| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 06 Oct 2015 14:45:21 +0200 From: Daniel Borkmann <daniel@...earbox.net> To: Alexei Starovoitov <ast@...mgrid.com>, "David S. Miller" <davem@...emloft.net> CC: Andy Lutomirski <luto@...capital.net>, Ingo Molnar <mingo@...nel.org>, Hannes Frederic Sowa <hannes@...essinduktion.org>, Eric Dumazet <edumazet@...gle.com>, Kees Cook <keescook@...omium.org>, linux-api@...r.kernel.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs On 10/06/2015 02:51 AM, Alexei Starovoitov wrote: > On 10/5/15 3:14 PM, Daniel Borkmann wrote: >> One scenario that comes to mind ... what happens when there are kernel >> pointers stored in skb->cb[] (either from the current layer or an old >> one from a different layer that the skb went through previously, but >> which did not get overwritten)? >> >> Socket filters could read a portion of skb->cb[] also when unprived and >> leak that out through maps. I think the verifier doesn't catch that, >> right? ... > Please keep poking. ;) I'm still wondering whether sysctl_bpf_enable_unprivileged is a good way to go with regards to controlling capabilties of bpf(2), hmm, but don't really have a good idea at the moment. So, the rationale of this is to give it some soaking time before flipping the switch that then defaults to on, and later on to still have a possibility for an admin to turn it off (if not silently overwritten by some system application later on ;)). I think only having a Kconfig doesn't really make sense as distros will blindly turn lots of stuff on anyway. A hidden Kconfig entry that is not exposed into menuconfig might allow for sorting everything out first, but with the issue of getting only little testing exposure. If I see this correctly, perf_event_open(2) has a number of paranoia levels with some helpers wrapped around it, f.e.: /* * perf event paranoia level: * -1 - not paranoid at all * 0 - disallow raw tracepoint access for unpriv * 1 - disallow cpu events for unpriv * 2 - disallow kernel profiling for unpriv */ int sysctl_perf_event_paranoid __read_mostly = 1; Should instead something similar be adapted on bpf(2) as well? Or, would that even be more painful for application developers shipping their stuff through distros in the end (where they might then decide to just setup everything BPF-related and then drop privs)? I'm also wondering with regards to seccomp, which could adapt to eBPF at some point and be used by unprivileged programs. Perhaps then, a single paranoia alike setting might not suit to all eBPF subsystem users. Any ideas? Thanks, Daniel -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists