Re: [PATCH v2 bpf-next 1/4] bpf: unprivileged BPF access via /dev/bpf

Hi Andy, 

>>>> 
>>> 
>>> Well, yes. sys_bpf() is pretty powerful. 
>>> 
>>> The goal of /dev/bpf is to enable special users to call sys_bpf(). In 
>>> the meanwhile, such users should not take down the whole system easily
>>> by accident, e.g., with rm -rf /.
>> 
>> That’s easy, though — bpftool could learn to read /etc/bpfusers before allowing ruid != 0.
> 
> This is a great idea! fscaps + /etc/bpfusers should do the trick. 

After some discussions and more thinking on this, I have some concerns 
with the user space only approach.  

IIUC, your proposal for a user-space-only approach is like: 

1. bpftool (and other tools) check /etc/bpfusers and only do 
   setuid for allowed users:

	int main()
	{
		if (/* uid in /etc/bpfusers */)
			setuid(0);
		sys_bpf(...);
	}

2. bpftool (and other tools) is installed with CAP_SETUID:

	setcap cap_setuid=e+p /bin/bpftool

3. The sysadmin maintains a proper /etc/bpfusers. 

This approach is not ideal, because we need to trust the tool to give 
it CAP_SETUID. A hacked tool could easily bypass the /etc/bpfusers check
or use other root-only syscalls after setuid(0). 

Does this make sense? (Or did I misunderstand anything?)

Thanks,
Song
