[PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access via /dev/bpf
Andy Lutomirski
luto at kernel.org
Mon Aug 5 17:23:10 UTC 2019
On Mon, Aug 5, 2019 at 12:37 AM Song Liu <songliubraving at fb.com> wrote:
>
> Hi Andy,
>
> >
> > # mount -t bpf bpf /sys/fs/bpf
> > # cd /sys/fs/bpf
> > # mkdir luto
> > # chown luto: luto
> > # setpriv --euid=1000 --ruid=1000 bash
> > $ pwd
> > /sys/fs/bpf
> > bash-5.0$ ls -l
> > total 0
> > drwxr-xr-x 2 luto luto 0 Aug 4 22:41 luto
> > bash-5.0$ bpftool map create /sys/fs/bpf/luto/filename type hash key 8
> > value 8 entries 64 name mapname
> > bash-5.0$ bpftool map dump pinned /sys/fs/bpf/luto/filename
> > Found 0 elements
> >
> > # chown root: /sys/fs/bpf/luto/filename
> >
> > $ bpftool map dump pinned /sys/fs/bpf/luto/filename
> > Error: bpf obj get (/sys/fs/bpf/luto): Permission denied
> >
> > So I think it's possible to get a respectable subset of bpf()
> > functionality working without privilege in short order :)
>
> I think we have two key questions to answer:
> 1. What subset of bpf() functionality will the users need?
> 2. Who are the users?
>
> Different answers to these two questions lead to different directions.
>
>
> In our use case, the answers are
> 1) almost all bpf() functionality
> 2) highly trusted users (sudoers)
>
> So our initial approach of /dev/bpf allows all bpf() functionality
> in one bit in task_struct. (Yes, we can just sudo. But, we would
> rather not use sudo when possible.)
For this, I think some compelling evidence is needed that a new kernel
mechanism is actually better than sudo and better than making bpftool
privileged as previously discussed :)
>
>
> "cgroup management" use case may have answers like:
> 1) cgroup_bpf only
> 2) users in their own containers
>
> For this case, getting cgroup_bpf related features (cgroup_bpf progs;
> some map types, etc.) work with unprivileged users would be the right
> direction.
:)
>
>
> "USDT tracing" use case may have answers like:
> 1) uprobe, stockmap, histogram, etc.
> 2) unprivileged user, w/ or w/o containers
>
> For this case, the first step is likely hacking sys_perf_event_open().
>
This would be nice.
>
> I guess we will need more discussions to decide how to make bpf()
> work better for all these (and more) use cases.
>
I refreshed the branch again. I had a giant hole in my previous idea
that we could deprivilege program loading: some BPF functions need
privilege. Now I have a changelog comment to that effect and a patch
that sketches out a way to addressing this.
I don't think I'm going to have time soon to actually get any of this
stuff mergeable, and it would be fantastic if you or someone else who
likes working of bpf were to take this code and run with it. Feel
free to add my Signed-off-by, and I'd be happy to help review.
More information about the Linux-security-module-archive
mailing list