lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 6 Apr 2019 09:43:50 -0700
From:   Kees Cook <>
To:     Andrey Ignatov <>
Cc:     Network Development <>,
        Alexei Starovoitov <>,
        Daniel Borkmann <>,
        Roman Gushchin <>, kernel-team <>,
        Luis Chamberlain <>,
        Alexey Dobriyan <>,
        LKML <>,
        "" <>,
        linux-security-module <>,
        Jann Horn <>
Subject: Re: [PATCH v3 bpf-next 00/21] bpf: Sysctl hook

On Fri, Apr 5, 2019 at 12:36 PM Andrey Ignatov <> wrote:
> v2->v3:
> - simplify C based selftests by relying on variable offset stack access.
> v1->v2:
> - add fs/proc/proc_sysctl.c mainteners to Cc:.
> The patch set introduces new BPF hook for sysctl.
> It adds new program type BPF_PROG_TYPE_CGROUP_SYSCTL and attach type
> BPF_CGROUP_SYSCTL hook is placed before calling to sysctl's proc_handler so
> that accesses (read/write) to sysctl can be controlled for specific cgroup
> and either allowed or denied, or traced.
> The hook has access to sysctl name, current sysctl value and (on write
> only) to new sysctl value via corresponding helpers. New sysctl value can
> be overridden by program. Both name and values (current/new) are
> represented as strings same way they're visible in /proc/sys/. It is up to
> program to parse these strings.
> To help with parsing the most common kind of sysctl value, vector of
> integers, two new helpers are provided: bpf_strtol and bpf_strtoul with
> semantic similar to user space strtol(3) and strtoul(3).
> The hook also provides bpf_sysctl context with two fields:
> * @write indicates whether sysctl is being read (= 0) or written (= 1);
> * @file_pos is sysctl file position to read from or write to, can be
>   overridden.
> The hook allows to make better isolation for containerized applications
> that are run as root so that one container can't change a sysctl and affect
> all other containers on a host, make changes to allowed sysctl in a safer
> way and simplify sysctl tracing for cgroups.

This sounds more like an LSM than BPF. So sysctls can get blocked when
new BPF is added to a cgroup? Can the BPF be removed (or rather,
what's the lifetime of such BPF?)

Kees Cook

Powered by blists - more mailing lists