Closing the BPF map permission loophole
Roberto Sassu
roberto.sassu at huaweicloud.com
Mon Dec 12 16:10:37 UTC 2022
On Mon, 2022-11-07 at 13:11 +0100, Roberto Sassu wrote:
[...]
> > > > P.S. We can extend this to BPF-side BPF_F_RDONLY_PROG |
> > > > BPF_F_WRONLY_PROG as well, it's just that we'll need to define how
> > > > user will control that. E.g., FS read-only permission, does it
> > > > restrict both user-space and BPF-view, or just user-space view? We can
> > > > certainly extend file_flags to allow users to get BPF-side read-only
> > > > and user-space-side read-write BPF map FD, for example. Obviously, BPF
> > > > verifier would need to know about struct bpf_map_view when accepting
> > > > BPF map FD in ldimm64 and such.
> > >
> > > I guess, this patch could be used:
> > >
> > > https://lore.kernel.org/bpf/20220926154430.1552800-3-roberto.sassu@huaweicloud.com/
> > >
> > > When passing a fd to an eBPF program, the permissions of the user space
> > > side cannot exceed those defined from eBPF program side.
> >
> > Don't know, maybe. But I can see how BPF-side can be declared r/w for
> > BPF programs, while user-space should be restricted to read-only. I'm
> > a bit hesitant to artificially couple both together.
>
> Ok. At least what I would do is to forbid write, if you provide a read-
> only fd.
Ok, we didn't do too much progress for a while. I would like to resume
the discussion.
Can we start from the first point Lorenz mentioned? Given a read-only
map fd, it is not possible to write to the map. Can we make sure that
this properly work?
In my opinion, to achieve this particular goal, the map view
abstraction Andrii suggested, should not be necessary. For pinning too,
I think incremental changes on top of the ones suggested below would be
sufficient, so I would rather discuss them separately.
As far as I know, there are two open issues that prevent Lorenz's
assertion on read-only map fds from being true. They are:
- map iterator
- map fd injected to eBPF programs
In both cases, a read-only map fd is sufficient to cause a map update.
I have proposed two patches to address the issues above:
https://lore.kernel.org/bpf/20220906170301.256206-2-roberto.sassu@huaweicloud.com/
If an iterator allows the key or value to be modified by an eBPF
program, ensure that the map fd passed to it is read-write. Otherwise,
read-only is sufficient if both cannot be modified.
https://lore.kernel.org/bpf/20220926154430.1552800-3-roberto.sassu@huaweicloud.com/
Let the verifier allow the minimum operations granted by eBPF-side
permissions and by fd modes. The intersection needs to be applied
because the map can be modified by the eBPF program through map
helpers, so it is eBPF-side, but at the same time whoever granted the
requestor a map fd expects that the permissions included in that fd are
enforced by any function using it.
I believe that with these patches Lorenz's assertion of a read-only map
fd would be true. I'm not aware of other ways which would make the
assertion false.
Thanks
Roberto
More information about the Linux-security-module-archive
mailing list