lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH3MdRV491O-4-BtihefCJRD2pbZRmvom4VS0Tr9tLjSPS79yw@mail.gmail.com>
Date:   Thu, 3 Jan 2019 22:32:36 -0800
From:   Y Song <ys114321@...il.com>
To:     Quentin Monnet <quentin.monnet@...ronome.com>
Cc:     Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        netdev <netdev@...r.kernel.org>, oss-drivers@...ronome.com,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        Jesper Dangaard Brouer <brouer@...hat.com>,
        Stanislav Fomichev <sdf@...gle.com>
Subject: Re: [RFC bpf-next v3 2/9] tools: bpftool: add probes for /proc/ eBPF parameters

On Thu, Jan 3, 2019 at 9:26 AM Quentin Monnet
<quentin.monnet@...ronome.com> wrote:
>
> Add a set of probes to dump the eBPF-related parameters available from
> /proc/: availability of bpf() syscall for unprivileged users,
> JIT compiler status and hardening status, kallsyms exports status.
>
> Sample output:
>
>     # bpftool feature probe kernel
>     Scanning system configuration...
>     bpf() syscall for unprivileged users is enabled
>     JIT compiler is disabled
>     JIT compiler hardening is disabled
>     JIT compiler kallsyms exports are disabled
>     ...
>
>     # bpftool --json --pretty feature probe kernel
>     {
>         "system_config": {
>             "unprivileged_bpf_disabled": 0,
>             "bpf_jit_enable": 0,
>             "bpf_jit_harden": 0,
>             "bpf_jit_kallsyms": 0

We have bpf_jit_limit as well to prevent excessive memory for
unprivileged users.
Do we want to add it here?

>         },
>         ...
>     }
>
> These probes are skipped if procfs is not mounted.
>
> v2:
> - Remove C-style macros output from this patch.
>
> Signed-off-by: Quentin Monnet <quentin.monnet@...ronome.com>
> Reviewed-by: Jakub Kicinski <jakub.kicinski@...ronome.com>
> ---
>  tools/bpf/bpftool/feature.c | 168 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 168 insertions(+)
>
> diff --git a/tools/bpf/bpftool/feature.c b/tools/bpf/bpftool/feature.c
> index 954fb12a5228..37fe79f59015 100644
> --- a/tools/bpf/bpftool/feature.c
> +++ b/tools/bpf/bpftool/feature.c
> @@ -5,6 +5,7 @@
>  #include <string.h>
>  #include <unistd.h>
>  #include <sys/utsname.h>
> +#include <sys/vfs.h>
>
>  #include <linux/filter.h>
>  #include <linux/limits.h>
> @@ -13,11 +14,29 @@
>
>  #include "main.h"
>
> +#ifndef PROC_SUPER_MAGIC
> +# define PROC_SUPER_MAGIC      0x9fa0
> +#endif
> +
>  enum probe_component {
>         COMPONENT_UNSPEC,
>         COMPONENT_KERNEL,
>  };
>
> +/* Miscellaneous utility functions */
> +
> +static bool check_procfs(void)
> +{
> +       struct statfs st_fs;
> +
> +       if (statfs("/proc", &st_fs) < 0)
> +               return false;
> +       if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
> +               return false;
> +
> +       return true;
> +}
> +
>  /* Printing utility functions */
>
>  static void
> @@ -42,6 +61,135 @@ print_start_section(const char *json_title, const char *plain_title)
>
>  /* Probing functions */
>
> +static int read_procfs(const char *path)
> +{
> +       char *endptr, *line = NULL;
> +       size_t len = 0;
> +       FILE *fd;
> +       int res;
> +
> +       fd = fopen(path, "r");
> +       if (!fd)
> +               return -1;
> +
> +       res = getline(&line, &len, fd);
> +       fclose(fd);
> +       if (res < 0)
> +               return -1;
> +
> +       errno = 0;
> +       res = strtol(line, &endptr, 10);
> +       if (errno || *line == '\0' || *endptr != '\n')
> +               res = -1;
> +       free(line);
> +
> +       return res;
> +}
> +
> +static void probe_unprivileged_disabled(void)
> +{
> +       int res;
> +
> +       res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
> +       if (json_output) {
> +               jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
> +       } else {
> +               switch (res) {
> +               case 0:
> +                       printf("bpf() syscall for unprivileged users is enabled\n");
> +                       break;
> +               case 1:
> +                       printf("bpf() syscall restricted to privileged users\n");
> +                       break;
> +               case -1:
> +                       printf("Unable to retrieve required privileges for bpf() syscall\n");
> +                       break;
> +               default:
> +                       printf("bpf() syscall restriction has unknown value %d\n", res);
> +               }
> +       }
> +}
> +
> +static void probe_jit_enable(void)
> +{
> +       int res;
> +
> +       res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
> +       if (json_output) {
> +               jsonw_int_field(json_wtr, "bpf_jit_enable", res);
> +       } else {
> +               switch (res) {
> +               case 0:
> +                       printf("JIT compiler is disabled\n");
> +                       break;
> +               case 1:
> +                       printf("JIT compiler is enabled\n");
> +                       break;
> +               case 2:
> +                       printf("JIT compiler is enabled with debugging traces in kernel logs\n");
> +                       break;
> +               case -1:
> +                       printf("Unable to retrieve JIT-compiler status\n");
> +                       break;
> +               default:
> +                       printf("JIT-compiler status has unknown value %d\n",
> +                              res);
> +               }
> +       }
> +}
> +
> +static void probe_jit_harden(void)
> +{
> +       int res;
> +
> +       res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
> +       if (json_output) {
> +               jsonw_int_field(json_wtr, "bpf_jit_harden", res);
> +       } else {
> +               switch (res) {
> +               case 0:
> +                       printf("JIT compiler hardening is disabled\n");
> +                       break;
> +               case 1:
> +                       printf("JIT compiler hardening is enabled for unprivileged users\n");
> +                       break;
> +               case 2:
> +                       printf("JIT compiler hardening is enabled for all users\n");
> +                       break;
> +               case -1:
> +                       printf("Unable to retrieve JIT hardening status\n");
> +                       break;
> +               default:
> +                       printf("JIT hardening status has unknown value %d\n",
> +                              res);
> +               }
> +       }
> +}
> +
> +static void probe_jit_kallsyms(void)
> +{
> +       int res;
> +
> +       res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
> +       if (json_output) {
> +               jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
> +       } else {
> +               switch (res) {
> +               case 0:
> +                       printf("JIT compiler kallsyms exports are disabled\n");
> +                       break;
> +               case 1:
> +                       printf("JIT compiler kallsyms exports are enabled for root\n");
> +                       break;
> +               case -1:
> +                       printf("Unable to retrieve JIT kallsyms export status\n");
> +                       break;
> +               default:
> +                       printf("JIT kallsyms exports status has unknown value %d\n", res);
> +               }
> +       }
> +}
> +
>  static bool probe_bpf_syscall(void)
>  {
>         bool res;
> @@ -88,6 +236,26 @@ static int do_probe(int argc, char **argv)
>         if (json_output)
>                 jsonw_start_object(json_wtr);
>
> +       switch (target) {
> +       case COMPONENT_KERNEL:
> +       case COMPONENT_UNSPEC:
> +               print_start_section("system_config",
> +                                   "Scanning system configuration...");
> +               if (check_procfs()) {
> +                       probe_unprivileged_disabled();
> +                       probe_jit_enable();
> +                       probe_jit_harden();
> +                       probe_jit_kallsyms();
> +               } else {
> +                       p_info("/* procfs not mounted, skipping related probes */");
> +               }
> +               if (json_output)
> +                       jsonw_end_object(json_wtr);
> +               else
> +                       printf("\n");
> +               break;
> +       }
> +
>         print_start_section("syscall_config",
>                             "Scanning system call availability...");
>
> --
> 2.17.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ