I’d like to get your thoughts on adding LSM permission checks on BPF objects.
By default, the ability to create and use eBPF maps/programs requires CAP_SYS_ADMIN [1]. Alternatively, all processes can be granted access to bpf() functions. This seems like poor granularity. [2]
Like files and sockets, eBPF maps and programs can be passed between processes by FD and have a number of functions that map cleanly to permissions.
Let me know what you think. Are there simpler alternative approaches that we haven’t considered?
Thanks!
Jeff
[1] http://man7.org/linux/man-pages/man2/bpf.2.html NOTES section
[2] We are considering eBPF for network filtering by netd. Giving netd CAP_SYS_ADMIN would considerably increase netd’s privileges. Alternatively allowing all processes permission to use bpf() goes against the principle of least privilege exposing a lot of kernel attack surface to processes that do not actually need it.
