While attempting to implement a bpf-based gatekeeper program as was
described in
https://lore.kernel.org/all/20250109214617.485144-1-bboscaccy@xxxxxxxxxxxxxxxxxxx/T/#mb10f3112df1a66c725df9d6035c5a68c72a0eb8d
we noticed that relying on IMA and fs-verity signatures alone was
insufficient. A user with sufficient privileges could ptrace, ld
preload or poke at memory in some other way while using a signed
lskel, leaving the signature intact, allowing them to load whatever
they wished into the kernel, effectively circumventing the gatekeeper.
That may be considered insecure in some scenarios.

Here we propose a very simple method of allowing metadata to be stored
in skeletons or dynamic libbpf-based loaders, by simply treating note
sections as read-only maps that are visible to the gatekeeper
program. Gatekeeper programs can then iterate the fd_array and see if
there are any relevant maps that they wish to consult.

No changes to the kernel-proper are required for this, and this should
help facilitate the implementation and design of secure bpf-based
gatekeepers, while keeping with the overall philosophy of bpf and not
enforcing any obtrusive abstractions upon anyone.

Blaise Boscaccy (1):
  libbpf: Convert ELF notes into read-only maps

 tools/bpf/bpftool/gen.c | 4 ++--
 tools/lib/bpf/libbpf.c  | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

--
2.48.1
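
An added example, not code from this series or from libbpf: a bounds-checked walk over raw ELF note records, the parsing a consumer needs before it can trust metadata read from a note-backed map. It assumes the map value holds the note section bytes unchanged; the owner name "GATE", note type 1, and the sample buffer are constructed for illustration, and this is plain user-space C rather than a BPF program.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ELF note record header; same layout as Elf64_Nhdr in <elf.h>. */
struct nhdr { uint32_t namesz, descsz, type; };
#define ALIGN4(x) (((size_t)(x) + 3u) & ~(size_t)3u)
/* Constructed sample: a "GNU" note followed by a hypothetical "GATE" note. */
static const struct {
    struct nhdr h1; char n1[4]; uint8_t d1[4];
    struct nhdr h2; char n2[8]; uint8_t d2[4];
} sample = {
    {4, 4, 3}, "GNU",  {1, 2, 3, 4},
    {5, 4, 1}, "GATE", {0xde, 0xad, 0xbe, 0xef},
};

/* Return the descriptor of the note with this owner name and type, or NULL
 * if it is absent or any record is malformed (fail closed). */
const uint8_t *note_find(const uint8_t *buf, size_t len, const char *owner,
                         uint32_t type, size_t *desc_len)
{
    size_t off = 0, want = strlen(owner) + 1; /* namesz counts the NUL */
    while (len - off >= sizeof(struct nhdr)) {
        struct nhdr h;
        memcpy(&h, buf + off, sizeof(h));     /* avoid unaligned reads */
        off += sizeof(h);
        size_t name_sz = ALIGN4(h.namesz), desc_sz = ALIGN4(h.descsz);
        /* Reject wrapped sizes and records that run past the buffer. */
        if (name_sz < h.namesz || desc_sz < h.descsz ||
            name_sz > len - off || desc_sz > len - off - name_sz)
            return NULL;
        if (h.type == type && h.namesz == want &&
            memcmp(buf + off, owner, want) == 0) {
            *desc_len = h.descsz;
            return buf + off + name_sz;
        }
        off += name_sz + desc_sz;             /* name and desc are 4-byte padded */
    }
    return NULL;
}

int main(void)
{
    size_t n = 0;
    const uint8_t *d = note_find((const uint8_t *)&sample, sizeof(sample), "GATE", 1, &n);
    printf("GATE note %s, %zu byte descriptor\n", d ? "found" : "missing", n);
    return d ? 0 : 1;
}
```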