On Mon, Aug 28, 2017 at 6:15 PM, Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote:
> On Mon, Aug 28, 2017 at 05:47:19PM -0700, Chenbo Feng wrote:
>> On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov
>> <alexei.starovoitov@xxxxxxxxx> wrote:
>> > On Fri, Aug 25, 2017 at 10:07:27PM +0200, Daniel Borkmann wrote:
>> >> On 08/25/2017 09:52 PM, Chenbo Feng wrote:
>> >> > On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep <jeffv@xxxxxxxxxx> wrote:
>> >> > > On Fri, Aug 25, 2017 at 12:26 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> >> > > > On Fri, 2017-08-25 at 11:01 -0700, Jeffrey Vander Stoep via Selinux
>> >> > > > wrote:
>> >> > > > > I’d like to get your thoughts on adding LSM permission checks on BPF
>> >> > > > > objects.
>> >
>> > before reinventing the wheel please take a look at landlock work.
>> > Everything that was discussed in this thread is covered by it.
>> > The patches have been in development for more than a year and most of the early
>> > issues have been resolved.
>> > It will be presented again during security summit in LA in September.
>> >
>> I am not very familiar with landlock lsm, doesn't this module also
>> depend on the lsm hooks to do
>> the landlock check? If so then adding lsm hooks for eBPF object seems
>> not to conflict with the
>> work in progress.
>
> I see. I got it the other way around. What lsm checks are you proposing?
> and why is unprivileged_bpf_disabled not enough?
> you want to allow unpriv only for specific user(s)?
>
Exactly, the proposal patch I am currently working on will add checks
before map creation, map read, and map modify, since all these
functionalities will be available to all users when
unprivileged_bpf_disabled is turned off. And eBPF prog_load may also
need a check as well since loading some types of program is not
restricted either.