| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Oct 2015 10:42:15 -0700 From: Kees Cook <keescook@...omium.org> To: Alexei Starovoitov <ast@...mgrid.com> Cc: Daniel Borkmann <daniel@...earbox.net>, "David S. Miller" <davem@...emloft.net>, Andy Lutomirski <luto@...capital.net>, Ingo Molnar <mingo@...nel.org>, Hannes Frederic Sowa <hannes@...essinduktion.org>, Eric Dumazet <edumazet@...gle.com>, Linux API <linux-api@...r.kernel.org>, Network Development <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org> Subject: Re: [PATCH net-next 1/2] bpf: enable non-root eBPF programs On Wed, Oct 7, 2015 at 4:49 PM, Alexei Starovoitov <ast@...mgrid.com> wrote: > On 10/7/15 3:22 PM, Kees Cook wrote: >>> >>> Yes, I agree with you that there would be a CVE regardless. I still >>> >like the option of configurable access, not a big fan of the sysctl >>> >either. Thinking out loudly, what about a Kconfig option? We started >>> >out like this on bpf(2) itself (initially under expert settings, now >>> >afaik not anymore), and depending on usage scenarios, a requirement >>> >could be to have immutable cap_sys_admin-only, for other use-cases a >>> >requirement on the kernel might instead be to have unprivileged users >>> >as well. >> >> It'd be nice to have it just be a Kconfig, but this shoots >> distro-users in the foot if a distro decides to include unpriv bpf and >> the user doesn't want it. I think it's probably a good idea to keep >> the sysctl. > > > I don't like introducing Kconfig for no clear reason. It only adds > to the testing matrix and makes it harder to hack around. > Paranoid distros can disable bpf via single config already, > there is no reason to go more fine grained here. > Unpriv checks add minimal amount of code, so even for tinification > purpose there is no need to chop of few bytes. tiny kernels would > disable bpf all together. > > As far as sysctl we can look at two with similar purpose: > sysctl_perf_event_paranoid and modules_disabled. > First one is indeed multi level, but not because of the fear of bugs, > but because of real security implications. Like raw events on > hyperthreaded cpu or uncore events can extract data from other > user processes. So it controls these extra privileges. > For bpf there are no hw implications to deal with. > If we make seccomp+bpf in the future it shouldn't need another knob > or extra bit. There are no extra privileges to grant, so not needed. > > modules_disabled is off by default and can be toggled on once. > I think for paranoid distro users that "don't want bpf" that is > the better model. > So I'm thinking to do sysctl_unprivileged_bpf_disabled that will be > 0=off by default (meaning that users can load unpriv socket filter > programs and seccomp in the future) and that can be switched > to 1=on once and stay that way until reboot. > I think that's the best balance that avoids adding checks to all > apps that want to use bpf and admins can still act on it. > From app point of view it's no different than bpf syscall > was not compiled in. So single feature test for bpf syscall will > be enough. I think this would be great. :) -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists