[RFC,bpf-next,0/2] bpf: allow unprivileged map access to some map types

Message ID	1652275168-18630-1-git-send-email-alan.maguire@oracle.com (mailing list archive)
Headers	show Return-Path: <bpf-owner@kernel.org> From: Alan Maguire <alan.maguire@oracle.com> To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org Cc: kafai@fb.com, songliubraving@fb.com, yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org, keescook@chromium.org, bpf@vger.kernel.org Subject: [RFC bpf-next 0/2] bpf: allow unprivileged map access to some map types Date: Wed, 11 May 2022 14:19:26 +0100 Message-Id: <1652275168-18630-1-git-send-email-alan.maguire@oracle.com> Content-Type: text/plain MIME-Version: 1.0 Precedence: bulk
Series	bpf: allow unprivileged map access to some map types \| expand [RFC,bpf-next,0/2] bpf: allow unprivileged map access to some map types [RFC,bpf-next,1/2] bpf: with CONFIG_BPF_UNPRIV_MAP_ACCESS=y, allow unprivileged access to BPF maps [RFC,bpf-next,2/2] selftests/bpf: add tests verifying unpriv bpf map access

Message ID

1652275168-18630-1-git-send-email-alan.maguire@oracle.com (mailing list archive)

Headers

From: Alan Maguire <alan.maguire@oracle.com>
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org
Cc: kafai@fb.com, songliubraving@fb.com, yhs@fb.com,
        john.fastabend@gmail.com, kpsingh@kernel.org,
        keescook@chromium.org, bpf@vger.kernel.org
Subject: [RFC bpf-next 0/2] bpf: allow unprivileged map access to some map
 types
Date: Wed, 11 May 2022 14:19:26 +0100
Message-Id: <1652275168-18630-1-git-send-email-alan.maguire@oracle.com>
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 fn7+ltoKq+XJ12wT3Opnq4WqF/eL8gaX5ZUDku85C0Ztk81h8w4PXosGdPTT+PIWrA+H+L7kKYaH480H4IBZETz/KKCoVQrJLWH6URxntQLGW/CxJXf44aBDn68Ib+B6U1mJA5VD9UXMxsQQD8XNfspviZaD3FP0YVwE6Xg5mr58AAr5S9DqYb7RyjwCzVxKvw6JQY8v7u6+vxQS+YYCyjG/ukkJRz49CiZm2g2vl9hBawfYKARtexaEgbC/ukSJZIAKtuAgCkPPCGnVS+WeZsrM0q3T5ayjS4TwZRg5IfjG+4tKTup59GPYgst5Knczsmz4i6kFUWmmVOmY6K3HlMYls9EFwX33u5q7SGgd9URnxtrwaCdML9ulaQjPvyF4z6xqWpIsl4d6nYpUtXW/xXVQ3VzL0J7sfIE60vbhKL7C/gubzPXiUfqbJIWFvTXP0jyvf7Dk3eMNixhGbJiTeVpGRR4BAKAAPfmsyuXZgWXBSghD6opwtFPIgFpcnjXmN5c+z2EcE6iWMExdWQnON3/gueQLuk+u41TqETT25RWDh4vA9c6I1T1+iFaDiZAEVi47WVYgVpEchXY5Kikm+nnqSN4JY4myPQWPobiQrj19cMnssahfLG2bC+TW4CK0O3CAtg6XQl3num4CuXxUeLXSoAlqhYyMaGA4qdCJgRD7G5eK7u858RIFawzOI2kW8eVtvB1GXWZu8jEEgyg2Z4V0IhrTWiQ4L7xx63ssMflJLp6LTH8+F/BdDPmhKxrpHhiiVzUhrx7GwbfJWbji5TfNcoVz1KoBZJzRbcsmsOAmhgrvguuyAboadf+UNmXkhe7dbjUsUaOT3dil8IUTQ5kdqE+gnOpW9/Fm4BfgJfKd6fmLcQI0S5l2CF0kCbI589BJez0JaCfd37iUJE79sYyHwusYCE2M5RHUo0WoDiTj1AmP9OmuOajnYpygC1Lxks1FlFId/iaVmUXlMw78nMMx+nVcbNNdalvQPNh6JxwUGhhO5ZgdJq1zFihThkvJIxiqDGSz7w0YUOLagnNkTCTJKj8rLI36DzCoHlmvHoQW2B6VAU3FDlYm7sh6rD39p17GDTu0Y672gBghjbTwTOMPEjb5gGh6rssu42BCX74L/Kmb4dw/yrWCH0scmrx6/jB13nx3XolbX7Fp8eDQ2QNUycTiMSff3+LPDLH5UO7DjmQOsPE15vDRkNUianBBWwY3UcxsGred/UxmsrFqOd5uqzNAupRm5IuHKqUGFo2MS2b/QHeA7R/249T217abKh5xeLazskNMU5kz1tWnT9Vb6mj6y/hEmyT4TiWnG6PTFJoVmQDcb9eZKaHVGVc+EnRj3LSfGCB0orZmGF4C6OJP1bB0I8uZl/QvxTpKe2319tBhn+VwtBmmwGnSJ5g6h9uqul2MRkIeMafudyIwUaQM5NiT6ZeQflcISoi7fbYwyfjUKl4rcK8RQDAx65ZKMF3VIJPoG2QpMX7qBNhu0ZJ8f2n0JogQLqJ8A3XFF0TSN3x1FR3tFbGUBtij7KMXN30BCcYo4aZIyUuCYpa9vkA78ASbSgoYj5Bqi9VRQfrm0LZ6Jlb9YwoyFFj7pcdNTGXqKf26KZzTwgU20AJ9lTIiFG7rLuJGUzSLJsBnwKEV/I6tLSDzCgyr1CLIz958DCrGeba93QjZMR/4uoM1t2MRfzt6ZwxYYiOyH1Kc/7DZG7ihKcIc3Fpr9N+jVLSotOD0NuDrckIO1ld7R8eCumF09wQ/P51cInBohPXse54=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 9fe3a656-f06c-4bb2-e5fd-08da3350e2a2
X-MS-Exchange-CrossTenant-AuthSource: BLAPR10MB5267.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 May 2022 13:19:32.1416
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 x1AHbRIBtpGzyK3WRCCJMYhnl6UboLD6EkFgUaMUNSetF1Tf+z+bNnEVhmVEeSz7K27SWMbpHHXon1pVD56aVg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR10MB5154
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.486,18.0.858
 definitions=2022-05-11_03:2022-05-11,2022-05-11 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999
 adultscore=0
 spamscore=0 phishscore=0 suspectscore=0 mlxscore=0 bulkscore=0
 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2202240000 definitions=main-2205110063
X-Proofpoint-ORIG-GUID: x9my6H9xfN6kkZvADu0YxQjrwQ6ZoKtC
X-Proofpoint-GUID: x9my6H9xfN6kkZvADu0YxQjrwQ6ZoKtC
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net
X-Patchwork-State: RFC

Series

bpf: allow unprivileged map access to some map types | expand

Message

Alan Maguire May 11, 2022, 1:19 p.m. UTC

Unprivileged BPF disabled (kernel.unprivileged_bpf_disabled >= 1)
is the default in most cases now; when set, the BPF system call is
blocked for users without CAP_BPF/CAP_SYS_ADMIN.  In some use cases
prior to having unpriviliged_bpf_disabled set to >= 1 however,
it made sense to split activities between capability-requiring
ones - such as program load+attach - and those that might not require
capabilities such as reading perf/ringbuf events, reading or
updating BPF map configuration etc.  One example of this sort of
approach is a service that loads a BPF program, and a user-space
program that, after it has been loaded, interacts with it via
pinned maps.

Such a split model is not possible with unprivileged BPF disabled,
since even those activities such as map interactions, retrieving
map information from pinned paths etc are blocked to
unprivileged users.  However, granting CAP_BPF to such unprivileged
users is quite a big hammer, allowing them to do pretty much
anything with BPF.

This very rough RFC explores the idea - with
CONFIG_BPF_UNPRIV_MAP_ACCESS=y - of allowing unprivileged processes
to retrieve and work with a restricted set of BPF maps.  See
patch 1 for the restrictions on BPF cmd and map type. Note that
permission checks on maps are still enforced, so it's still
possible to prevent unwanted interference by unprivileged users
by pinning a map and setting permissions to prevent access.
CONFIG_BPF_UNPRIV_MAP_ACCESS defaults to n, preserving current
behaviour of blocking all BPF syscall commands.

Discussion on the bpf mailing list already alluded to this idea [1],
though it's possible I misinterpreted it.

There are other ways to achieve this goal I suspect; for example
a BPF LSM program attached to security_bpf() could weed out the
disallowed commands, so setting unprivileged_bpf_disabled=0 + BPF
LSM could support a wider range of policies (not sure if we
could easily determine map types in that case though).
However, as a starting point I just wanted to see if others see
this as an issue, and if so how best to solve it in the general
case. Thanks!

[1] https://lore.kernel.org/bpf/CAADnVQLTBhCTAx1a_nev7CgMZxv1Bb7ecz1AFRin8tHmjPREJA@mail.gmail.com/

Alan Maguire (2):
  bpf: with CONFIG_BPF_UNPRIV_MAP_ACCESS=y, allow unprivileged access to
    BPF maps
  selftests/bpf: add tests verifying unpriv bpf map access

 kernel/bpf/Kconfig                            |  15 ++
 kernel/bpf/syscall.c                          |  57 ++++-
 tools/testing/selftests/bpf/config            |   1 +
 .../bpf/prog_tests/unpriv_map_access.c        | 194 ++++++++++++++++++
 .../bpf/progs/test_unpriv_map_access.c        |  81 ++++++++
 5 files changed, 347 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/unpriv_map_access.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_unpriv_map_access.c

Comments

Alexei Starovoitov May 11, 2022, 4:36 p.m. UTC | #1

On Wed, May 11, 2022 at 02:19:26PM +0100, Alan Maguire wrote:
> Unprivileged BPF disabled (kernel.unprivileged_bpf_disabled >= 1)
> is the default in most cases now; when set, the BPF system call is
> blocked for users without CAP_BPF/CAP_SYS_ADMIN.  In some use cases
> prior to having unpriviliged_bpf_disabled set to >= 1 however,
> it made sense to split activities between capability-requiring
> ones - such as program load+attach - and those that might not require
> capabilities such as reading perf/ringbuf events, reading or
> updating BPF map configuration etc.  One example of this sort of
> approach is a service that loads a BPF program, and a user-space
> program that, after it has been loaded, interacts with it via
> pinned maps.
> 
> Such a split model is not possible with unprivileged BPF disabled,
> since even those activities such as map interactions, retrieving
> map information from pinned paths etc are blocked to
> unprivileged users.  However, granting CAP_BPF to such unprivileged
> users is quite a big hammer, allowing them to do pretty much
> anything with BPF.
> 
> This very rough RFC explores the idea - with
> CONFIG_BPF_UNPRIV_MAP_ACCESS=y - of allowing unprivileged processes
> to retrieve and work with a restricted set of BPF maps.  See
> patch 1 for the restrictions on BPF cmd and map type. Note that
> permission checks on maps are still enforced, so it's still
> possible to prevent unwanted interference by unprivileged users
> by pinning a map and setting permissions to prevent access.
> CONFIG_BPF_UNPRIV_MAP_ACCESS defaults to n, preserving current
> behaviour of blocking all BPF syscall commands.
> 
> Discussion on the bpf mailing list already alluded to this idea [1],
> though it's possible I misinterpreted it.

Thanks for the follow up. We had a long discussion about this during lsfmmbpf.
In short a bunch of folks wants to address this problem.
Your summary of the problem is accurate.
The patch though is overly cautious in fixing the issue.
The bpf ACL model is the same as traditional file's ACL.
The creds and ACLs are checked at open().  Then during file's write/read
additional checks might be performed. BPF has such functionality already. 
Different map_creates have capability checks while map_lookup has:
map_get_sys_perms(map, f) & FMODE_CAN_READ.
In other words it's enough to gate FD-receiving parts of bpf
with unprivileged_bpf_disabled sysctl.
The rest is handled by availability of FD and access to files in bpffs.
Additional kconfig is unnecessary. Also no need to filter
different map types. Only array/hash/ringbuf are ok for unpriv
when that sysctl is off. The rest of maps have their own cap_bpf checks
at creation time which is enough.
The patch 1 should probably be something like:
  if (!capable &&
      (cmd == BPF_MAP_CREATE || cmd == BPF_PROG_LOAD))
    return -EPERM;
For all other commands the user has to have a valid map/btf/prog FD to proceed.
There are few special commands that don't need to be in the above 'if':
. BPF_[PROG|MAP|BTF]_GET_NEXT_ID have explicit cap_sys_admin check.
. BPF_OBJ_GET is using traditional file ACLs to access.
. BPF_BTF_LOAD has its own cap_bpf check.

Of course there could be bugs in any of unpriv code paths, but they were
enabled with sysctl off for long time. When/if new bugs are found they will be fixed.
The unprivileged_bpf_disabled's default was flipped only because of HW bugs.
In all HW spectre exploits BPF_PROG_LOAD was the mandatory command.
Just disabling that command is enough. The BPF_MAP_CREATE alone
cannot be used in spectre-like attack. But map_create without prog_load
is a useless combination for unrpiv. So having sysctl affecting them
both makes sense from symmetry pov. libbpf and other loaders typically
create a map first, so with sysctl off the unpriv users will see those eperms first.
I hope it's mostly accurate summary of the discussion.