From patchwork Mon May 10 17:22:38 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248897 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9485AC433B4 for ; Mon, 10 May 2021 17:22:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7942061480 for ; Mon, 10 May 2021 17:22:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232755AbhEJRYA (ORCPT ); Mon, 10 May 2021 13:24:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46514 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232733AbhEJRYA (ORCPT ); Mon, 10 May 2021 13:24:00 -0400 Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 30458C061574; Mon, 10 May 2021 10:22:55 -0700 (PDT) Received: by mail-qt1-x82f.google.com with SMTP id f8so8334429qth.6; Mon, 10 May 2021 10:22:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=FxC8T+rJG0U6XdX85ee7SQmwf4kbHHeX6/rEu4K2jD0=; b=SxedVWZHDaPTpbUyYsCp/n/pHksJPKMM1g7XZ8JwTJ/mfLsfZmIBnS+Se8lBRR0UMF 1mfH+Kw/ZpjgQSlE+m3yZe2k+dySKsP3I3N8uiibnWf4yy5qq3t89J3mXKn1WDAzvJuJ MdDOYPs+1KnmaQOoW6zy3Hrh6YfbPvvGJiaee2MmesFrQ5wHCjIrMNW5N8exqXBARQ+3 vY8Xb15EQ62KR4RJnLvV5GioHdAPkgDRr9EQIfXup1L+CxNsp/ir/ogWNIzQ0QYPuzmV yr728pJfDvWNO5g5RWoWi8zaXQQvyJUjTfTr8hLjc3yz9v+eMvA0pPMsMnq8eXnJXd7H dfSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=FxC8T+rJG0U6XdX85ee7SQmwf4kbHHeX6/rEu4K2jD0=; b=IKI3ecU4GnIpdTm4JqtXDGiodmJjH3UjRYOh5ygDqdCptjPiYa9eGfdf0KkGH79bvS o5MIjllKBVbdKhKlzUdxe3fiegy+M91HwnzbA9t6JmJF5PG7y/RuOFAvODpJ1nxhksRn mw4oPIpUepFvJuOS32k8mfrOSzLCZR3orkfgQfKE9CkkQJe6Nems6SC2tlx4OALw4ZcW TKiXD5YOI0zZ8C+2eF7Zoss2cYwAt5I9/BBP71a86dJ5PeBIzv985XRTmfmoybCvRPaT avNna+LUklraTaifND7s4/VkcRa0N8guD2LopvIoieeKvlppZryUSzFUe2VWjlyjWdRZ BuAg== X-Gm-Message-State: AOAM531F5O5PZ4D+TVGtftkXmoKSseyyUFlOXmkKWKSPe/42xMfcp9BG DsxMkL72HAA85fXADRG7MW2pkoVM2PeEZZaI X-Google-Smtp-Source: ABdhPJyok2Q0sLHaOx49Q1pv4EBKBzf1u1Y3McLpEUlNJFFkoyj7UAfmO/oIHBDkgCh+Bxo4XMoQCw== X-Received: by 2002:a05:622a:130a:: with SMTP id v10mr10280864qtk.113.1620667374449; Mon, 10 May 2021 10:22:54 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.22.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:22:54 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 01/12] seccomp: Move no_new_privs check to after prepare_filter Date: Mon, 10 May 2021 12:22:38 -0500 Message-Id: <19c5ca314e69c7c3668370bcd624a2a475162cb2.1620499942.git.yifeifz2@illinois.edu> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: YiFei Zhu This is to make way for eBPF, so that this part of the code can be shared by both cBPF and eBPF code paths. Doing the privilege check after prepare_filter means that any filter issues the caller would get -EINVAL, even when it does not set no_new_privs or CAP_SYS_ADMIN. Signed-off-by: YiFei Zhu --- kernel/seccomp.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 1e63db4dbd9a..6e5ac0d686a1 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -642,16 +642,6 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) BUG_ON(INT_MAX / fprog->len < sizeof(struct sock_filter)); - /* - * Installing a seccomp filter requires that the task has - * CAP_SYS_ADMIN in its namespace or be running with no_new_privs. - * This avoids scenarios where unprivileged tasks can affect the - * behavior of privileged children. - */ - if (!task_no_new_privs(current) && - !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) - return ERR_PTR(-EACCES); - /* Allocate a new seccomp_filter */ sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN); if (!sfilter) @@ -1805,6 +1795,22 @@ static long seccomp_set_mode_filter(unsigned int flags, if (IS_ERR(prepared)) return PTR_ERR(prepared); + /* + * Installing a seccomp filter requires that the task has + * CAP_SYS_ADMIN in its namespace or be running with no_new_privs. + * This avoids scenarios where unprivileged tasks can affect the + * behavior of privileged children. + * + * This is checked after filter preparation because the user + * will get an EINVAL if their filter is invalid prior to the + * EACCES. + */ + if (!task_no_new_privs(current) && + !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) { + ret = -EACCES; + goto out_free; + } + if (flags & SECCOMP_FILTER_FLAG_NEW_LISTENER) { listener = get_unused_fd_flags(O_CLOEXEC); if (listener < 0) { From patchwork Mon May 10 17:22:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248899 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_RED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1012C433B4 for ; Mon, 10 May 2021 17:23:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9225E61480 for ; Mon, 10 May 2021 17:23:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232764AbhEJRYE (ORCPT ); Mon, 10 May 2021 13:24:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46516 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232733AbhEJRYB (ORCPT ); Mon, 10 May 2021 13:24:01 -0400 Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C45EC061574; Mon, 10 May 2021 10:22:56 -0700 (PDT) Received: by mail-qt1-x829.google.com with SMTP id n22so12481464qtk.9; Mon, 10 May 2021 10:22:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=S3H1MKatlWs/RWUFpqfMQpbLnuBmCuiGE/4Hzpw7XHo=; b=LSvm4JmenlTgTqXPivcVDQxRFrWcVsDIBT5fITjJ5v2H4oPLAbuD1f9KghUbKjMPYO lS+8au7eN3yGeR62565CG4dnYF36JPcywd7fexpNiUlTrnUO554KGZaGlQLhtQVprS4H dhf3sq5ftMnur2FZtj3XEiTZ3GlaqeWtj37AwxOZPNo0KL7BCdkcbuwETG6LocKwNnix vysKVZwaEIcUXnuaO5YDZNt2MOlmwKkBWH0X1/0heO7jdsHu/Hgjybra4CWWiFFPB/zf C0Tj7pBa6WO4YUJ9g01KJt4s4rfnDQuY1rdIGezbZV0iEPufUeYq+1tIFC/uEwRMxRe8 38xw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=S3H1MKatlWs/RWUFpqfMQpbLnuBmCuiGE/4Hzpw7XHo=; b=pU2cVOig4e/644MW/E1DRrp9wy5r8Guh0SPyYQO+qSZxa/3VvVcl8vOFFBDklOEK41 VbSCUdn+kT9LhIrNl6BoGCI1HZCCAPAMQlIrHN+G3UKST62vRlWW7SRIkOPnd+4cAoxj J7dh63VbB5ESHxfQqv40aPrjyU2ydWVY+i7Gzmrl3xyEfWLM72NsBvflRDdS+HSK3KPq ziQaa7UwGCBO3xoBHSftoEWFQNfUAicA9QNJwkGKE1MMEVgmTFrK3te83ldjS8PyeeT9 eGTTEB7heiWUyUA+Bu6pIo6DbXGvtZBkz9mr+0wiLqDhbUqtWPnkhYq051LJz1KZ4IkC 88MA== X-Gm-Message-State: AOAM531w5wEDQmlMdFdphgoMHMhLaNZ/3BL+BohCgp17AZZI3IFlIZRc wnn+af5B8utsOj8SM2quHMGVxBc0F3nFPf1Q X-Google-Smtp-Source: ABdhPJycRWcjUpuZ52KTXSXhdNZY6mWVEQgFvlDgy0LEsr2K9B4p7cnaCspU40G/sQgjpjmbnTxiKA== X-Received: by 2002:ac8:118d:: with SMTP id d13mr22835807qtj.294.1620667375667; Mon, 10 May 2021 10:22:55 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.22.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:22:55 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 02/12] bpf, seccomp: Add eBPF filter capabilities Date: Mon, 10 May 2021 12:22:39 -0500 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: Sargun Dhillon This introduces the BPF_PROG_TYPE_SECCOMP bpf program type. It is meant to be used for seccomp filters as an alternative to cBPF filters. The program type has relatively limited capabilities in terms of helpers, but that can be extended later on. The eBPF code loading is separated from attachment of the filter, so a privileged user can load the filter, and pass it back to an unprivileged user who can attach it and use it at a later time. In order to attach the filter itself, you need to supply a flag to the seccomp syscall indicating that a eBPF filter is being attached, as opposed to a cBPF one. Verification occurs at program load time, so the user should only receive errors related to attachment. The behavior of eBPF filters with bitmap cache is that they will totally negate the bitmap acceleration. Static analysis of eBPF to create a bitmap could be a potential future work. [YiFei Zhu] All standard BPF helper calls are supported. If the loader has CAP_BPF and CAP_PERFMON, all tracing BPF helper calls are also supported. The reason for this is that, this adds no new attack vectors I (YiFei) can tell. Standard helpers are already accessible via BPF_PROG_TYPE_SOCKET_FILTER from an unprivileged loader. Any policies that can be set through seccomp-eBPF can already be set via seccomp user notifier, if the user uses this feature to implement a policy. If a user okay with such advanced features, they may implement an LSM policy to restrict this. This LSM hook is added in a later patch. [YiFei Zhu] rcu_read_lock is also held because maps like BPF_MAP_TYPE_LRU_HASH requires them. For simplicity, this also affects cBPF filters. [YiFei Zhu] Signed-off-by: Sargun Dhillon Link: https://lists.linux-foundation.org/pipermail/containers/2018-February/038572.html Co-developed-by: Jinghao Jia Signed-off-by: Jinghao Jia Co-developed-by: YiFei Zhu Signed-off-by: YiFei Zhu --- arch/Kconfig | 7 ++ include/linux/bpf_types.h | 4 + include/linux/seccomp.h | 3 +- include/uapi/linux/bpf.h | 1 + include/uapi/linux/seccomp.h | 1 + kernel/bpf/syscall.c | 1 + kernel/seccomp.c | 151 +++++++++++++++++++++++++++++---- tools/include/uapi/linux/bpf.h | 1 + 8 files changed, 153 insertions(+), 16 deletions(-) diff --git a/arch/Kconfig b/arch/Kconfig index 5bc98d28a6e0..d1180fedcfea 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -519,6 +519,13 @@ config SECCOMP_CACHE_DEBUG If unsure, say N. +config SECCOMP_FILTER_EXTENDED + bool "Extended BPF seccomp filters" + depends on SECCOMP_FILTER && BPF_SYSCALL + help + Enables seccomp filters to be written in eBPF, as opposed + to just cBPF filters. + config HAVE_ARCH_STACKLEAK bool help diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h index f883f01a5061..92d2126c72a6 100644 --- a/include/linux/bpf_types.h +++ b/include/linux/bpf_types.h @@ -78,6 +78,10 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_LSM, lsm, #endif /* CONFIG_BPF_LSM */ #endif +#ifdef CONFIG_SECCOMP_FILTER_EXTENDED +BPF_PROG_TYPE(BPF_PROG_TYPE_SECCOMP, seccomp, void *, void *) +#endif + BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY, array_map_ops) BPF_MAP_TYPE(BPF_MAP_TYPE_PERCPU_ARRAY, percpu_array_map_ops) BPF_MAP_TYPE(BPF_MAP_TYPE_PROG_ARRAY, prog_array_map_ops) diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 0c564e5d40ff..c0750dc05de5 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -8,7 +8,8 @@ SECCOMP_FILTER_FLAG_LOG | \ SECCOMP_FILTER_FLAG_SPEC_ALLOW | \ SECCOMP_FILTER_FLAG_NEW_LISTENER | \ - SECCOMP_FILTER_FLAG_TSYNC_ESRCH) + SECCOMP_FILTER_FLAG_TSYNC_ESRCH | \ + SECCOMP_FILTER_FLAG_EXTENDED) /* sizeof() the first published struct seccomp_notif_addfd */ #define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24 diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index ec6d85a81744..b78d5c9fbb4b 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -937,6 +937,7 @@ enum bpf_prog_type { BPF_PROG_TYPE_EXT, BPF_PROG_TYPE_LSM, BPF_PROG_TYPE_SK_LOOKUP, + BPF_PROG_TYPE_SECCOMP, }; enum bpf_attach_type { diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index 6ba18b82a02e..5f98cc44df56 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -23,6 +23,7 @@ #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) #define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3) #define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4) +#define SECCOMP_FILTER_FLAG_EXTENDED (1UL << 5) /* * All BPF programs must return a 32-bit value. diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 941ca06d9dfa..f3007e7329aa 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -2113,6 +2113,7 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr) return -E2BIG; if (type != BPF_PROG_TYPE_SOCKET_FILTER && type != BPF_PROG_TYPE_CGROUP_SKB && + type != BPF_PROG_TYPE_SECCOMP && !bpf_capable()) return -EPERM; diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 6e5ac0d686a1..1ef26a5bf93f 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -43,6 +43,7 @@ #include #include #include +#include /* * When SECCOMP_IOCTL_NOTIF_ID_VALID was first introduced, it had the @@ -408,7 +409,11 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd, * value always takes priority (ignoring the DATA). */ for (; f; f = f->prev) { - u32 cur_ret = bpf_prog_run_pin_on_cpu(f->prog, sd); + u32 cur_ret; + + rcu_read_lock(); + cur_ret = bpf_prog_run_pin_on_cpu(f->prog, sd); + rcu_read_unlock(); if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) { ret = cur_ret; @@ -508,7 +513,10 @@ static inline pid_t seccomp_can_sync_threads(void) static inline void seccomp_filter_free(struct seccomp_filter *filter) { if (filter) { - bpf_prog_destroy(filter->prog); + if (bpf_prog_was_classic(filter->prog)) + bpf_prog_destroy(filter->prog); + else + bpf_prog_put(filter->prog); kfree(filter); } } @@ -690,6 +698,52 @@ seccomp_prepare_user_filter(const char __user *user_filter) return filter; } +#ifdef CONFIG_SECCOMP_FILTER_EXTENDED +/** + * seccomp_prepare_extended_filter - prepares a user-supplied eBPF fd + * @user_filter: pointer to the user data containing an fd. + * + * Returns 0 on success and non-zero otherwise. + */ +static struct seccomp_filter * +seccomp_prepare_extended_filter(const int __user *user_fd) +{ + struct seccomp_filter *sfilter; + struct bpf_prog *fp; + int fd; + + /* Fetch the fd from userspace */ + if (get_user(fd, user_fd)) + return ERR_PTR(-EFAULT); + + /* Allocate a new seccomp_filter */ + sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN); + if (!sfilter) + return ERR_PTR(-ENOMEM); + + mutex_init(&sfilter->notify_lock); + fp = bpf_prog_get_type(fd, BPF_PROG_TYPE_SECCOMP); + + if (IS_ERR(fp)) { + kfree(sfilter); + return ERR_CAST(fp); + } + + sfilter->prog = fp; + refcount_set(&sfilter->refs, 1); + refcount_set(&sfilter->users, 1); + init_waitqueue_head(&sfilter->wqh); + + return sfilter; +} +#else +static struct seccomp_filter * +seccomp_prepare_extended_filter(const int __user *filter_fd) +{ + return ERR_PTR(-EINVAL); +} +#endif + #ifdef SECCOMP_ARCH_NATIVE /** * seccomp_is_const_allow - check if filter is constant allow with given data @@ -778,7 +832,10 @@ static void seccomp_cache_prepare_bitmap(struct seccomp_filter *sfilter, struct seccomp_data sd; int nr; - if (bitmap_prev) { + if (!bpf_prog_was_classic(sfilter->prog)) { + /* eBPF program, no caching. */ + bitmap_zero(bitmap, bitmap_size); + } else if (bitmap_prev) { /* The new filter must be as restrictive as the last. */ bitmap_copy(bitmap, bitmap_prev, bitmap_size); } else { @@ -1766,9 +1823,10 @@ static bool has_duplicate_listener(struct seccomp_filter *new_child) * Returns 0 on success or -EINVAL on failure. */ static long seccomp_set_mode_filter(unsigned int flags, - const char __user *filter) + const void __user *filter) { - const unsigned long seccomp_mode = SECCOMP_MODE_FILTER; + /* We use SECCOMP_MODE_FILTER for both eBPF and cBPF filters */ + const unsigned long filter_mode = SECCOMP_MODE_FILTER; struct seccomp_filter *prepared = NULL; long ret = -EINVAL; int listener = -1; @@ -1791,7 +1849,11 @@ static long seccomp_set_mode_filter(unsigned int flags, return -EINVAL; /* Prepare the new filter before holding any locks. */ - prepared = seccomp_prepare_user_filter(filter); + if (flags & SECCOMP_FILTER_FLAG_EXTENDED) + prepared = seccomp_prepare_extended_filter(filter); + else + prepared = seccomp_prepare_user_filter(filter); + if (IS_ERR(prepared)) return PTR_ERR(prepared); @@ -1836,7 +1898,7 @@ static long seccomp_set_mode_filter(unsigned int flags, spin_lock_irq(¤t->sighand->siglock); - if (!seccomp_may_assign_mode(seccomp_mode)) + if (!seccomp_may_assign_mode(filter_mode)) goto out; if (has_duplicate_listener(prepared)) { @@ -1850,7 +1912,7 @@ static long seccomp_set_mode_filter(unsigned int flags, /* Do not free the successfully attached filter. */ prepared = NULL; - seccomp_assign_mode(current, seccomp_mode, flags); + seccomp_assign_mode(current, filter_mode, flags); out: spin_unlock_irq(¤t->sighand->siglock); if (flags & SECCOMP_FILTER_FLAG_TSYNC) @@ -2046,15 +2108,17 @@ long seccomp_get_filter(struct task_struct *task, unsigned long filter_off, if (IS_ERR(filter)) return PTR_ERR(filter); + /* This must be a new non-cBPF filter, since we save + * every cBPF filter's orig_prog above when + * CONFIG_CHECKPOINT_RESTORE is enabled. + */ + ret = -EMEDIUMTYPE; + fprog = filter->prog->orig_prog; - if (!fprog) { - /* This must be a new non-cBPF filter, since we save - * every cBPF filter's orig_prog above when - * CONFIG_CHECKPOINT_RESTORE is enabled. - */ - ret = -EMEDIUMTYPE; + if (!fprog) + goto out; + if (!bpf_prog_was_classic(filter->prog)) goto out; - } ret = fprog->len; if (!data) @@ -2307,6 +2371,63 @@ static int seccomp_actions_logged_handler(struct ctl_table *ro_table, int write, return ret; } +#ifdef CONFIG_SECCOMP_FILTER_EXTENDED +static bool seccomp_is_valid_access(int off, int size, + enum bpf_access_type type, + const struct bpf_prog *prog, + struct bpf_insn_access_aux *info) +{ + if (type != BPF_READ) + return false; + + if (off < 0 || off + size > sizeof(struct seccomp_data)) + return false; + + if (off % size != 0) + return false; + + switch (off) { + case bpf_ctx_range_till(struct seccomp_data, args[0], args[5]): + return (size == sizeof(__u64)); + case bpf_ctx_range(struct seccomp_data, nr): + return (size == sizeof_field(struct seccomp_data, nr)); + case bpf_ctx_range(struct seccomp_data, arch): + return (size == sizeof_field(struct seccomp_data, arch)); + case bpf_ctx_range(struct seccomp_data, instruction_pointer): + return (size == sizeof_field(struct seccomp_data, + instruction_pointer)); + default: + return false; + } +} + +static const struct bpf_func_proto * +seccomp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) +{ + switch (func_id) { + case BPF_FUNC_get_current_uid_gid: + return &bpf_get_current_uid_gid_proto; + case BPF_FUNC_get_current_pid_tgid: + return &bpf_get_current_pid_tgid_proto; + default: + break; + } + + if (bpf_capable() && perfmon_capable()) + return bpf_tracing_func_proto(func_id, prog); + else + return bpf_base_func_proto(func_id); +} + +const struct bpf_prog_ops seccomp_prog_ops = { +}; + +const struct bpf_verifier_ops seccomp_verifier_ops = { + .get_func_proto = seccomp_func_proto, + .is_valid_access = seccomp_is_valid_access, +}; +#endif /* CONFIG_SECCOMP_FILTER_EXTENDED */ + static struct ctl_path seccomp_sysctl_path[] = { { .procname = "kernel", }, { .procname = "seccomp", }, diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index ec6d85a81744..b78d5c9fbb4b 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -937,6 +937,7 @@ enum bpf_prog_type { BPF_PROG_TYPE_EXT, BPF_PROG_TYPE_LSM, BPF_PROG_TYPE_SK_LOOKUP, + BPF_PROG_TYPE_SECCOMP, }; enum bpf_attach_type { From patchwork Mon May 10 17:22:40 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248901 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_RED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0263C433B4 for ; Mon, 10 May 2021 17:23:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B7EBA6147F for ; Mon, 10 May 2021 17:23:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232801AbhEJRYJ (ORCPT ); Mon, 10 May 2021 13:24:09 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46540 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232762AbhEJRYD (ORCPT ); Mon, 10 May 2021 13:24:03 -0400 Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C29A5C0613ED; Mon, 10 May 2021 10:22:57 -0700 (PDT) Received: by mail-qt1-x82d.google.com with SMTP id c10so2683687qtx.10; Mon, 10 May 2021 10:22:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Nm+KuM9ff9d7ka8+7ZtDl8pCOVV7hGgjqFXWjHyaY58=; b=fsjib6JFKB1SyB4TqRkLe0oWxCn6a1aMnr343ATb8KbJa7WNWCrgCvWk1DqdmUShU8 Pv+g+pQxTacxI3WgWyPQv1i2tcRvXE3tWDfxy5HSjnYmZ0y5123dlnOJajG4VXOX8LCm PkN3Fqn/x8pg1XHiARTjzmQiHC/tpRSU/6FD5fei9iutaoGdsZDfv4u/vwnIfSYqU4RB 8NnTOo52srAdZIPVCxkAddbaikyphzE4t5/DqDz2ofo1KgbPtGdDb6E2mHDFmaEwmiLF 1KFSRo8kBRB3sJOpmaqVnk917oZDw0zYIdOHhLZrQEbLe4NvSCJE4OVdXMJEhL/ZFQj7 HRlw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Nm+KuM9ff9d7ka8+7ZtDl8pCOVV7hGgjqFXWjHyaY58=; b=NmWwjwc8yXlXCborf3JMO/02ZHo7FSoSt39Kqk2RwdUiflwoj/9W0woI31Mzdry9My yWYiUbiAOMIpH3gZdFyyNBkc25QuU/Ptz/p1aujLzlOEeL92gSXtBAxFrPE+4OcBbaJj 35PCn2VfewA5JV3gfEeXdRBO0dyu5I7H0pjG/YaJwvNeDg/fBULYHjyU9g0a6YNVvNaF GaIgjVhHqO0C7/uMjSd3E35N3znH2AlwsuqkWBHaklpfGqTujpLeFd+sxy8rNZmA78UF XjL4CSahJKzdMOAZFPQDzEiADOFZGT8I1T58G7CjfD6b69KFmTxWAdwhRtxll79CmfjO Chwg== X-Gm-Message-State: AOAM530r56kuxpUerHMlE0PdDp0JDrxhfKPXl4DnUeMCKtbSG4hhRdzx g0oe857jeK32WIk0TXRE3nc= X-Google-Smtp-Source: ABdhPJyrRbwmlmB0HmoAXEyUfIQvt7D/1NgpybbDMUmlcNeiDapwTWCT1jz6kOsYOgAoqNEcZWiGSQ== X-Received: by 2002:ac8:5806:: with SMTP id g6mr24084856qtg.152.1620667377051; Mon, 10 May 2021 10:22:57 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.22.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:22:56 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 03/12] seccomp, ptrace: Add a mechanism to retrieve attached eBPF seccomp filters Date: Mon, 10 May 2021 12:22:40 -0500 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: Sargun Dhillon This extends the ptrace API to allow fetching eBPF seccomp filters attached to programs. This is to enable checkpoint / restore cases. The user will have to use the traditional PTRACE_SECCOMP_GET_FILTER API call, and if they get an invalid medium type error they can switch over to the eBPF variant of the API -- PTRACE_SECCOMP_GET_FILTER_EXTENDED. Signed-off-by: Sargun Dhillon Link: https://lists.linux-foundation.org/pipermail/containers/2018-February/038478.html [YiFei: increase ptrace number to 0x4210] Signed-off-by: YiFei Zhu --- include/linux/seccomp.h | 12 ++++++++++++ include/uapi/linux/ptrace.h | 2 ++ kernel/ptrace.c | 4 ++++ kernel/seccomp.c | 37 +++++++++++++++++++++++++++++++++++++ 4 files changed, 55 insertions(+) diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index c0750dc05de5..7ce9e3b3fa80 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -122,6 +122,18 @@ static inline long seccomp_get_metadata(struct task_struct *task, return -EINVAL; } #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */ +#if defined(CONFIG_SECCOMP_FILTER_EXTENDED) && defined(CONFIG_CHECKPOINT_RESTORE) +extern long seccomp_get_filter_extended(struct task_struct *task, + unsigned long n, + void __user *data); +#else +static inline long seccomp_get_filter_extended(struct task_struct *task, + unsigned long n, + void __user *data) +{ + return -EINVAL; +} +#endif /* CONFIG_SECCOMP_FILTER_EXTENDED && CONFIG_CHECKPOINT_RESTORE */ #ifdef CONFIG_SECCOMP_CACHE_DEBUG struct seq_file; diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h index 3747bf816f9a..725a03614c28 100644 --- a/include/uapi/linux/ptrace.h +++ b/include/uapi/linux/ptrace.h @@ -112,6 +112,8 @@ struct ptrace_rseq_configuration { __u32 pad; }; +#define PTRACE_SECCOMP_GET_FILTER_EXTENDED 0x4210 + /* * These values are stored in task->ptrace_message * by tracehook_report_syscall_* to describe the current syscall-stop. diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 76f09456ec4b..1e8d2155231f 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -1247,6 +1247,10 @@ int ptrace_request(struct task_struct *child, long request, break; #endif + case PTRACE_SECCOMP_GET_FILTER_EXTENDED: + ret = seccomp_get_filter_extended(child, addr, datavp); + break; + default: break; } diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 1ef26a5bf93f..8550ae885245 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -2168,6 +2168,43 @@ long seccomp_get_metadata(struct task_struct *task, } #endif +#if defined(CONFIG_SECCOMP_FILTER_EXTENDED) && defined(CONFIG_CHECKPOINT_RESTORE) +long seccomp_get_filter_extended(struct task_struct *task, + unsigned long filter_off, + void __user *data) +{ + struct seccomp_filter *filter; + struct bpf_prog *prog; + long ret; + + if (!capable(CAP_SYS_ADMIN) || + current->seccomp.mode != SECCOMP_MODE_DISABLED) { + return -EACCES; + } + + filter = get_nth_filter(task, filter_off); + if (IS_ERR(filter)) + return PTR_ERR(filter); + + if (bpf_prog_was_classic(filter->prog)) { + ret = -EMEDIUMTYPE; + goto out; + } + prog = bpf_prog_inc_not_zero(filter->prog); + if (IS_ERR(prog)) { + ret = PTR_ERR(prog); + goto out; + } + + ret = bpf_prog_new_fd(filter->prog); + if (ret < 0) + bpf_prog_put(prog); +out: + __put_seccomp_filter(filter); + return ret; +} +#endif + #ifdef CONFIG_SYSCTL /* Human readable action names for friendly sysctl interaction */ From patchwork Mon May 10 17:22:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248903 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3855BC433ED for ; Mon, 10 May 2021 17:23:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 153F061481 for ; Mon, 10 May 2021 17:23:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232778AbhEJRYK (ORCPT ); Mon, 10 May 2021 13:24:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46542 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232733AbhEJRYE (ORCPT ); Mon, 10 May 2021 13:24:04 -0400 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1012DC06138A; Mon, 10 May 2021 10:22:59 -0700 (PDT) Received: by mail-qt1-x82a.google.com with SMTP id t7so12526255qtn.3; Mon, 10 May 2021 10:22:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=rahaQaLyFPP9GGvK15BOl5iZ4PSYmD/vlR06dUAD7e0=; b=RJePQanVHTvnYJXjtq/LxIaIBOPhJjnoxA29/o8xMmHwkNv7CtioYcn32Jnr3SwqWQ almESooTi22DGCQjJhrwJtY+mrcCKsxmpiB0l4BKhdIscp06rl+ZJvphWiOYy07hRQBp +ET28ugKg6/csqDQ9YcfzO8JQYI3Z3AuIn8yxn8L5/HezfUh7pf/QDa/t6dC0uob7xAG EXIg+EXqE/ijLiYxCt4djfIa9vOAKQy0xK4dzteIwuNKEU1vmnxy9Gyzit3IxvXfeWJy cIQ+yt1Cp3SLgLxTpZdrKQNlDvAz6m3Y0UEkkeDGQ7pOZTX6Yi5qt48S2kirpaNRU30m gRsg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=rahaQaLyFPP9GGvK15BOl5iZ4PSYmD/vlR06dUAD7e0=; b=So3wzkKlQXBB1FVecaHqSwPys2AZ2cQ/CZh5IQgk3HnKfMxG80ji/qN6NbrXfToMoY 331Hi34gmQztattKBB0wdyITXvEvlbvXE5xRspeRzu+j0Oboa0g/pSd/J/zfot7Xp2nv rplvsH7t+bgZpTA6LmnBq3+JxmT7+EEATFVoGpfP3uuLC5twX32ttGBNxm19p6SsJil+ jDHuOVzInF5W6OC0YXqLOlIjq7P94UByEZIeXSuMZu1Y0Rk5fBZAKA2qRGBL67XBl/o6 EFKtIh8R1xD2HT5g6xSivBJbYciygjXlHU0Cs1zxYyyakmjxZoweWPQeLg4Sz84ebPHC ciGA== X-Gm-Message-State: AOAM532GyygZPgWqOU2Q6oOnouvXbIHMdZV301ktmnlHOUvzC8qFIcg8 My2WkE7eD5eJdQS5YTknXQWgaLusdWhQyF3f X-Google-Smtp-Source: ABdhPJz7dTCeaErW7vArw1fyKmZO4UJ0S1Q0/i4pR56D4pC8rE886IfEcheNNTd/YWEMMzCCas1NRg== X-Received: by 2002:ac8:7f83:: with SMTP id z3mr14353597qtj.239.1620667378335; Mon, 10 May 2021 10:22:58 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.22.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:22:58 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 04/12] libbpf: recognize section "seccomp" Date: Mon, 10 May 2021 12:22:41 -0500 Message-Id: <78401c1929394e999f154bcecd5aa00d2178d1c5.1620499942.git.yifeifz2@illinois.edu> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: YiFei Zhu The section is set to program type BPF_PROG_TYPE_SECCOMP with no attach type. Signed-off-by: YiFei Zhu --- tools/lib/bpf/libbpf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c index e2a3cf437814..42ce79b47378 100644 --- a/tools/lib/bpf/libbpf.c +++ b/tools/lib/bpf/libbpf.c @@ -8958,6 +8958,7 @@ static const struct bpf_sec_def section_defs[] = { BPF_PROG_SEC("struct_ops", BPF_PROG_TYPE_STRUCT_OPS), BPF_EAPROG_SEC("sk_lookup/", BPF_PROG_TYPE_SK_LOOKUP, BPF_SK_LOOKUP), + BPF_PROG_SEC("seccomp", BPF_PROG_TYPE_SECCOMP), }; #undef BPF_PROG_SEC_IMPL From patchwork Mon May 10 17:22:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248907 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_RED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE677C43461 for ; Mon, 10 May 2021 17:23:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8C11761480 for ; Mon, 10 May 2021 17:23:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232530AbhEJRYR (ORCPT ); Mon, 10 May 2021 13:24:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46544 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232786AbhEJRYG (ORCPT ); Mon, 10 May 2021 13:24:06 -0400 Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 61C52C061574; Mon, 10 May 2021 10:23:00 -0700 (PDT) Received: by mail-qt1-x832.google.com with SMTP id 1so12529782qtb.0; Mon, 10 May 2021 10:23:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=YZ7jgh8n9Ewl7aTtjcfWvHPosfSycLeUWDUFaOitHlw=; b=gW8vw40vlqTZ2jCM73vqolZZWkLgjI6c84c2tdzyF63+bw928QLCYtR1cCbArh3pRd 7ovyWIfbukHuJpC8I7uocQczXzzhiM37478tup8wGcHa9YA6ProL07kpILxau+hPNc2Z XDp/teyLZrcVl4lsg+9NSwJqpwBAUX0gLRB6kbiNAO863Ay4jolZ1LpvwD876Jp4HEOD 31q0MFGgavZgCRlU9YO2QgQTRKL6A0uRlzJ5H/pklh1oGZrW6huBhC5bux0ofYfwvL30 Bgw/sm8wtwEFGGwfu06ZqEyz5XOu4GOGvDUi5Tt/UKSV84Ip3fEBKpELlDAhLuiORzgr 3A7w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=YZ7jgh8n9Ewl7aTtjcfWvHPosfSycLeUWDUFaOitHlw=; b=XhQzDKk8726Nh2RgoQPfLwPKxl4SPlO1Hil7wABIDy2Rq634bGXBDVe77bi7Cda6Ge ZU8ywIWn2rmUNPghSwBuD+zycf0h6rJbszoJeod8U/vbGJ8CEIqhXwkFa4uLFmuOWTZP koI9AMbo6tetqG97ev/M7C8VY84z3/Mx+2CGdE7VkUUb3uHoKBu1qxy+r2NNRJ/zu1by IjhAWQJamDkE6LIMl25z/PGLsy+2AdxOKLylPTmRoe1i2QEq2g7G/TBF+9WTfaWFEeQX WxdJtB/TK5Pp27k4XFwHKsuZbDLVAuzphDYrxMsU2ZCvltXU7U4YmXvS8fNfZD3ln4rs EOjw== X-Gm-Message-State: AOAM530WRflZvQ/vBtY5a+1+2CrpHeUv4IXwmOXwiIoMlt2WmolIA2ig Y2IL+eraMNkoukv9oDGMzCLA63NK8QjOwfxh X-Google-Smtp-Source: ABdhPJym19kE/RMpadgsTPFOwNJudsn2Uv/1tnLrQ9Li4RWoca5YsWzywFdeZDE6mOLLRD3fnk6emA== X-Received: by 2002:a05:622a:10e:: with SMTP id u14mr23252254qtw.229.1620667379628; Mon, 10 May 2021 10:22:59 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.22.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:22:59 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 05/12] samples/bpf: Add eBPF seccomp sample programs Date: Mon, 10 May 2021 12:22:42 -0500 Message-Id: <5f7c10074e10f994f3984a564531d5d9285d53eb.1620499942.git.yifeifz2@illinois.edu> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: Sargun Dhillon This adds a sample program that uses seccomp-eBPF, called test_seccomp. It shows the simple ability to code seccomp filters in C. Signed-off-by: Sargun Dhillon Link: https://lists.linux-foundation.org/pipermail/containers/2018-February/038573.html Co-developed-by: Jinghao Jia Signed-off-by: Jinghao Jia [YiFei: change from bpf_load to libbpf] Co-developed-by: YiFei Zhu Signed-off-by: YiFei Zhu --- samples/bpf/Makefile | 3 ++ samples/bpf/test_seccomp_kern.c | 41 +++++++++++++++++++++++++++ samples/bpf/test_seccomp_user.c | 49 +++++++++++++++++++++++++++++++++ 3 files changed, 93 insertions(+) create mode 100644 samples/bpf/test_seccomp_kern.c create mode 100644 samples/bpf/test_seccomp_user.c diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile index 45ceca4e2c70..d49e7f91eba6 100644 --- a/samples/bpf/Makefile +++ b/samples/bpf/Makefile @@ -55,6 +55,7 @@ tprogs-y += task_fd_query tprogs-y += xdp_sample_pkts tprogs-y += ibumad tprogs-y += hbm +tprogs-y += test_seccomp # Libbpf dependencies LIBBPF = $(TOOLS_PATH)/lib/bpf/libbpf.a @@ -113,6 +114,7 @@ task_fd_query-objs := task_fd_query_user.o $(TRACE_HELPERS) xdp_sample_pkts-objs := xdp_sample_pkts_user.o ibumad-objs := ibumad_user.o hbm-objs := hbm.o $(CGROUP_HELPERS) +test_seccomp-objs := test_seccomp_user.o # Tell kbuild to always build the programs always-y := $(tprogs-y) @@ -174,6 +176,7 @@ always-y += ibumad_kern.o always-y += hbm_out_kern.o always-y += hbm_edt_kern.o always-y += xdpsock_kern.o +always-y += test_seccomp_kern.o ifeq ($(ARCH), arm) # Strip all except -D__LINUX_ARM_ARCH__ option needed to handle linux diff --git a/samples/bpf/test_seccomp_kern.c b/samples/bpf/test_seccomp_kern.c new file mode 100644 index 000000000000..efd42f47d9c4 --- /dev/null +++ b/samples/bpf/test_seccomp_kern.c @@ -0,0 +1,41 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include +#include +#include + +#if defined(__x86_64__) +#define ARCH AUDIT_ARCH_X86_64 +#elif defined(__i386__) +#define ARCH AUDIT_ARCH_I386 +#else +#endif + +#ifdef ARCH +/* Returns EPERM when trying to close fd 999 */ +SEC("seccomp") +int bpf_prog1(struct seccomp_data *ctx) +{ + /* + * Make sure this BPF program is being run on the same architecture it + * was compiled on. + */ + if (ctx->arch != ARCH) + return SECCOMP_RET_ERRNO | EPERM; + if (ctx->nr == __NR_close && ctx->args[0] == 999) + return SECCOMP_RET_ERRNO | EPERM; + + return SECCOMP_RET_ALLOW; +} +#else +#warning Architecture not supported -- Blocking all syscalls +SEC("seccomp") +int bpf_prog1(struct seccomp_data *ctx) +{ + return SECCOMP_RET_ERRNO | EPERM; +} +#endif + +char _license[] SEC("license") = "GPL"; diff --git a/samples/bpf/test_seccomp_user.c b/samples/bpf/test_seccomp_user.c new file mode 100644 index 000000000000..ba17e18666b9 --- /dev/null +++ b/samples/bpf/test_seccomp_user.c @@ -0,0 +1,49 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char **argv) +{ + struct bpf_object *obj; + char filename[256]; + int prog_fd; + + snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]); + + if (bpf_prog_load(filename, BPF_PROG_TYPE_SECCOMP, &obj, &prog_fd)) + exit(EXIT_FAILURE); + if (prog_fd < 0) { + fprintf(stderr, "ERROR: no program found: %s\n", + strerror(prog_fd)); + exit(EXIT_FAILURE); + } + + /* set new_new_privs so non-privileged users can attach filters */ + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("prctl(NO_NEW_PRIVS)"); + exit(EXIT_FAILURE); + } + + if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, + SECCOMP_FILTER_FLAG_EXTENDED, &prog_fd)) { + perror("seccomp"); + exit(EXIT_FAILURE); + } + + close(111); + assert(errno == EBADF); + close(999); + assert(errno == EPERM); + + printf("close syscall successfully filtered\n"); + return 0; +} From patchwork Mon May 10 17:22:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248905 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 822CCC433B4 for ; Mon, 10 May 2021 17:23:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 54EF861480 for ; Mon, 10 May 2021 17:23:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232549AbhEJRYQ (ORCPT ); Mon, 10 May 2021 13:24:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46552 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232789AbhEJRYG (ORCPT ); Mon, 10 May 2021 13:24:06 -0400 Received: from mail-qv1-xf30.google.com (mail-qv1-xf30.google.com [IPv6:2607:f8b0:4864:20::f30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8A0ADC06175F; Mon, 10 May 2021 10:23:01 -0700 (PDT) Received: by mail-qv1-xf30.google.com with SMTP id jm10so8749535qvb.5; Mon, 10 May 2021 10:23:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=eKWNKjvr3PIJMbAHVnciIVF869iR5Tf3Vcd3i8yjR7k=; b=HPSFDpKwtpmI97BZ7OnEnwlJ7OuP8yE/VAmnjLJjS/naYUPkqSuhZgmTx/MyS2dJRa lTtgjMdq+j883FGfyq5Ddx/EzmsZX28SURajAkG7zoBAffmgLcLiiZVI4ZmqTjStSXPe c5auVjYHCI6/Zqk0WI6uyEHrglF2tMX5qfckEWKUtfESCHpkGA8Fmpt4fXiQwVFnQkcU vE9oVeoAjDcNT1GQXtRDa7aQfDBGD0GICi9rLDLMeUJl3CLnoyG3MI+tmYe613gAmgWU tJ6DGKEmlbW1JghfZciGQxHlFrIMJuxQ4N6d4DLi9kg9xFmMciPx/ZPo+vnnfC/e1PI2 ZYWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=eKWNKjvr3PIJMbAHVnciIVF869iR5Tf3Vcd3i8yjR7k=; b=Dw6R9/J7rB73AF3JJv+jiCIgwEudi9q5zWu8njwDkZvok4rHTSXZmO+YmFO0PEcuML f8pofZnXazb3wQCjoB4rSerncwVeuqZ8598Hm6loHU5jBg1lg89EW3yqZ+51hI9Zp5Qs Dfj+k9qZQn4vNiXJMUc7muc2qzzJXG/yfyy6yBZWxELo7knWHP+HsPdT2wrkoIO1sExY xPAcVfhPpQCd88wPEhxvTZabyTdoO+CgcZX31/r9sE9TOfTJau6XZeydUTcK0l4CXahd FCzq8sV31JyQj/2RFeab7SnI5211lwXMYcrkpi8OSCEnoHytZI72xj3rsR71pxTT59qZ YKsQ== X-Gm-Message-State: AOAM532iXWJXU0dlsGjiXH97i/88Z0fpqRmLS4OmpgryWpXKUxyqKVr4 joNnxEZEkPATP9wYsIAOfEmQK35uwyApz498 X-Google-Smtp-Source: ABdhPJxHKiUOuiZgZMAXiPdZZ8hqDpsF0UZO35YHyOMtFSuBp7jsqZ6dvzUky2eQee+s+Ub8pszoBA== X-Received: by 2002:ad4:4b33:: with SMTP id s19mr24460456qvw.35.1620667380808; Mon, 10 May 2021 10:23:00 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.22.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:23:00 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 06/12] lsm: New hook seccomp_extended Date: Mon, 10 May 2021 12:22:43 -0500 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: YiFei Zhu This hooks takes no argument, and returns 0 if the current task is permitted to use extended seccomp-eBPF features, or -errno if it is not permitted. Signed-off-by: YiFei Zhu --- include/linux/lsm_hook_defs.h | 4 ++++ include/linux/security.h | 13 +++++++++++++ security/security.c | 8 ++++++++ 3 files changed, 25 insertions(+) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 61f04f7dc1a4..94e18d95e1cc 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -391,6 +391,10 @@ LSM_HOOK(int, 0, bpf_map_alloc_security, struct bpf_map *map) LSM_HOOK(void, LSM_RET_VOID, bpf_map_free_security, struct bpf_map *map) LSM_HOOK(int, 0, bpf_prog_alloc_security, struct bpf_prog_aux *aux) LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux) + +#ifdef CONFIG_SECCOMP_FILTER_EXTENDED +LSM_HOOK(int, 0, seccomp_extended, void) +#endif /* CONFIG_SECCOMP_FILTER_EXTENDED */ #endif /* CONFIG_BPF_SYSCALL */ LSM_HOOK(int, 0, locked_down, enum lockdown_reason what) diff --git a/include/linux/security.h b/include/linux/security.h index 9aeda3f9e838..8e98dd98ac90 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1960,6 +1960,11 @@ extern int security_bpf_map_alloc(struct bpf_map *map); extern void security_bpf_map_free(struct bpf_map *map); extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux); extern void security_bpf_prog_free(struct bpf_prog_aux *aux); + +#ifdef CONFIG_SECCOMP_FILTER_EXTENDED +extern int security_seccomp_extended(void); +#endif /* CONFIG_SECCOMP_FILTER_EXTENDED */ + #else static inline int security_bpf(int cmd, union bpf_attr *attr, unsigned int size) @@ -1992,6 +1997,14 @@ static inline int security_bpf_prog_alloc(struct bpf_prog_aux *aux) static inline void security_bpf_prog_free(struct bpf_prog_aux *aux) { } + +#ifdef CONFIG_SECCOMP_FILTER_EXTENDED +static inline int security_seccomp_extended(void) +{ + return 0; +} +#endif /* CONFIG_SECCOMP_FILTER_EXTENDED */ + #endif /* CONFIG_SECURITY */ #endif /* CONFIG_BPF_SYSCALL */ diff --git a/security/security.c b/security/security.c index 94383f83ba42..301afe76ffb2 100644 --- a/security/security.c +++ b/security/security.c @@ -2553,6 +2553,14 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux) { call_void_hook(bpf_prog_free_security, aux); } + +#ifdef CONFIG_SECCOMP_FILTER_EXTENDED +int security_seccomp_extended(void) +{ + return call_int_hook(seccomp_extended, 0); +} +#endif + #endif /* CONFIG_BPF_SYSCALL */ int security_locked_down(enum lockdown_reason what) From patchwork Mon May 10 17:22:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248909 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1C787C43600 for ; Mon, 10 May 2021 17:23:25 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E6DA56147F for ; Mon, 10 May 2021 17:23:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232774AbhEJRYT (ORCPT ); Mon, 10 May 2021 13:24:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46562 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232770AbhEJRYI (ORCPT ); Mon, 10 May 2021 13:24:08 -0400 Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DB443C061760; Mon, 10 May 2021 10:23:02 -0700 (PDT) Received: by mail-qt1-x82e.google.com with SMTP id n22so12481762qtk.9; Mon, 10 May 2021 10:23:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=os+aNkIj11roEHDUU05sC6TNDVf0op+4DKUiI/YhlCI=; b=M5fRVYqrGRIo+zDt0ww9BZnPnThLcGUFnq1uBtyv9zZCFzq7kYM+ebANCjyQPR7JyW mojidBSveomAk3SZkuZyQQbm33GnzbuwSmiT7pRt5dreyQRnAiAGSLLIjdAkL3bXtXJW Kt/uQ0ZGpjx10L02Nyw2XJqcP6SjauIIlC6rOnlauWf0OQXsXChwyC2s3wUuAHjR+OBl 449/wDIHI8AY8vsyKGmxD4MQMG/lfaEFI0m2zRzxEkducKu0VsktQiFeN03xmZIiqgWq lzx6AAApP7SWNBNaW8VN5W5QrdTaJQYfZzWHM1ZZ8LY0g4pEyrOREnKw6c7bk3FvV3y6 4acQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=os+aNkIj11roEHDUU05sC6TNDVf0op+4DKUiI/YhlCI=; b=JPsUvG9zmpXYkpPF5pcSRPOAtJb15d4OAJZeF8RwmafOjcpqolSQXMCh6Ek/Pa7pe9 ZvlRJTYVMbPBv5jqagBiJVvc0DrB3GU00gZKH8EG/4vMBfICZwltfa8/vHqN5euGOrNI Wt0snOyRxZS7wYBn7SZhUZZilH/RoWUK88S6eQrsP13R/9U9XeLcDVnw/vMxoDceK/43 0i0EGPPzCz6JyCJCvU5NtospH+XuQqKC8liohpLuqoWn/BJEwU7DkPeGrqy08OewZtQg 8M0wcKCj5nbHoaG/1a91Y8Nli47/d4bdYYbswPoMFNNthty7P9iNtpqkgzBurwwg5OPh tKZw== X-Gm-Message-State: AOAM532fdVZfOL0ehB3GVCd+d0VNnw+wYUTa5wymccTcnxCekB9OnalG uSeC11XEv0pOOLNqjD1aplCFuYVmdDk2IeZ8 X-Google-Smtp-Source: ABdhPJzGzOZt96I0Zs7TdCghlnOJueKKaLB7JVqgkm1SC2dIxERLF1FLObKXXk8uUTGdiuh0MqkEEw== X-Received: by 2002:ac8:646:: with SMTP id e6mr22635080qth.285.1620667382103; Mon, 10 May 2021 10:23:02 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.23.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:23:01 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 07/12] bpf/verifier: allow restricting direct map access Date: Mon, 10 May 2021 12:22:44 -0500 Message-Id: <08b306f207cc6c516500a58ee0bc506f09859d26.1620499942.git.yifeifz2@illinois.edu> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: YiFei Zhu Add a verifier hook that is able to reject direct map access that does not make use of eBPF helpers. These accesses mostly correspond to eBPF data section accesses. This allows a program type to disable maps altogether by resturing direct map accesses and not whitelisting helpers that perform map accesses. Signed-off-by: YiFei Zhu --- include/linux/bpf.h | 1 + kernel/bpf/verifier.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 02b02cb29ce2..86f3e8784e43 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -484,6 +484,7 @@ struct bpf_verifier_ops { enum bpf_access_type atype, u32 *next_btf_id); bool (*check_kfunc_call)(u32 kfunc_btf_id); + bool (*map_access)(enum bpf_access_type type); }; struct bpf_prog_offload_ops { diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 8fd552c16763..8eec1796caaa 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3100,6 +3100,9 @@ static int check_map_access_type(struct bpf_verifier_env *env, u32 regno, struct bpf_map *map = regs[regno].map_ptr; u32 cap = bpf_map_flags_to_cap(map); + if (env->ops->map_access && !env->ops->map_access(type)) + cap = 0; + if (type == BPF_WRITE && !(cap & BPF_MAP_CAN_WRITE)) { verbose(env, "write into map forbidden, value_size=%d off=%d size=%d\n", map->value_size, off, size); From patchwork Mon May 10 17:22:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248911 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16F6DC43603 for ; Mon, 10 May 2021 17:23:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E4A5F61352 for ; Mon, 10 May 2021 17:23:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232798AbhEJRYZ (ORCPT ); Mon, 10 May 2021 13:24:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46540 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232772AbhEJRYJ (ORCPT ); Mon, 10 May 2021 13:24:09 -0400 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 13739C061761; Mon, 10 May 2021 10:23:04 -0700 (PDT) Received: by mail-qt1-x82a.google.com with SMTP id g13so12497808qts.4; Mon, 10 May 2021 10:23:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=jxuzpoKujYtr2aHiM/kDtdSl1lSD9oNhumKLKx3WNhI=; b=cim2XGAYUsRYtj3qYEecXybCMYw3siy/whG1UYmVo9bCb0DP9dGn0X6vqnCsTnw3Qb oKHVXOYbDs0C3ZUfdElVbiFfHpdg/oDCfRhaW96kzakVZ4PNS0PM+eTJP3muffFNgsZ6 FD6/yxgNixLspgbzKtWqT1lPhMzCXIv+Lzg6rhVRL3rlx1xReAsmQjviAjs5Gh0GG9ot 5VtNsFrMIrx9sc3OEHv4px0SOwKM/J7SzyfUOZxm/woWxUj0q1XV8M1ivNFDlKj+60Qq KucQcDJG+XE3H04y4W4AbHWeJJ3i9EkQkr8o47xME/HoLufj/YWKXVf8w6zw/ufl8hDJ 8mKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=jxuzpoKujYtr2aHiM/kDtdSl1lSD9oNhumKLKx3WNhI=; b=H14KBPZ4EMGhY9WI/Fw69ZuJlTlqKFxoSY+5ZQJWGPKb5xrALpTpxruzlzK/xec5pj Hz+zqZNtl4XYHIxAw7w2PP53RdCOlojScSXSHA66tEAwEhlBSxzeJumpSpgUOzn6isxi 9viE7MfP0qkS+sjDww3WqJleBuwPHoB/GzITsUa5mopfm9VrWa8VzGmVUtfvSLmImdGj W2N1vGqDzFOic2q4BSo0jMhpe+WytgQFl1z3Boeb5soKl4+PaJFkZDCk6ssq+I7piAuX zyzW8DOxavXdAOTR+gcBTxrMn4+ZnGzLIx+Qy/ctSMc0iaAvGZhAG4pwvpbIRbD61jRf qVKg== X-Gm-Message-State: AOAM531SVr8O62elgn3zQS1aKxHgbI4aSWOT3YZDoLuAMvZ1OzFj6+ej kxANZnvk6+NllgB0rn+P3+o= X-Google-Smtp-Source: ABdhPJxFkSB5mUmfRJ/kv+m/vRYxB1+SBmVTgvWXRofx/Tgdpz9dCSNx6diUsdagHlUsBhavhfieDA== X-Received: by 2002:a05:622a:13c6:: with SMTP id p6mr23882773qtk.288.1620667383346; Mon, 10 May 2021 10:23:03 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.23.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:23:03 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 08/12] seccomp-ebpf: restrict filter to almost cBPF if LSM request such Date: Mon, 10 May 2021 12:22:45 -0500 Message-Id: <25cc2777f0c1e5603fc8751bff0f36249b018388.1620499942.git.yifeifz2@illinois.edu> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: YiFei Zhu If LSM hook security_seccomp_extended returns non-zero, seccomp-eBPF filters are not permitted to use eBPF maps or helpers. Signed-off-by: YiFei Zhu --- kernel/seccomp.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 8550ae885245..b9ed9951a05b 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -2441,6 +2441,9 @@ static bool seccomp_is_valid_access(int off, int size, static const struct bpf_func_proto * seccomp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) { + if (security_seccomp_extended()) + return NULL; + switch (func_id) { case BPF_FUNC_get_current_uid_gid: return &bpf_get_current_uid_gid_proto; @@ -2459,9 +2462,15 @@ seccomp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) const struct bpf_prog_ops seccomp_prog_ops = { }; +static bool seccomp_map_access(enum bpf_access_type type) +{ + return !security_seccomp_extended(); +} + const struct bpf_verifier_ops seccomp_verifier_ops = { .get_func_proto = seccomp_func_proto, .is_valid_access = seccomp_is_valid_access, + .map_access = seccomp_map_access, }; #endif /* CONFIG_SECCOMP_FILTER_EXTENDED */ From patchwork Mon May 10 17:22:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248913 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4739EC43460 for ; Mon, 10 May 2021 17:23:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1F11A61481 for ; Mon, 10 May 2021 17:23:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231908AbhEJRYf (ORCPT ); Mon, 10 May 2021 13:24:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46542 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232783AbhEJRYK (ORCPT ); Mon, 10 May 2021 13:24:10 -0400 Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 73574C061763; Mon, 10 May 2021 10:23:05 -0700 (PDT) Received: by mail-qk1-x72a.google.com with SMTP id a22so15524839qkl.10; Mon, 10 May 2021 10:23:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=cX52Zs/xDsiq7rE6ph9VA8cUYUpw0YB0S2ZUk1qpvmc=; b=vIeg2VmImJPDTqp/NxQuqgMD47fn10g6oqPN4/D23lmD83s5AbYtXiqT4xi3cxQWwQ kA7/Zm0j91GNbdpXxtRMZIgfh4wi8jLESXWJ6SS8JkSRdyMchgMK2+YFPNJJh0Igb4DD vr27WPQHkjmJJe+YV19pKplElTiGT9l3KJMAhikqFw6bHHCBBDq5x5yBCYq/2m4JwbLW HWWi4Vn3Mc2tQzkkxjxRTeo8rdsHxWX0E8VSFCsUsmpc1Xhctr0aHKjhI5ul3C5sGDrC yiUOQOXvBgp8WgfUfOk9VicYLRZaJOF9A5cw9mE37Ix6BrwUTGzDeifefvZ9C60DT4ZK N9CA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=cX52Zs/xDsiq7rE6ph9VA8cUYUpw0YB0S2ZUk1qpvmc=; b=k2qQdi8uUxbxc5nJUyB1t93kDJwwxy/15wWhjCAcyvuhplcSz1MqXRMRD1HKtyvsAn DkffxvhH3ar5yYdY7owKnXpm5jxQ+KLORwy4UXrzzZSQyBAumwd3QXpDZSY4FCxSk4JX l5jizbcF3VdyStSJdZP93JNHxrQv+JQygN1bAtmmdY7sX36c43KmApXaNUyq5oFsjci7 nHPZtBwCNP0V12F9O4cF7bKjoL7tfoTIvKcO0AQ0EmVRh3Wv1SICXV3Ze7hzwQioq/hc PfK4Maicfdspis+T1/zR8eVjwdf0Vxnfq5VzLnYckeiqJ0kFEbIga7uFOXTcPvb1LUxc kXrg== X-Gm-Message-State: AOAM531j7GefVKRfcdeSu241uZfwfqFZ0rWXQvAjAxRvgzGk2PgkBFLl wRGYhDnZqE8eSl8ET6tP/QR/ozNSNgLC3abk X-Google-Smtp-Source: ABdhPJzMd3Ycz3/4IwsWCcmCOykOGaViFf5Pq5ljtHvY21Ye4p7MT6H0wZPExMpUeToIk8ZkAuuyBw== X-Received: by 2002:a37:43d4:: with SMTP id q203mr24178322qka.124.1620667384566; Mon, 10 May 2021 10:23:04 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.23.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:23:04 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 09/12] yama: (concept) restrict seccomp-eBPF with ptrace_scope Date: Mon, 10 May 2021 12:22:46 -0500 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: YiFei Zhu LSM hook seccomp_extended is made to return -EPERM if the current process may not ptrace its children, depending on the value of ptrace_scope and CAP_SYS_PTRACE capability. I'm not sure if this is the right way to do it, since ptrace_scope is about ptrace and not seccomp. Is there a better policy that would make more sense? Signed-off-by: YiFei Zhu --- security/yama/yama_lsm.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 06e226166aab..3b7b408b47a3 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -421,9 +421,39 @@ static int yama_ptrace_traceme(struct task_struct *parent) return rc; } +#ifdef CONFIG_SECCOMP_FILTER_EXTENDED +static int yama_seccomp_extended(void) +{ + int rc = 0; + + /* seccomp filter attach can only affect itself and children */ + switch (ptrace_scope) { + case YAMA_SCOPE_DISABLED: + case YAMA_SCOPE_RELATIONAL: + /* No additional restrictions. */ + break; + case YAMA_SCOPE_CAPABILITY: + rcu_read_lock(); + if (!ns_capable(current_user_ns(), CAP_SYS_PTRACE)) + rc = -EPERM; + rcu_read_unlock(); + break; + case YAMA_SCOPE_NO_ATTACH: + default: + rc = -EPERM; + break; + } + + return rc; +} +#endif /* CONFIG_SECCOMP_FILTER_EXTENDED */ + static struct security_hook_list yama_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme), +#ifdef CONFIG_SECCOMP_FILTER_EXTENDED + LSM_HOOK_INIT(seccomp_extended, yama_seccomp_extended), +#endif LSM_HOOK_INIT(task_prctl, yama_task_prctl), LSM_HOOK_INIT(task_free, yama_task_free), }; From patchwork Mon May 10 17:22:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248915 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1EB1BC433ED for ; Mon, 10 May 2021 17:23:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E431261481 for ; Mon, 10 May 2021 17:23:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232816AbhEJRYn (ORCPT ); Mon, 10 May 2021 13:24:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46578 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232799AbhEJRYL (ORCPT ); Mon, 10 May 2021 13:24:11 -0400 Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 85D37C0613ED; Mon, 10 May 2021 10:23:06 -0700 (PDT) Received: by mail-qt1-x830.google.com with SMTP id j19so12495362qtp.7; Mon, 10 May 2021 10:23:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=K3otKcjGXfjWujyWqX/osHKgxcZ3uGxMRgh0AOnNm6I=; b=a0pr0Zp/V5LIkK7DZ5qYMqwhfxJTX4jV0thP237XqVBG921rrjNLIlYZu1JzlNGddL qQIMee2LaKlyuOu5NDCGgwH50E7uyBA8GD0EbvfJIrGubDbHwFuF/p+T0+kVLIJ1EwvN swLjNOXUqLxRr9TiVhE6vjWZVih6Ks8jSu6IjVIukycta2XwAFtU96/m9UkHgMN7JJh4 2zKeZSgBjQLSlltoBwK6Mt7dQ+ifE3WtuswzKD9TqLRxKfJUtLYqEYxNLD+HgBRk3qUP DlO1RNCbwtovBleWnMF6HJeO64kWhIGNbN4nJ705M2nxpkJV0tuwIT+k/650fGikWVIA GP/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=K3otKcjGXfjWujyWqX/osHKgxcZ3uGxMRgh0AOnNm6I=; b=b0Uf26iMndIrKgukB4YmYXL5rwGdCaH59t0CsWGaCdKmLrhHUIegrpWhYMNc+lXuqJ kL23pzHcVsr8y78wfudlZFAyaXkgElhUxWZoBJRfkxhgL7dUeWlRees2YPo+2Rt4d9sA vv0ijRWgh+D75obK/EhzXlwK+qlkWc6SMxosTdpfjlpxKzzYaISUsYlAcgal8un8QWIZ Y4p9Yr+o33VHexMQqk3y/478Ji8f5DtjsQUbJlKj+on80Yj8/KEQsOz8h+VjRpvMXo+K 74R8O9DqTm1YJSOSXmzcmjXqVl+ItZ9B9L2La0ybtNsn80I8mgQXmHL95KLzRUBz6YwI Jryg== X-Gm-Message-State: AOAM533V8jS6xKLvVT1PdK5ZbaPyz99xrcm9+SZqVWsfcZZp9ylraGV1 U19i5LqlPRGGWuo4lijwRhIdXrKPmSvsRLq/ X-Google-Smtp-Source: ABdhPJwsd4Zm2OVHC0R53PhH+5KNiVxBFUs2f4MCxN96ZtiOvVI6wTHsG/6npaoZbnprA9G3U09SNQ== X-Received: by 2002:a05:622a:10e:: with SMTP id u14mr23252719qtw.229.1620667385799; Mon, 10 May 2021 10:23:05 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.23.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:23:05 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory Date: Mon, 10 May 2021 12:22:47 -0500 Message-Id: <53db70ed544928d227df7e3f3a1f8c53e3665c65.1620499942.git.yifeifz2@illinois.edu> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: YiFei Zhu This uses helpers bpf_probe_read_user{,str}. To repect unprivileged users may also load filters, when the loader of the filter does not have CAP_SYS_PTRACE, attempting to read user memory when current mm is non-dumpable results in -EPERM. Right now this is not sleepable, -EFAULT may happen for valid memory addresses. Future work might be adding support to bpf_copy_from_user via sleepable filters. Use of memory data to implement policy is discouraged until there is a solution for time-of-check to time-of-use. Signed-off-by: YiFei Zhu --- include/linux/bpf.h | 4 ++++ kernel/seccomp.c | 8 ++++++++ kernel/trace/bpf_trace.c | 42 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 86f3e8784e43..2019c0893250 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1965,6 +1965,10 @@ extern const struct bpf_func_proto bpf_get_socket_ptr_cookie_proto; extern const struct bpf_func_proto bpf_task_storage_get_proto; extern const struct bpf_func_proto bpf_task_storage_delete_proto; extern const struct bpf_func_proto bpf_for_each_map_elem_proto; +extern const struct bpf_func_proto bpf_probe_read_user_proto; +extern const struct bpf_func_proto bpf_probe_read_user_dumpable_proto; +extern const struct bpf_func_proto bpf_probe_read_user_str_proto; +extern const struct bpf_func_proto bpf_probe_read_user_dumpable_str_proto; const struct bpf_func_proto *bpf_tracing_func_proto( enum bpf_func_id func_id, const struct bpf_prog *prog); diff --git a/kernel/seccomp.c b/kernel/seccomp.c index b9ed9951a05b..330e9c365cdc 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -2449,6 +2449,14 @@ seccomp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) return &bpf_get_current_uid_gid_proto; case BPF_FUNC_get_current_pid_tgid: return &bpf_get_current_pid_tgid_proto; + case BPF_FUNC_probe_read_user: + return ns_capable(current_user_ns(), CAP_SYS_PTRACE) ? + &bpf_probe_read_user_proto : + &bpf_probe_read_user_dumpable_proto; + case BPF_FUNC_probe_read_user_str: + return ns_capable(current_user_ns(), CAP_SYS_PTRACE) ? + &bpf_probe_read_user_str_proto : + &bpf_probe_read_user_dumpable_str_proto; default: break; } diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index d2d7cf6cfe83..a1d6d64bde08 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -175,6 +175,27 @@ const struct bpf_func_proto bpf_probe_read_user_proto = { .arg3_type = ARG_ANYTHING, }; +BPF_CALL_3(bpf_probe_read_user_dumpable, void *, dst, u32, size, + const void __user *, unsafe_ptr) +{ + int ret = -EPERM; + + if (get_dumpable(current->mm)) + ret = copy_from_user_nofault(dst, unsafe_ptr, size); + if (unlikely(ret < 0)) + memset(dst, 0, size); + return ret; +} + +const struct bpf_func_proto bpf_probe_read_user_dumpable_proto = { + .func = bpf_probe_read_user_dumpable, + .gpl_only = true, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_UNINIT_MEM, + .arg2_type = ARG_CONST_SIZE_OR_ZERO, + .arg3_type = ARG_ANYTHING, +}; + static __always_inline int bpf_probe_read_user_str_common(void *dst, u32 size, const void __user *unsafe_ptr) @@ -212,6 +233,27 @@ const struct bpf_func_proto bpf_probe_read_user_str_proto = { .arg3_type = ARG_ANYTHING, }; +BPF_CALL_3(bpf_probe_read_user_dumpable_str, void *, dst, u32, size, + const void __user *, unsafe_ptr) +{ + int ret = -EPERM; + + if (get_dumpable(current->mm)) + ret = strncpy_from_user_nofault(dst, unsafe_ptr, size); + if (unlikely(ret < 0)) + memset(dst, 0, size); + return ret; +} + +const struct bpf_func_proto bpf_probe_read_user_dumpable_str_proto = { + .func = bpf_probe_read_user_dumpable_str, + .gpl_only = true, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_UNINIT_MEM, + .arg2_type = ARG_CONST_SIZE_OR_ZERO, + .arg3_type = ARG_ANYTHING, +}; + static __always_inline int bpf_probe_read_kernel_common(void *dst, u32 size, const void *unsafe_ptr) { From patchwork Mon May 10 17:22:48 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248917 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id F18B3C43461 for ; Mon, 10 May 2021 17:23:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D0FF161352 for ; Mon, 10 May 2021 17:23:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232825AbhEJRYp (ORCPT ); Mon, 10 May 2021 13:24:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46544 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232768AbhEJRYN (ORCPT ); Mon, 10 May 2021 13:24:13 -0400 Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D72E0C061574; Mon, 10 May 2021 10:23:07 -0700 (PDT) Received: by mail-qt1-x82c.google.com with SMTP id t20so8220819qtx.8; Mon, 10 May 2021 10:23:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=c2CF6wWxSeaRukQXS9D3kYC7ceIBWXkvfZuqNiEOj+o=; b=WqAWHZMm6eAK0zTUbLWe79O9z67IcrQBSPAWAl2vBkdQq207NC+4fQfMOWBWf+9vC6 NWiN+gAnCu62A63Na/yIhG3LvYNpt8VOQcRpLjEWAes1TcFBe7lmtWPjxyWIofsY0sl9 1lb4wdJ11FOoeiFttrxWzTrKdKzx6KJ3EceY8CP8X8phzDkbfLoHxHogv5USjEDr+KTg eOt2NJmwWLCLob252L+Yyxg4ScpxnKVNgjpNohvwmK4jeFlV3ciUN7rGxn8/HL4Zhqxz yCaf20VZo3K9d5IQTzK4aBp3Ot+SB5ia8xQy36GzAWrYskbxHTg2oT6S5t6MoFJgbP+Q K/7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=c2CF6wWxSeaRukQXS9D3kYC7ceIBWXkvfZuqNiEOj+o=; b=m+wc0qWqVnuNL+/B8iTAp6yiFnEXyn6KX2ywFXNttox+rD3EHGrncONHhcQUhh1DFg HtQZSLbx6J0hOqAROX9ymR9/yK94ckZOe6civU03guReFFHPGXWu4vVI9rKpU/uqxMlM mxAMm33Oljh3TYFiPLbZSs/SgjOKgvbG2118eHN5v/VJ+jr9BtIJ+rEtbLdb/M8osn7I JZighGeG6aqS5RShtZw92VtvM5Wc+E44uC1/MAawa+Kgp6NN6026tz4eFi++6QMRHdjd x3keHCSA8g0IWd8p/FFFo7Deq6D1OV3SdgcTnZST5uPgBVXrLDGrJE9ieERRmBJ2YQIs o9tA== X-Gm-Message-State: AOAM533ctzbjsaovPwpA979vuN7GsQ/W3CxbQC2bd04uUTRrXnkMBd+h 4SBTChlrk09I1CCfmQPufWo= X-Google-Smtp-Source: ABdhPJxRUeU5QumnSTZa/U9nbnrewiDGajrInXlBLwfuKZzvyJZ9ZIJGVPH4dJM4ssLBN7m0dy2cEw== X-Received: by 2002:a05:622a:486:: with SMTP id p6mr23934227qtx.98.1620667387145; Mon, 10 May 2021 10:23:07 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.23.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:23:06 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 11/12] bpf/verifier: support NULL-able ptr to BTF ID as helper argument Date: Mon, 10 May 2021 12:22:48 -0500 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: YiFei Zhu This is to allow progs with no access to ptr to BPF ID still be able to call some helpers, with these arguments set as NULL, so the helper implementation may set a fallback when NULL is passed in. Signed-off-by: YiFei Zhu --- include/linux/bpf.h | 1 + kernel/bpf/verifier.c | 12 +++++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 2019c0893250..efa6444b88d3 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -303,6 +303,7 @@ enum bpf_arg_type { ARG_PTR_TO_SOCKET, /* pointer to bpf_sock (fullsock) */ ARG_PTR_TO_SOCKET_OR_NULL, /* pointer to bpf_sock (fullsock) or NULL */ ARG_PTR_TO_BTF_ID, /* pointer to in-kernel struct */ + ARG_PTR_TO_BTF_ID_OR_NULL, /* pointer to in-kernel struct or NULL */ ARG_PTR_TO_ALLOC_MEM, /* pointer to dynamically allocated memory */ ARG_PTR_TO_ALLOC_MEM_OR_NULL, /* pointer to dynamically allocated memory or NULL */ ARG_CONST_ALLOC_SIZE_OR_ZERO, /* number of allocated bytes requested */ diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 8eec1796caaa..8a08a27e0abc 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -484,7 +484,8 @@ static bool arg_type_may_be_null(enum bpf_arg_type type) type == ARG_PTR_TO_CTX_OR_NULL || type == ARG_PTR_TO_SOCKET_OR_NULL || type == ARG_PTR_TO_ALLOC_MEM_OR_NULL || - type == ARG_PTR_TO_STACK_OR_NULL; + type == ARG_PTR_TO_STACK_OR_NULL || + type == ARG_PTR_TO_BTF_ID_OR_NULL; } /* Determine whether the function releases some resources allocated by another @@ -4808,6 +4809,7 @@ static const struct bpf_reg_types *compatible_reg_types[__BPF_ARG_TYPE_MAX] = { [ARG_PTR_TO_SOCKET] = &fullsock_types, [ARG_PTR_TO_SOCKET_OR_NULL] = &fullsock_types, [ARG_PTR_TO_BTF_ID] = &btf_ptr_types, + [ARG_PTR_TO_BTF_ID_OR_NULL] = &btf_ptr_types, [ARG_PTR_TO_SPIN_LOCK] = &spin_lock_types, [ARG_PTR_TO_MEM] = &mem_types, [ARG_PTR_TO_MEM_OR_NULL] = &mem_types, @@ -5436,10 +5438,14 @@ static bool check_btf_id_ok(const struct bpf_func_proto *fn) int i; for (i = 0; i < ARRAY_SIZE(fn->arg_type); i++) { - if (fn->arg_type[i] == ARG_PTR_TO_BTF_ID && !fn->arg_btf_id[i]) + if ((fn->arg_type[i] == ARG_PTR_TO_BTF_ID || + fn->arg_type[i] == ARG_PTR_TO_BTF_ID_OR_NULL) && + !fn->arg_btf_id[i]) return false; - if (fn->arg_type[i] != ARG_PTR_TO_BTF_ID && fn->arg_btf_id[i]) + if ((fn->arg_type[i] != ARG_PTR_TO_BTF_ID && + fn->arg_type[i] != ARG_PTR_TO_BTF_ID_OR_NULL) && + fn->arg_btf_id[i]) return false; } From patchwork Mon May 10 17:22:49 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: YiFei Zhu X-Patchwork-Id: 12248919 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B27D5C43470 for ; Mon, 10 May 2021 17:23:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7FAD16147F for ; Mon, 10 May 2021 17:23:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232768AbhEJRYq (ORCPT ); Mon, 10 May 2021 13:24:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46586 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232822AbhEJRYP (ORCPT ); Mon, 10 May 2021 13:24:15 -0400 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 335FEC06175F; Mon, 10 May 2021 10:23:09 -0700 (PDT) Received: by mail-qt1-x82a.google.com with SMTP id c10so2684237qtx.10; Mon, 10 May 2021 10:23:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=5/rwXY3Tz97DG7RI33m/7eYmkIHu/XikiymKc76hRuI=; b=Qoor7W8OoHJh8YFJwaDNYg1EhzPV+XmZZTxmIbK8xsOopphUxHRO+5slKwOBJQsxbB Ig1Em/YJCGj0gQIgKNbEvqsRN99g0dxRQP7xB1Nlb1l+talVrXYw83g7AoiJZndYjJWb RoauFxCt9kJiLqVvhi4ZPmj3J2HEYIWm3TAvEIR2YaFvOTGt+Da3DvynvW1VdZfLwRVL reXVfLFNd7Hs8jGhbbq8hZ5I53DE0OyVE9APlZR6pjJKWV0GLjIlBCWh6yj/YWyM7AYb BwqFa47yZICJI86OMu4z7Nt0B0UT91cZqaab6CLdOVLg/oHqXwW72BI543Lw/8JOgrbt ZZ9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=5/rwXY3Tz97DG7RI33m/7eYmkIHu/XikiymKc76hRuI=; b=B1W7MwkdcMsaomcEcN5Mky+OcPLccLAHoa1FpgN0Qsz3ml3S7D+/ISk30RquqQgALj MqPUvctoOvIraFPxZnEIsi5M2DBsRvJC8kt7Cj5onYG0oM79Wa/t01Brx3Tri1JGdWpD 2/chLGi22pSOtxKvRC1kOnYik+mGr1O0ma/Li2q82wEIX5s2ecJoukYFxYt6k2wcTsqU +tzywtGYU/F16Rx+EybnPH/ksShEfZM44eSyX4iA/9kQfuqUy/zsHrs8B5rZsiNU/lVs vuK4B38OtLUvvzhhdHsN6CRda1gPM8Vj3mTE0HTzVCoGMLqnwrEYP8UyzHtt/GYh3GEp CEOQ== X-Gm-Message-State: AOAM530vTnMFZ4jhbMhk/MB7BF2zyE1wOn8ooQ+bQUl8pnH85fl5wmuV UGIM8/Reg0FDTzXZIrqj1PM= X-Google-Smtp-Source: ABdhPJzZxsGB9ozvYjpJmRg62FFX02uOjGCBLcBwlLpOtloL9dHrxHJL0pVdAzZwU8U1raciHQh7vg== X-Received: by 2002:a05:622a:15c9:: with SMTP id d9mr6841464qty.103.1620667388424; Mon, 10 May 2021 10:23:08 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id q7sm11924367qki.17.2021.05.10.10.23.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 10 May 2021 10:23:08 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux.dev, bpf@vger.kernel.org Cc: YiFei Zhu , linux-security-module@vger.kernel.org, Alexei Starovoitov , Andrea Arcangeli , Andy Lutomirski , Austin Kuo , Claudio Canella , Daniel Borkmann , Daniel Gruss , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jann Horn , Jinghao Jia , Josep Torrellas , Kees Cook , Sargun Dhillon , Tianyin Xu , Tobin Feldman-Fitzthum , Tom Hromatka , Will Drewry Subject: [RFC PATCH bpf-next seccomp 12/12] seccomp-ebpf: support task storage from BPF-LSM, defaulting to group leader Date: Mon, 10 May 2021 12:22:49 -0500 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net X-Patchwork-State: RFC From: YiFei Zhu This enables seccomp-eBPF filters to have per-process state even when the filter is loaded by an unprivileged process. Without CAP_BPF && CAP_PERFMON no access to ptr to BTF ID is possible, so the only valid task the verifier will accept is NULL, and the helper implementation fallbacks to the group leader to have a per-process storage. Filters loaded by privileged processes may still access the storage of arbitrary tasks via a valid task_struct ptr to BTF ID. Since task storage require rcu being locked. We lock and unlock rcu before every seccomp-eBPF filter execution. I'm not sure if this is the best way to do this. One, this introduces a dependency on BPF-LSM. Two, per-thread storage is not accessible to unprivileged filter loaders; it has to be per-process. Signed-off-by: YiFei Zhu --- include/linux/bpf.h | 2 ++ kernel/bpf/bpf_task_storage.c | 64 ++++++++++++++++++++++++++++++----- kernel/seccomp.c | 4 +++ 3 files changed, 61 insertions(+), 9 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index efa6444b88d3..7c9755802275 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1964,7 +1964,9 @@ extern const struct bpf_func_proto bpf_ktime_get_coarse_ns_proto; extern const struct bpf_func_proto bpf_sock_from_file_proto; extern const struct bpf_func_proto bpf_get_socket_ptr_cookie_proto; extern const struct bpf_func_proto bpf_task_storage_get_proto; +extern const struct bpf_func_proto bpf_task_storage_get_default_leader_proto; extern const struct bpf_func_proto bpf_task_storage_delete_proto; +extern const struct bpf_func_proto bpf_task_storage_delete_default_leader_proto; extern const struct bpf_func_proto bpf_for_each_map_elem_proto; extern const struct bpf_func_proto bpf_probe_read_user_proto; extern const struct bpf_func_proto bpf_probe_read_user_dumpable_proto; diff --git a/kernel/bpf/bpf_task_storage.c b/kernel/bpf/bpf_task_storage.c index 3ce75758d394..5ddf3a92d359 100644 --- a/kernel/bpf/bpf_task_storage.c +++ b/kernel/bpf/bpf_task_storage.c @@ -224,19 +224,19 @@ static int bpf_pid_task_storage_delete_elem(struct bpf_map *map, void *key) return err; } -BPF_CALL_4(bpf_task_storage_get, struct bpf_map *, map, struct task_struct *, - task, void *, value, u64, flags) +static void *_bpf_task_storage_get(struct bpf_map *map, struct task_struct *task, + void *value, u64 flags) { struct bpf_local_storage_data *sdata; if (flags & ~(BPF_LOCAL_STORAGE_GET_F_CREATE)) - return (unsigned long)NULL; + return NULL; if (!task) - return (unsigned long)NULL; + return NULL; if (!bpf_task_storage_trylock()) - return (unsigned long)NULL; + return NULL; sdata = task_storage_lookup(task, map, true); if (sdata) @@ -251,12 +251,24 @@ BPF_CALL_4(bpf_task_storage_get, struct bpf_map *, map, struct task_struct *, unlock: bpf_task_storage_unlock(); - return IS_ERR_OR_NULL(sdata) ? (unsigned long)NULL : - (unsigned long)sdata->data; + return IS_ERR_OR_NULL(sdata) ? NULL : sdata->data; } -BPF_CALL_2(bpf_task_storage_delete, struct bpf_map *, map, struct task_struct *, - task) +BPF_CALL_4(bpf_task_storage_get, struct bpf_map *, map, struct task_struct *, + task, void *, value, u64, flags) +{ + return (unsigned long)_bpf_task_storage_get(map, task, value, flags); +} + +BPF_CALL_4(bpf_task_storage_get_default_leader, struct bpf_map *, map, + struct task_struct *, task, void *, value, u64, flags) +{ + if (!task) + task = current->group_leader; + return (unsigned long)_bpf_task_storage_get(map, task, value, flags); +} + +static int _bpf_task_storage_delete(struct bpf_map *map, struct task_struct *task) { int ret; @@ -275,6 +287,20 @@ BPF_CALL_2(bpf_task_storage_delete, struct bpf_map *, map, struct task_struct *, return ret; } +BPF_CALL_2(bpf_task_storage_delete, struct bpf_map *, map, struct task_struct *, + task) +{ + return _bpf_task_storage_delete(map, task); +} + +BPF_CALL_2(bpf_task_storage_delete_default_leader, struct bpf_map *, map, + struct task_struct *, task) +{ + if (!task) + task = current->group_leader; + return _bpf_task_storage_delete(map, task); +} + static int notsupp_get_next_key(struct bpf_map *map, void *key, void *next_key) { return -ENOTSUPP; @@ -330,6 +356,17 @@ const struct bpf_func_proto bpf_task_storage_get_proto = { .arg4_type = ARG_ANYTHING, }; +const struct bpf_func_proto bpf_task_storage_get_default_leader_proto = { + .func = bpf_task_storage_get_default_leader, + .gpl_only = false, + .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, + .arg1_type = ARG_CONST_MAP_PTR, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, + .arg2_btf_id = &bpf_task_storage_btf_ids[0], + .arg3_type = ARG_PTR_TO_MAP_VALUE_OR_NULL, + .arg4_type = ARG_ANYTHING, +}; + const struct bpf_func_proto bpf_task_storage_delete_proto = { .func = bpf_task_storage_delete, .gpl_only = false, @@ -338,3 +375,12 @@ const struct bpf_func_proto bpf_task_storage_delete_proto = { .arg2_type = ARG_PTR_TO_BTF_ID, .arg2_btf_id = &bpf_task_storage_btf_ids[0], }; + +const struct bpf_func_proto bpf_task_storage_delete_default_leader_proto = { + .func = bpf_task_storage_delete_default_leader, + .gpl_only = false, + .ret_type = RET_INTEGER, + .arg1_type = ARG_CONST_MAP_PTR, + .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL, + .arg2_btf_id = &bpf_task_storage_btf_ids[0], +}; diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 330e9c365cdc..5b41b2aee39c 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -2457,6 +2457,10 @@ seccomp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) return ns_capable(current_user_ns(), CAP_SYS_PTRACE) ? &bpf_probe_read_user_str_proto : &bpf_probe_read_user_dumpable_str_proto; + case BPF_FUNC_task_storage_get: + return &bpf_task_storage_get_default_leader_proto; + case BPF_FUNC_task_storage_delete: + return &bpf_task_storage_delete_default_leader_proto; default: break; }