On 29/08/2017 03:44, Chenbo Feng wrote: > On Mon, Aug 28, 2017 at 6:15 PM, Alexei Starovoitov > <alexei.starovoitov@xxxxxxxxx> wrote: >> On Mon, Aug 28, 2017 at 05:47:19PM -0700, Chenbo Feng wrote: >>> On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov >>> <alexei.starovoitov@xxxxxxxxx> wrote: >>>> On Fri, Aug 25, 2017 at 10:07:27PM +0200, Daniel Borkmann wrote: >>>>> On 08/25/2017 09:52 PM, Chenbo Feng wrote: >>>>>> On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep <jeffv@xxxxxxxxxx> wrote: >>>>>>> On Fri, Aug 25, 2017 at 12:26 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >>>>>>>> On Fri, 2017-08-25 at 11:01 -0700, Jeffrey Vander Stoep via Selinux >>>>>>>> wrote: >>>>>>>>> I’d like to get your thoughts on adding LSM permission checks on BPF >>>>>>>>> objects. >>>> >>>> before reinventing the wheel please take a look at landlock work. >>>> Everything that was discussed in this thread is covered by it. >>>> The patches have been in development for more than a year and most of the early >>>> issues have been resolved. >>>> It will be presented again during security summit in LA in September. >>>> >>> I am not very familiar with landlock lsm, isn't this module also >>> depend on the lsm hooks to do >>> the landlock check? If so then adding lsm hooks for eBPF object seems >>> not conflict with the >>> work on progress. >> >> I see. I got it the other way around. What lsm checks are you proposing? >> and why unprivileged_bpf_disabled is not enough? >> you want to allow unpriv only for specific user(s) ? >> > Exactly, the proposal patch I am currently working on will add checks > before map creation, > map read, and map modify, since all these functionalities will be > available to all users when > unprivileged_bpf_disabled is turned off. And eBPF prog_load may also > need a check as well > since loading some types of program is not restricted either. > It would be interesting to be able to check a wide range of actions performed with the BPF syscall: the command and the union bpf_attr argument. Because it is a multiplexer, that may be challenging, though.
Attachment:
signature.asc
Description: OpenPGP digital signature
