| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f539bfef-c098-5ff0-51ef-bfa8fd0c4661@meta.com>
Date: Tue, 17 Jan 2023 09:24:56 -0800
From: Yonghong Song <yhs@...a.com>
To: WritePaper <clangllvm@....com>, ast@...nel.org,
daniel@...earbox.net, andrii@...nel.org, martin.lau@...ux.dev,
song@...nel.org, yhs@...com
Cc: john.fastabend@...il.com, kpsingh@...nel.org, sdf@...gle.com,
haoluo@...gle.com, jolsa@...nel.org, rostedt@...dmis.org,
mhiramat@...nel.org, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH] bpf: security enhancement by limiting the offensive eBPF
helpers
On 1/17/23 7:12 AM, WritePaper wrote:
> The bpf_send_singal and bpf_override_return is similar to
> bpf_write_user and can affect userspace processes. Thus, these two
> helpers should also be constraint by security lockdown.
>
> Signed-off-by: WritePaper <clangllvm@....com>
> ---
> include/linux/security.h | 3 +++
> kernel/trace/bpf_trace.c | 6 ++++--
> 2 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 5b67f208f..cb90b2860 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -123,6 +123,9 @@ enum lockdown_reason {
> LOCKDOWN_DEBUGFS,
> LOCKDOWN_XMON_WR,
> LOCKDOWN_BPF_WRITE_USER,
> + LOCKDOWN_BPF_SEND_SIGNAL,
> + LOCKDOWN_BPF_OVERRIDE_RETURN,
> + LOCKDOWN_OFFENSIVE_BPF_MAX,
LOCKDOWN_OFFENSIVE_BPF_MAX is not used.
> LOCKDOWN_DBG_WRITE_KERNEL,
> LOCKDOWN_RTAS_ERROR_INJECTION,
> LOCKDOWN_INTEGRITY_MAX,
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 3bbd3f0c8..3a80f4b6f 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -1463,7 +1463,8 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> return &bpf_cgrp_storage_delete_proto;
> #endif
> case BPF_FUNC_send_signal:
> - return &bpf_send_signal_proto;
> + return security_locked_down(LOCKDOWN_BPF_SEND_SIGNAL) < 0 ?
> + NULL : &bpf_send_signal_proto;
You should add the same security_locked_down(LOCKDOWN_BPF_SEND_SIGNAL)
check with below bpf_send_signal_thread() helper.
> case BPF_FUNC_send_signal_thread:
> return &bpf_send_signal_thread_proto;
> case BPF_FUNC_perf_event_read_value:
> @@ -1531,7 +1532,8 @@ kprobe_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> return &bpf_get_stack_proto;
> #ifdef CONFIG_BPF_KPROBE_OVERRIDE
> case BPF_FUNC_override_return:
> - return &bpf_override_return_proto;
> + return security_locked_down(LOCKDOWN_BPF_OVERRIDE_RETURN) < 0 ?
> + NULL : &bpf_override_return_proto;
> #endif
> case BPF_FUNC_get_func_ip:
> return prog->expected_attach_type == BPF_TRACE_KPROBE_MULTI ?
Powered by blists - more mailing lists