for eBPF syscall operations selinux: bpf: Add addtional check for bpf object file receive fs/anon_inodes.c | 7 ++ include/linux/bpf.h | 12 ++- include/linux/lsm_hooks.h | 71 +++++++++++++ include/linux/security.h | 53 ++++++++++ include/uapi/linux/bpf.h | 6 ++ kernel/bpf/arraymap.c | 6 +- kernel/bpf/devmap.c | 5 +- kernel/bpf/hashtab.c | 5 +- kernel/bpf/inode.c | 15 ++- kernel/bpf/lpm_trie.c | 3 +- kernel/bpf/sockmap.c | 5 +- kernel/bpf/stackmap.c | 5 +- kernel/bpf/syscall.c | 108 +++++++++++++++++-- security/security.c | 40 +++++++ security/selinux/hooks.c | 182 ++++++++++++++++++++++++++++++++ security/selinux/include/classmap.h | 2 + security/selinux/include/objsec.h | 12 +++ tools/testing/selftests/bpf/test_maps.c | 48 +++++++++ 18 files changed, 561 insertions(+), 24 deletions(-)