| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Jan 2019 22:32:36 -0800
From: Y Song <ys114321@...il.com>
To: Quentin Monnet <quentin.monnet@...ronome.com>
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
netdev <netdev@...r.kernel.org>, oss-drivers@...ronome.com,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Jesper Dangaard Brouer <brouer@...hat.com>,
Stanislav Fomichev <sdf@...gle.com>
Subject: Re: [RFC bpf-next v3 2/9] tools: bpftool: add probes for /proc/ eBPF parameters
On Thu, Jan 3, 2019 at 9:26 AM Quentin Monnet
<quentin.monnet@...ronome.com> wrote:
>
> Add a set of probes to dump the eBPF-related parameters available from
> /proc/: availability of bpf() syscall for unprivileged users,
> JIT compiler status and hardening status, kallsyms exports status.
>
> Sample output:
>
> # bpftool feature probe kernel
> Scanning system configuration...
> bpf() syscall for unprivileged users is enabled
> JIT compiler is disabled
> JIT compiler hardening is disabled
> JIT compiler kallsyms exports are disabled
> ...
>
> # bpftool --json --pretty feature probe kernel
> {
> "system_config": {
> "unprivileged_bpf_disabled": 0,
> "bpf_jit_enable": 0,
> "bpf_jit_harden": 0,
> "bpf_jit_kallsyms": 0
We have bpf_jit_limit as well to prevent excessive memory for
unprivileged users.
Do we want to add it here?
> },
> ...
> }
>
> These probes are skipped if procfs is not mounted.
>
> v2:
> - Remove C-style macros output from this patch.
>
> Signed-off-by: Quentin Monnet <quentin.monnet@...ronome.com>
> Reviewed-by: Jakub Kicinski <jakub.kicinski@...ronome.com>
> ---
> tools/bpf/bpftool/feature.c | 168 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 168 insertions(+)
>
> diff --git a/tools/bpf/bpftool/feature.c b/tools/bpf/bpftool/feature.c
> index 954fb12a5228..37fe79f59015 100644
> --- a/tools/bpf/bpftool/feature.c
> +++ b/tools/bpf/bpftool/feature.c
> @@ -5,6 +5,7 @@
> #include <string.h>
> #include <unistd.h>
> #include <sys/utsname.h>
> +#include <sys/vfs.h>
>
> #include <linux/filter.h>
> #include <linux/limits.h>
> @@ -13,11 +14,29 @@
>
> #include "main.h"
>
> +#ifndef PROC_SUPER_MAGIC
> +# define PROC_SUPER_MAGIC 0x9fa0
> +#endif
> +
> enum probe_component {
> COMPONENT_UNSPEC,
> COMPONENT_KERNEL,
> };
>
> +/* Miscellaneous utility functions */
> +
> +static bool check_procfs(void)
> +{
> + struct statfs st_fs;
> +
> + if (statfs("/proc", &st_fs) < 0)
> + return false;
> + if ((unsigned long)st_fs.f_type != PROC_SUPER_MAGIC)
> + return false;
> +
> + return true;
> +}
> +
> /* Printing utility functions */
>
> static void
> @@ -42,6 +61,135 @@ print_start_section(const char *json_title, const char *plain_title)
>
> /* Probing functions */
>
> +static int read_procfs(const char *path)
> +{
> + char *endptr, *line = NULL;
> + size_t len = 0;
> + FILE *fd;
> + int res;
> +
> + fd = fopen(path, "r");
> + if (!fd)
> + return -1;
> +
> + res = getline(&line, &len, fd);
> + fclose(fd);
> + if (res < 0)
> + return -1;
> +
> + errno = 0;
> + res = strtol(line, &endptr, 10);
> + if (errno || *line == '\0' || *endptr != '\n')
> + res = -1;
> + free(line);
> +
> + return res;
> +}
> +
> +static void probe_unprivileged_disabled(void)
> +{
> + int res;
> +
> + res = read_procfs("/proc/sys/kernel/unprivileged_bpf_disabled");
> + if (json_output) {
> + jsonw_int_field(json_wtr, "unprivileged_bpf_disabled", res);
> + } else {
> + switch (res) {
> + case 0:
> + printf("bpf() syscall for unprivileged users is enabled\n");
> + break;
> + case 1:
> + printf("bpf() syscall restricted to privileged users\n");
> + break;
> + case -1:
> + printf("Unable to retrieve required privileges for bpf() syscall\n");
> + break;
> + default:
> + printf("bpf() syscall restriction has unknown value %d\n", res);
> + }
> + }
> +}
> +
> +static void probe_jit_enable(void)
> +{
> + int res;
> +
> + res = read_procfs("/proc/sys/net/core/bpf_jit_enable");
> + if (json_output) {
> + jsonw_int_field(json_wtr, "bpf_jit_enable", res);
> + } else {
> + switch (res) {
> + case 0:
> + printf("JIT compiler is disabled\n");
> + break;
> + case 1:
> + printf("JIT compiler is enabled\n");
> + break;
> + case 2:
> + printf("JIT compiler is enabled with debugging traces in kernel logs\n");
> + break;
> + case -1:
> + printf("Unable to retrieve JIT-compiler status\n");
> + break;
> + default:
> + printf("JIT-compiler status has unknown value %d\n",
> + res);
> + }
> + }
> +}
> +
> +static void probe_jit_harden(void)
> +{
> + int res;
> +
> + res = read_procfs("/proc/sys/net/core/bpf_jit_harden");
> + if (json_output) {
> + jsonw_int_field(json_wtr, "bpf_jit_harden", res);
> + } else {
> + switch (res) {
> + case 0:
> + printf("JIT compiler hardening is disabled\n");
> + break;
> + case 1:
> + printf("JIT compiler hardening is enabled for unprivileged users\n");
> + break;
> + case 2:
> + printf("JIT compiler hardening is enabled for all users\n");
> + break;
> + case -1:
> + printf("Unable to retrieve JIT hardening status\n");
> + break;
> + default:
> + printf("JIT hardening status has unknown value %d\n",
> + res);
> + }
> + }
> +}
> +
> +static void probe_jit_kallsyms(void)
> +{
> + int res;
> +
> + res = read_procfs("/proc/sys/net/core/bpf_jit_kallsyms");
> + if (json_output) {
> + jsonw_int_field(json_wtr, "bpf_jit_kallsyms", res);
> + } else {
> + switch (res) {
> + case 0:
> + printf("JIT compiler kallsyms exports are disabled\n");
> + break;
> + case 1:
> + printf("JIT compiler kallsyms exports are enabled for root\n");
> + break;
> + case -1:
> + printf("Unable to retrieve JIT kallsyms export status\n");
> + break;
> + default:
> + printf("JIT kallsyms exports status has unknown value %d\n", res);
> + }
> + }
> +}
> +
> static bool probe_bpf_syscall(void)
> {
> bool res;
> @@ -88,6 +236,26 @@ static int do_probe(int argc, char **argv)
> if (json_output)
> jsonw_start_object(json_wtr);
>
> + switch (target) {
> + case COMPONENT_KERNEL:
> + case COMPONENT_UNSPEC:
> + print_start_section("system_config",
> + "Scanning system configuration...");
> + if (check_procfs()) {
> + probe_unprivileged_disabled();
> + probe_jit_enable();
> + probe_jit_harden();
> + probe_jit_kallsyms();
> + } else {
> + p_info("/* procfs not mounted, skipping related probes */");
> + }
> + if (json_output)
> + jsonw_end_object(json_wtr);
> + else
> + printf("\n");
> + break;
> + }
> +
> print_start_section("syscall_config",
> "Scanning system call availability...");
>
> --
> 2.17.1
>
Powered by blists - more mailing lists