Message-ID: <20191219013534.125342-2-epeer@juniper.net>
Date:   Thu, 19 Dec 2019 01:36:27 +0000
From:   Edwin Peer <epeer@...iper.net>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:     "ast@...nel.org" <ast@...nel.org>,
        "daniel@...earbox.net" <daniel@...earbox.net>,
        Edwin Peer <epeer@...iper.net>
Subject: [RFC PATCH bpf-next 1/2] bpf: defer capability checks until program
 attach

The intent of this patch is not to change the effective permissions
required to run a BPF program of a given type in the kernel. The
actual check, however, is now deferred until attach time. For
example, an XDP program will fail to bind to a device with EPERM if
the program was not originally loaded under CAP_SYS_ADMIN.

This is achieved by remembering whether the program was loaded by a
privileged user within the BPF program's context. The upshot of this
is that BPF_PROG_LOAD is no longer a privileged operation, thereby
exposing access to the verifier to normal users for all program
types.

Signed-off-by: Edwin Peer <epeer@...iper.net>
---
 include/linux/filter.h |  3 ++-
 kernel/bpf/syscall.c   | 11 +++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index a141cb07e76a..1957eea62bed 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -534,7 +534,8 @@ struct bpf_prog {
 				is_func:1,	/* program is a bpf function */
 				kprobe_override:1, /* Do we override a kprobe? */
 				has_callchain_buf:1, /* callchain buffer allocated? */
-				enforce_expected_attach_type:1; /* Enforce expected_attach_type checking at attach time */
+				enforce_expected_attach_type:1, /* Enforce expected_attach_type checking at attach time */
+				privileged_load:1; /* Loaded with CAP_SYS_ADMIN */
 	enum bpf_prog_type	type;		/* Type of BPF program */
 	enum bpf_attach_type	expected_attach_type; /* For some prog types */
 	u32			len;		/* Number of filter blocks */
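Review bot: The comment on the new `privileged_load` bit only records how it is set, not what depends on it, and a reader of filter.h cannot tell that this bit is now the gate for using a program of any type other than SOCKET_FILTER/CGROUP_SKB. Suggest `privileged_load:1; /* loaded under CAP_SYS_ADMIN; required by __bpf_prog_get() for privileged prog types */`. Since the bit is fixed at load time and travels with the program object, it may also be worth noting there that attach-time capabilities are not consulted, if that is the intended semantics. The enclosing `struct bpf_prog` begins outside this hunk.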
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index e3461ec59570..8e56768ebc06 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1586,6 +1586,11 @@ static struct bpf_prog *__bpf_prog_get(u32 ufd, enum bpf_prog_type *attach_type,
 	prog = ____bpf_prog_get(f);
 	if (IS_ERR(prog))
 		return prog;
+	if (prog->type != BPF_PROG_TYPE_SOCKET_FILTER &&
+	    prog->type != BPF_PROG_TYPE_CGROUP_SKB && !prog->privileged_load) {
+		prog = ERR_PTR(-EPERM);
+		goto out;
+	}
 	if (!bpf_prog_get_ok(prog, attach_type, attach_drv)) {
 		prog = ERR_PTR(-EINVAL);
 		goto out;
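Review bot: The new EPERM test in `__bpf_prog_get()` is undocumented and is placed on the generic fd-to-program lookup rather than on an attach path, so it applies to every caller that resolves a program through `bpf_prog_get()`/`bpf_prog_get_type_dev()`, not only attach; conversely any path that obtains a program some other way (a bpffs path lookup, for instance) would presumably not be covered, which seems worth auditing given the load-time check is gone. A comment stating the rule would help: `/* Types other than SOCKET_FILTER/CGROUP_SKB may only be used if the program was loaded under CAP_SYS_ADMIN (recorded in privileged_load); the caller's current capabilities are deliberately not consulted. */`. Note also that a CAP_SYS_ADMIN process handed such a program via SCM_RIGHTS or a bpffs pin is refused by this check; if that is intended, say so in the commit message. `__bpf_prog_get()` begins outside this hunk.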
@@ -1733,10 +1738,6 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr)
 	if (attr->insn_cnt == 0 ||
 	    attr->insn_cnt > (capable(CAP_SYS_ADMIN) ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS))
 		return -E2BIG;
-	if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
-	    type != BPF_PROG_TYPE_CGROUP_SKB &&
-	    !capable(CAP_SYS_ADMIN))
-		return -EPERM;
 
 	bpf_prog_load_fixup_attach_type(attr);
 	if (bpf_prog_load_check_attach(type, attr->expected_attach_type,
@@ -1749,6 +1750,8 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr)
 	if (!prog)
 		return -ENOMEM;
 
+	prog->privileged_load = capable(CAP_SYS_ADMIN);
+
 	prog->expected_attach_type = attr->expected_attach_type;
 	prog->aux->attach_btf_id = attr->attach_btf_id;
 	if (attr->attach_prog_fd) {
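Review bot: `prog->privileged_load = capable(CAP_SYS_ADMIN);` re-evaluates the capability that `bpf_prog_load()` already evaluated for the `insn_cnt` limit a few lines earlier, so the two decisions are made from separate calls (and `capable()` may emit a separate audit record each time). Hoist it once near the top of the function, `bool is_priv = capable(CAP_SYS_ADMIN);`, use `is_priv ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS` for the limit and `prog->privileged_load = is_priv;` here, so the recorded bit and the limit actually applied cannot disagree. A one-line comment on the assignment, `/* remembered for the attach-time check in __bpf_prog_get() */`, would also tell the reader where the bit is consumed. The body of `bpf_prog_load()` continues past this hunk.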
-- 
2.24.1
