[PATCH bpf-next v1 00/13] MAC and Audit policy using eBPF (KRSI)
Stephen Smalley
sds at tycho.nsa.gov
Thu Jan 9 18:58:58 UTC 2020
On 1/9/20 1:11 PM, James Morris wrote:
> On Wed, 8 Jan 2020, Stephen Smalley wrote:
>
>> The cover letter subject line and the Kconfig help text refer to it as a
>> BPF-based "MAC and Audit policy". It has an enforce config option that
>> enables the bpf programs to deny access, providing access control. IIRC, in
>> the earlier discussion threads, the BPF maintainers suggested that Smack and
>> other LSMs could be entirely re-implemented via it in the future, and that
>> such an implementation would be more optimal.
>
> In this case, the eBPF code is similar to a kernel module, rather than a
> loadable policy file. It's a loadable mechanism, rather than a policy, in
> my view.
I thought you frowned on dynamically loadable LSMs for both security and
correctness reasons? And a traditional security module would necessarily
fall under GPL; is the eBPF code required to be likewise? If not, KRSI
is a gateway for proprietary LSMs...
> This would be similar to the difference between iptables rules and
> loadable eBPF networking code. I'd be interested to know how the
> eBPF networking scenarios are handled wrt kernel ABI.
>
>
>> Again, not arguing for or against, but wondering if people fully understand
>> the implications. If it ends up being useful, people will build access
>> control systems with it, and it directly exposes a lot of kernel internals to
>> userspace. There was a lot of concern originally about the LSM hook interface
>> becoming a stable ABI and/or about it being misused. Exposing that interface
>> along with every kernel data structure exposed through it to userspace seems
>> like a major leap.
>
> Agreed this is a leap, although I'm not sure I'd characterize it as
> exposure to userspace -- it allows dynamic extension of the LSM API from
> userland, but the code is executed in the kernel.
>
> KP: One thing I'd like to understand better is the attack surface
> introduced by this. IIUC, the BTF fields are read only, so the eBPF code
> should not be able to modify any LSM parameters, correct?
>
>
>> Even if the mainline kernel doesn't worry about any kind
>> of stable interface guarantees for it, the distros might be forced to provide
>> some kABI guarantees for it to appease ISVs and users...
>
> How is this handled currently for other eBPF use-cases?
>
More information about the Linux-security-module-archive
mailing list