[PATCH v2 bpf-next 00/18] BPF token
Andy Lutomirski
luto at kernel.org
Sat Jun 24 15:28:04 UTC 2023
On Sat, Jun 24, 2023, at 6:59 AM, Andy Lutomirski wrote:
> On Fri, Jun 23, 2023, at 4:23 PM, Daniel Borkmann wrote:
>
> If this series was about passing a “may load kernel modules” token
> around, I think it would get an extremely chilly reception, even though
> we have module signatures. I don’t see anything about BPF that makes
> BPF tokens more reasonable unless a real security model is developed
> first.
>
To be clear, I'm not saying that there should not be a mechanism to use BPF from a user namespace. I'm saying the mechanism should have explicit access control. It wouldn't need to solve all problems right away, but it should allow incrementally more features to be enabled as the access control solution gets more powerful over time.
BPF, unlike kernel modules, has a verifier. While it would be a departure from current practice, permission to use BPF could come with an explicit list of allowed functions and allowed hooks.
(The hooks wouldn't just be a list, presumably -- premission to install an XDP program would be scoped to networks over which one has CAP_NET_ADMIN, presumably. Other hooks would have their own scoping. Attaching to a cgroup should (and maybe already does?) require some kind of permission on the cgroup. Etc.)
If new, more restrictive functions are needed, they could be added.
Alternatively, people could try a limited form of BPF proxying. It wouldn't need to be a full proxy -- an outside daemon really could approve the attachment of a BPF program, and it could parse the program, examine the list of function it uses and what the proposed attachment is to, and make an educated decision. This would need some API changes (maybe), but it seems eminently doable.
More information about the Linux-security-module-archive
mailing list