Message ID | 20241210220627.2800362-1-song@kernel.org (mailing list archive)
---|---
Series | Enable writing xattr from BPF programs
On Tue, Dec 10, 2024 at 02:06:21PM -0800, Song Liu wrote:
> Add support to set and remove xattr from BPF program. Also add
> security.bpf. xattr name prefix.

If the system allows for the execution of unprivileged BPF programs (e.g., ones where a random user can load their own BPF programs), will they have the ability to set and remove security.bpf.* xattrs? If the answer is yes, should this be disallowed?

I note that one of the use cases seems to be BPF-based LSM's, so we may want to have something even more restrictive since otherwise any BPF program could potentially have the same power as the LSM?

- Ted
Hi Ted,

> On Dec 11, 2024, at 5:18 AM, Theodore Ts'o <tytso@mit.edu> wrote:
>
> On Tue, Dec 10, 2024 at 02:06:21PM -0800, Song Liu wrote:
>> Add support to set and remove xattr from BPF program. Also add
>> security.bpf. xattr name prefix.
>
> If the system allows for the execution of unprivileged BPF programs
> (e.g., ones where a random user can load their own BPF programs), will
> they have the ability to set and remove security.bpf.* xattrs? If the
> answer is yes, should this be disallowed?
>
> I note that one of the use cases seems to be BPF-based LSM's, so we
> may want to have something even more restrictive since otherwise any
> BPF program could potentially have the same power as the LSM?

These kfuncs are only allowed in BPF LSM programs. Therefore, other program types (tracing, XDP, etc.) cannot use these kfuncs.

Thanks,
Song
On Wed, Dec 11, 2024 at 5:18 AM Theodore Ts'o <tytso@mit.edu> wrote:
>
> On Tue, Dec 10, 2024 at 02:06:21PM -0800, Song Liu wrote:
> > Add support to set and remove xattr from BPF program. Also add
> > security.bpf. xattr name prefix.
>
> If the system allows for the execution of unprivileged BPF programs
> (e.g., ones where a random user can load their own BPF programs), will
> they have the ability to set and remove security.bpf.* xattrs? If the
> answer is yes, should this be disallowed?

It's not 100% clear from Song's reply, but the answer is "no". You can't use this from unprivileged BPF programs (BPF LSM is privileged and requires root, effectively).

>
> I note that one of the use cases seems to be BPF-based LSM's, so we
> may want to have something even more restrictive since otherwise any
> BPF program could potentially have the same power as the LSM?
>
> - Ted