• Daniel Borkmann's avatar
    bpf: Add lockdown check for probe_write_user helper · 51e1bb9e
    Daniel Borkmann authored
    Back then, commit 96ae5227 ("bpf: Add bpf_probe_write_user BPF helper
    to be called in tracers") added the bpf_probe_write_user() helper in order
    to allow to override user space memory. Its original goal was to have a
    facility to "debug, divert, and manipulate execution of semi-cooperative
    processes" under CAP_SYS_ADMIN. Write to kernel was explicitly disallowed
    since it would otherwise tamper with its integrity.
    
    One use case was shown in cf9b1199 ("samples/bpf: Add test/example of
    using bpf_probe_write_user bpf helper") where the program DNATs traffic
    at the time of connect(2) syscall, meaning, it rewrites the arguments to
    a syscall while they're still in userspace, and before the syscall has a
    chance to copy the argument into kernel space. These days we have better
    mechanisms in BPF for achieving the same (e.g. for load-balancers), but
    without having to write to userspace memory.
    
    Of course the bpf_probe_write_user() helper can also be used to abuse
    many other things for both good or bad purpose. Outside of BPF, there is
    a similar mechanism for ptrace(2) such as PTRACE_PEEK{TEXT,DATA} and
    PTRACE_POKE{TEXT,DATA}, but would likely require some more effort.
    Commit 96ae5227 explicitly dedicated the helper for experimentation
    purpose only. Thus, move the helper's availability behind a newly added
    LOCKDOWN_BPF_WRITE_USER lockdown knob so that the helper is disabled under
    the "integrity" mode. More fine-grained control can be implemented also
    from LSM side with this change.
    
    Fixes: 96ae5227 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers")
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Acked-by: default avatarAndrii Nakryiko <andrii@kernel.org>
    51e1bb9e
security.c 65.7 KB