1. 22 Oct, 2017 4 commits
  2. 21 Oct, 2017 32 commits
  3. 20 Oct, 2017 4 commits
    • Merge branch 'bpf-lsm-hooks' · 7f9ad2ac
      David S. Miller authored
      Chenbo Feng says:
      
      ====================
      bpf: security: New file mode and LSM hooks for eBPF object permission control
      
      Much like files and sockets, eBPF objects are accessed, controlled, and
      shared via a file descriptor (FD). Unlike files and sockets, the
      existing mechanism for eBPF object access control is very limited.
      Currently there are two options for granting access to eBPF
      operations: grant access to all processes, or only CAP_SYS_ADMIN
      processes. The CAP_SYS_ADMIN-only mode is not ideal because most users
      do not have this capability and granting a user CAP_SYS_ADMIN grants too
      many other security-sensitive permissions. It also unnecessarily allows
      all CAP_SYS_ADMIN processes access to eBPF functionality. Allowing all
      processes to access eBPF objects is also undesirable since it has
      potential to allow unprivileged processes to consume kernel memory, and
      opens up attack surface to the kernel.
      
      Adding LSM hooks maintains the status quo for systems which do not use
      an LSM, preserving compatibility with userspace, while allowing security
      modules to choose how best to handle permissions on eBPF objects. Here
      is a possible use case for the lsm hooks with selinux module:
      
      The network-control daemon (netd) creates and loads an eBPF object for
      network packet filtering and analysis. It passes the object FD to an
      unprivileged network monitor app (netmonitor), which is not allowed to
      create, modify or load eBPF objects, but is allowed to read the traffic
      stats from the map.
      
      Selinux could use these hooks to grant the following permissions:
      allow netd self:bpf_map { create read write};
      allow netmonitor netd:fd use;
      allow netmonitor netd:bpf_map read;
      
      In this patch series, a file mode is added to bpf map to store the
      accessing mode. With these file mode flags, the map can be obtained read
      only, write only or read and write. With the help of this file mode,
      several security hooks can be added to the eBPF syscall implementations
      to do permissions checks. These LSM hooks are mainly focused on checking
      the process privileges before it obtains the fd for a specific bpf
      object. No matter from a file location or from an eBPF id. Besides that,
      a general check hook is also implemented at the start of bpf syscalls so
      that each security module can have their own implementation on the rest
      of bpf object related functionalities.
      
      In order to store the ownership and security information about eBPF
      maps, a security field pointer is added to the struct bpf_map. And the
      last two patches are the implementation of the selinux check on the hooks
      introduced, plus an additional check when an eBPF object is passed between
      processes using unix socket as well as binder IPC.
      
      Change since V1:
      
       - Whitelist the new bpf flags in the map allocate check.
       - Added bpf selftest for the new flags.
       - Added two new security hooks for copying the security information from
         the bpf object security struct to file security struct
       - Simplified the checking action when bpf fd is passed between processes.
      
       Change since V2:
      
       - Fixed the line break problem for map flags check
       - Fixed the typo in selinux check of file mode.
       - Merge bpf_map and bpf_prog into one selinux class
       - Added bpf_type and bpf_sid into file security struct to store the
         security information when generate fd.
       - Add the hook to bpf_map_new_fd and bpf_prog_new_fd.
      
       Change since V3:
      
       - Return the actual error from security check instead of -EPERM
       - Move the hooks into anon_inode_getfd() to avoid get file again after
         bpf object file is installed with fd.
       - Removed the bpf_sid field inside file_security_struct to reduce the
         cache size.
      
       Change since V4:
      
       - Rename bpf av prog_use to prog_run to distinguish from fd_use.
       - Remove the bpf_type field inside file_security_struct and use bpf fops
         to identify bpf object instead.
      
       Change since v5:
      
       - Fixed the incorrect selinux class name for SECCLASS_BPF
      
       Change since v7:
      
       - Fixed the build error caused by xt_bpf module.
       - Add flags check for bpf_obj_get() and bpf_map_get_fd_by_id() to make it
         uapi-wise.
       - Add the flags field to the bpf_obj_get_user function when BPF_SYSCALL
         is not configured.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      7f9ad2ac
    • selinux: bpf: Add additional check for bpf object file receive · f66e448c
      Chenbo Feng authored
      Introduce a bpf object related check when sending and receiving files
      through unix domain socket as well as binder. It checks if the receiving
      process has privilege to read/write the bpf map or use the bpf program.
      This check is necessary because the bpf maps and programs are using an
      anonymous inode as their shared inode so the normal way of checking the
      files and sockets when passing between processes cannot work properly on
      eBPF objects. This check only works when the BPF_SYSCALL is configured.
      Signed-off-by: Chenbo Feng <fengc@google.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Reviewed-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      f66e448c
    • selinux: bpf: Add selinux check for eBPF syscall operations · ec27c356
      Chenbo Feng authored
      Implement the actual checks introduced to eBPF related syscalls. This
      implementation uses the security field inside the bpf object to store a sid
      that identifies the bpf object. And when processes try to access the object,
      selinux will check if processes have the right privileges. The creation
      of eBPF objects is also checked at the general bpf check hook and new
      cmds introduced to the eBPF domain can also be checked there.
      Signed-off-by: Chenbo Feng <fengc@google.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Reviewed-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ec27c356
    • security: bpf: Add LSM hooks for bpf object related syscall · afdb09c7
      Chenbo Feng authored
      Introduce several LSM hooks for the syscalls that will allow
      userspace to access eBPF objects such as eBPF programs and eBPF maps.
      The security check is aimed to enforce a per object security protection
      for eBPF objects so only processes with the right privileges can
      read/write to a specific map or use a specific eBPF program. Besides
      that, a general security hook is added before the multiplexer of bpf
      syscall to check the cmd and the attribute used for the command. The
      actual security module can decide which commands need to be checked and
      how the cmd should be checked.
      Signed-off-by: Chenbo Feng <fengc@google.com>
      Acked-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      afdb09c7
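
The access model described in the merge message above, as an added example that is not code from the patch series: a user-space C model of how the map access flags become a file mode and how that mode is checked against the netd/netmonitor policy before an fd is handed out. The function names, permission bit values and policy table are assumptions for illustration; the BPF_F_RDONLY and BPF_F_WRONLY values are those in the kernel's uapi linux/bpf.h.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>

/* Flag values as defined in the kernel's uapi linux/bpf.h. */
#define BPF_F_RDONLY (1U << 3)
#define BPF_F_WRONLY (1U << 4)

/* Assumed bit values for the bpf_map permissions named in the policy. */
enum { MAP_CREATE = 1, MAP_READ = 2, MAP_WRITE = 4 };

/* Constructed policy table holding the bpf_map rules from the use case. */
struct rule { const char *source, *target; unsigned perms; };
static const struct rule policy[] = {
    { "netd",       "netd", MAP_CREATE | MAP_READ | MAP_WRITE },
    { "netmonitor", "netd", MAP_READ },
};

/* Turn the map access flags into an open mode; both flags at once is invalid. */
static int flags_to_open_mode(unsigned flags)
{
    if ((flags & BPF_F_RDONLY) && (flags & BPF_F_WRONLY))
        return -EINVAL;
    if (flags & BPF_F_RDONLY) return O_RDONLY;
    if (flags & BPF_F_WRONLY) return O_WRONLY;
    return O_RDWR; /* no flag given: read and write */
}

/* Permissions an fd opened with this mode would exercise on the map. */
static unsigned open_mode_to_perms(int mode)
{
    if (mode == O_RDONLY) return MAP_READ;
    if (mode == O_WRONLY) return MAP_WRITE;
    return MAP_READ | MAP_WRITE;
}

/* Hook model: 0 if `source` may obtain an fd with `flags` on `owner`'s map. */
int map_fd_check(const char *source, const char *owner, unsigned flags)
{
    int mode = flags_to_open_mode(flags);
    if (mode < 0)
        return mode;
    unsigned need = open_mode_to_perms(mode);
    for (size_t i = 0; i < sizeof(policy) / sizeof(policy[0]); i++)
        if (!strcmp(policy[i].source, source) && !strcmp(policy[i].target, owner))
            return (policy[i].perms & need) == need ? 0 : -EACCES;
    return -EACCES; /* default deny: no rule for this pair */
}
```

In this model netmonitor succeeds only when it asks for a read-only fd; requesting the default read-write mode is denied because the policy grants it `read` alone.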