Message-ID: <CAAn3qOUMD81-vxLLfep0H6rRd74ho2VaekdL4HjKq+Y1t9KdXQ@mail.gmail.com>
Date: Mon, 4 Mar 2024 11:18:21 -0500
From: Nikola Grcevski <nikola.grcevski@...fana.com>
To: linux-kernel@...r.kernel.org
Subject: [BPF] Unlocking the bpf_probe_write_user helper in controlled scenarios?

Since this kernel commit
https://github.com/torvalds/linux/commit/51e1bb9eeaf7868db56e58f47848e364ab4c4129,
the bpf_probe_write_user helper is locked down and cannot be used when
the kernel is set in integrity or security mode. We have a use case
for this helper for BPF enabled automatic context propagation of
OpenTelemetry trace headers (OpenTelemetry Go Auto Instrumentation and
Grafana Beyla). We write the W3C Trace Context header in outgoing HTTP
requests, by using uprobes attached to language specific HTTP/gRPC
libraries.

Writing the headers might be possible sometimes with the use of the
bpf_skb_store_bytes helper; however, it cannot be done when TLS is
enabled, and it becomes very hard when the data is HPACK encoded
(e.g. gRPC/HTTP2).

I'm asking if it's possible to reconsider unlocking this helper and, if
it's not possible to fully unlock it, whether we can unlock it for more
limited use. For example, allowed only in uprobes, or only if certain
things (like memory range or PIDs) are specified through a BPF LSM
policy?

Currently, when this helper is loaded by the BPF verifier, the lockdown
is checked in this order, so it seems we can only further restrict its
use via an LSM policy:

security_locked_down() {
    lockdown_is_locked_down();   /* lockdown LSM (integrity/confidentiality mode) is consulted first */
    bpf_lsm_locked_down();       /* BPF LSM hook runs second and can only add a denial */
}

Thanks!
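Given that ordering, the most a BPF LSM policy can do today is tighten the verdict. As an added example (not code from the message above or from the OpenTelemetry/Beyla projects), this BPF LSM program on the locked_down hook denies LOCKDOWN_BPF_WRITE_USER, the reason the verifier raises when a program resolves bpf_probe_write_user, to every loader except one allowlisted tracing agent; the agent name "otel-go-agent" is an assumed placeholder. The policy decision is kept in a plain C helper so it can be compiled and checked on the host, while the hook body is compiled only by clang -target bpf (it requires CONFIG_BPF_LSM with "bpf" in the active LSM list, vmlinux.h and libbpf).

```c
/* Added example: BPF LSM policy restricting who may load programs that use
 * bpf_probe_write_user. Because security_locked_down() consults the lockdown
 * LSM before the BPF LSM, this can only further restrict, never relax,
 * integrity/confidentiality lockdown. */
#define TASK_COMM_LEN 16   /* kernel task->comm size (macro, not in BTF) */
#ifndef EPERM
#define EPERM 1
#endif

/* Assumed (placeholder) comm of the only process allowed to install
 * programs that call bpf_probe_write_user. */
static const char allowed_loader[TASK_COMM_LEN] = "otel-go-agent";

/* Target-independent policy decision, unit-testable on the host.
 * Returns 0 to defer to the other LSMs' verdict, -EPERM to deny. */
static inline int write_user_loader_policy(const char comm[TASK_COMM_LEN])
{
	for (int i = 0; i < TASK_COMM_LEN; i++) {
		if (comm[i] != allowed_loader[i])
			return -EPERM;          /* mismatch, or one string ended early */
		if (comm[i] == '\0')
			return 0;               /* full match up to the terminator */
	}
	return 0;                               /* all 16 bytes equal, no terminator */
}

#ifdef __BPF__   /* hook body only for clang -target bpf */
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

char LICENSE[] SEC("license") = "GPL";

SEC("lsm/locked_down")
int BPF_PROG(restrict_bpf_write_user, enum lockdown_reason what)
{
	char comm[TASK_COMM_LEN];

	/* Touch only the reason raised for bpf_probe_write_user; every other
	 * lockdown reason (kexec, /dev/mem, ...) is left to the lockdown LSM. */
	if (what != LOCKDOWN_BPF_WRITE_USER)
		return 0;

	/* The hook runs in the context of the task loading the program, so
	 * current->comm is the loader, e.g. the tracing agent. */
	bpf_get_current_comm(comm, sizeof(comm));
	return write_user_loader_policy(comm);
}
#endif
```

The allowlisted loader still has to pass the lockdown LSM's own check and hold CAP_SYS_ADMIN; this program only adds a denial for everyone else.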
