[0/1] libbpf: Convert ELF notes into read-only maps

Message ID 20250205190918.2288389-1-bboscaccy@linux.microsoft.com (mailing list archive)

Blaise Boscaccy Feb. 5, 2025, 7:06 p.m. UTC
While attempting to implement a bpf-based gatekeeper program as was
described in
https://lore.kernel.org/all/20250109214617.485144-1-bboscaccy@linux.microsoft.com/T/#mb10f3112df1a66c725df9d6035c5a68c72a0eb8d
we noticed that relying on IMA and fs-verity signatures alone was
insufficient. A user with sufficient privileges could ptrace, ld
preload or poke at memory in some other way while using a signed
lskel, leaving the signature intact, allowing them to load whatever
they wished into the kernel, effectively circumventing the
gatekeeper. That may be considered insecure in some scenarios.

Here we propose a very simple method of allowing metadata to be stored
in skeletons or dynamic libbpf-based loaders, by simply treating note
sections as read-only maps that are visible to the gatekeeper
program. Gatekeeper programs can then iterate the fd_array and see if
there are any relevant maps that they wish to consult. No changes to
the kernel-proper are required for this, and this should help
facilitate the implementation and design of secure bpf-based
gatekeepers, while keeping with the overall philosophy of bpf and not
enforcing any obtrusive abstractions upon anyone.

Blaise Boscaccy (1):
  libbpf: Convert ELF notes into read-only maps

 tools/bpf/bpftool/gen.c | 4 ++--
 tools/lib/bpf/libbpf.c  | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
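
An added example, not code from this series or from libbpf: a bounds-checked lookup over ELF note records, the kind of parsing a consumer of note metadata has to do before trusting a descriptor. It assumes the consumer is handed the raw bytes of a note section in host byte order; `note_find`, `note_put` and the owner names used with them are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Note record header; same layout as Elf64_Nhdr in <elf.h>. */
struct nhdr { uint32_t namesz, descsz, type; };

static uint64_t pad4(uint32_t n) { return ((uint64_t)n + 3) & ~(uint64_t)3; }

/* Look up the note with this owner name and type in raw note-section bytes.
 * Returns the descriptor and sets *desc_len, or NULL if absent or malformed. */
const uint8_t *note_find(const uint8_t *sec, size_t len, const char *owner,
                         uint32_t type, size_t *desc_len)
{
    size_t off = 0, owner_sz = strlen(owner) + 1;   /* namesz counts the NUL */

    while (len - off >= sizeof(struct nhdr)) {
        struct nhdr h;
        memcpy(&h, sec + off, sizeof(h));           /* no unaligned loads */
        off += sizeof(h);
        /* namesz and descsz are untrusted: check both against what is left */
        if (pad4(h.namesz) > len - off || h.descsz > len - off - pad4(h.namesz))
            return NULL;
        const uint8_t *name = sec + off, *desc = name + pad4(h.namesz);
        if (h.type == type && h.namesz == owner_sz &&
            memcmp(name, owner, owner_sz) == 0) {
            *desc_len = h.descsz;
            return desc;
        }
        off += pad4(h.namesz);
        /* the last descriptor may lack trailing padding */
        off += pad4(h.descsz) > len - off ? len - off : pad4(h.descsz);
    }
    return NULL;
}

/* Append one note to buf (for constructed sample data); returns new length. */
size_t note_put(uint8_t *buf, size_t off, const char *owner, uint32_t type,
                const void *desc, uint32_t descsz)
{
    struct nhdr h = { (uint32_t)strlen(owner) + 1, descsz, type };
    memset(buf + off, 0, sizeof(h) + pad4(h.namesz) + pad4(descsz));
    memcpy(buf + off, &h, sizeof(h));
    memcpy(buf + off + sizeof(h), owner, h.namesz);
    memcpy(buf + off + sizeof(h) + pad4(h.namesz), desc, descsz);
    return off + sizeof(h) + pad4(h.namesz) + pad4(descsz);
}
```

A record whose `namesz` or `descsz` runs past the end of the section makes the lookup return NULL instead of a pointer outside the buffer.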