| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180524233449.ga664pzexrkzepfv@ast-mbp>
Date: Thu, 24 May 2018 16:34:51 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Jesper Dangaard Brouer <brouer@...hat.com>
Cc: Eugene Syromiatnikov <esyr@...hat.com>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
Kees Cook <keescook@...omium.org>,
Kai-Heng Feng <kai.heng.feng@...onical.com>,
Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...nel.org>,
Jonathan Corbet <corbet@....net>, Jiri Olsa <jolsa@...nel.org>
Subject: Re: [PATCH bpf-next v2 0/3] bpf: add boot parameters for sysctl knobs
On Thu, May 24, 2018 at 09:41:08AM +0200, Jesper Dangaard Brouer wrote:
> On Wed, 23 May 2018 15:02:45 -0700
> Alexei Starovoitov <alexei.starovoitov@...il.com> wrote:
>
> > On Wed, May 23, 2018 at 02:18:19PM +0200, Eugene Syromiatnikov wrote:
> > > Some BPF sysctl knobs affect the loading of BPF programs, and during
> > > system boot/init stages these sysctls are not yet configured.
> > > A concrete example is systemd, that has implemented loading of BPF
> > > programs.
> > >
> > > Thus, to allow controlling these setting at early boot, this patch set
> > > adds the ability to change the default setting of these sysctl knobs
> > > as well as option to override them via a boot-time kernel parameter
> > > (in order to avoid rebuilding kernel each time a need of changing these
> > > defaults arises).
> > >
> > > The sysctl knobs in question are kernel.unprivileged_bpf_disable,
> > > net.core.bpf_jit_harden, and net.core.bpf_jit_kallsyms.
> >
> > - systemd is root. today it only uses cgroup-bpf progs which require root,
> > so disabling unpriv during boot time makes no difference to systemd.
> > what is the actual reason to present time?
> >
> > - say in the future systemd wants to use so_reuseport+bpf for faster
> > networking. With unpriv disable during boot, it will force systemd
> > to do such networking from root, which will lower its security barrier.
> > How that make sense?
> >
> > - bpf_jit_kallsyms sysctl has immediate effect on loaded programs.
> > Flipping it during the boot or right after or any time after
> > is the same thing. Why add such boot flag then?
> >
> > - jit_harden can be turned on by systemd. so turning it during the boot
> > will make systemd progs to be constant blinded.
> > Constant blinding protects kernel from unprivileged JIT spraying.
> > Are you worried that systemd will attack the kernel with JIT spraying?
>
>
> I think you are missing that, we want the ability to change these
> defaults in-order to avoid depending on /etc/sysctl.conf settings, and
> that the these sysctl.conf setting happen too late.
What does it mean 'happens too late' ?
Too late for what?
sysctl.conf has plenty of system critical knobs like
kernel.perf_event_paranoid, kernel.core_pattern, etc
The behavior of the host is drastically different after sysctl config
is applied.
> For example with jit_harden, there will be a difference between the
> loaded BPF program that got loaded at boot-time with systemd (no
> constant blinding) and when someone reloads that systemd service after
> /etc/sysctl.conf have been evaluated and setting bpf_jit_harden (now
> slower due to constant blinding). This is inconsistent behavior.
net.core.bpf_jit_harden can be flipped back and forth at run-time,
so bpf progs before and after will be either blinded or not.
I don't see any inconsistency.
In general I think bootparams should be used only for things
like kpti=on/off that cannot be set by sysctl.
Powered by blists - more mailing lists