BPF LSM prevent program unload

Song Liu song at kernel.org
Thu Dec 7 23:42:49 UTC 2023


Hi Frederick,

On Thu, Dec 7, 2023 at 3:30 PM Frederick Lawler <fred at cloudflare.com> wrote:
>
[...]
> > While, I think this may be doable with existing LSM hooks but we need
> > to probably have to cover multiple hook points needed to prevent one
> > action which makes a good case for another LSM hook, perhaps something
> > in the link->ops->detach path like
> > https://elixir.bootlin.com/linux/latest/source/kernel/bpf/syscall.c#L5074
> >
> > What do you think?
>
> That's what I was thinking for option (4) "introduce a
> security_bpf_prog_unload()". Anyway, I agree. Paul brought up a good
> point that he'd like to see more discussion around this idea [1].
> Mucking with the mounts (see below) is a bit of a mess, and there could
> still exist other methods for unloading I'm not aware of yet.
>
> Yesterday I whipped up a hack such that:
>
>         mkdir -p /run/fs/bpf-lsm
>         mount -t bpf none /run/fs/bpf-lsm
>         ./load-policies /run/fs/bpf-lsm

Trying to understand the solution here. Does load-policies add multiple
policies to stop different ways to unload the LSM BPF program (unpin,
umount, etc.)? So the only way to unload these policies is reboot. If this
is the case, could you please share the list of hooks needed to achieve a
secure result? If the list is really long, we should probably add an option to
permanently load and attach a program (until reboot).

Thanks,
Song
More information about the Linux-security-module-archive mailing list