[PATCH bpf-next v5 4/7] bpf: lsm: Implement attach, detach and execution
Kees Cook
keescook at chromium.org
Tue Mar 24 18:34:52 UTC 2020
On Tue, Mar 24, 2020 at 07:31:30PM +0100, KP Singh wrote:
> On 24-Mär 19:27, KP Singh wrote:
> > We do not have a specific capable check for BPF_PROG_TYPE_LSM programs
> > now. There is a general check which requires CAP_SYS_ADMIN when
> > unprivileged BPF is disabled:
> >
> > in kernel/bpf/sycall.c:
> >
> > if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
> > return -EPERM;
> >
> > AFAIK, Most distros disable unprivileged eBPF.
> >
> > Now that I look at this, I think we might need a CAP_MAC_ADMIN check
> > though as unprivileged BPF being enabled will result in an
> > unprivileged user being able to load MAC policies.
>
> Actually we do have an extra check for loading BPF programs:
>
>
> in kernel/bpf/syscall.c:bpf_prog_load
>
> if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
> type != BPF_PROG_TYPE_CGROUP_SKB &&
> !capable(CAP_SYS_ADMIN))
> return -EPERM;
>
> Do you think we still need a CAP_MAC_ADMIN check for LSM programs?
IMO, these are distinct privileges on the non-SELinux system. I think
your patch is fine as-is.
--
Kees Cook
More information about the Linux-security-module-archive
mailing list