On Sat, Jun 10, 2023 at 4:21 AM Yi He <clangllvm@xxxxxxx> wrote: > > Some eBPF helper functions have been long regarded as problematic[1]. > More than just used for powerful rootkit, these features can also be > exploited to harm the containers by perform various attacks to the > processes outside the container in the enrtire VM, such as process > DoS, information theft, and container escape. > > When a container is granted to run eBPF tracing programs (which > need CAP_SYS_ADMIN), it can use the eBPF KProbe programs to hijack the > process outside the contianer and to escape the containers. This kind > of risks is limited as privieleged containers are warned and can hardly > be accessed by the attackers. > > Even without CAP_SYS_ADMIN, since Linux 5.6, programs with with CAP_BPF + > CAP_PERFMON can use dangerous eBPF helpers such as bpf_read_user to steal > sensitive data (e.g., sshd/nginx private key) in other containers. You can do the same completely without BPF and with just CAP_PERFMON. I'm not going to share how, because you'll write a "security paper" about insecure linux just like last time: https://lore.kernel.org/bpf/20230117151256.605977-1-clangllvm@xxxxxxx/ Note, our answers didn't change. Look for security glory somewhere else.
