diff mbox series

bpf: make unprivileged BPF a compile time choice

Message ID 20220404220314.112912-1-mcroce@linux.microsoft.com (mailing list archive)
State Changes Requested
Delegated to: BPF
Headers show
Series bpf: make unprivileged BPF a compile time choice | expand

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
netdev/tree_selection success Not a local patch

Commit Message

Matteo Croce April 4, 2022, 10:03 p.m. UTC
From: Matteo Croce <mcroce@microsoft.com>

Add a compile time option to permanently disable unprivileged BPF and
the corresponding sysctl handler so that there's absolutely no
concern about unprivileged BPF being enabled from userspace during
runtime. Special purpose kernels can benefit from the build-time
assurance that unprivileged eBPF is disabled in all of their kernel
builds rather than having to rely on userspace to permanently disable
it at boot time.
The default behaviour is left unchanged, which is: unprivileged BPF
compiled in but disabled at boot.

Signed-off-by: Matteo Croce <mcroce@microsoft.com>
---
 kernel/bpf/Kconfig   | 10 +++++++++-
 kernel/bpf/syscall.c |  4 +++-
 kernel/sysctl.c      |  4 ++++
 3 files changed, 16 insertions(+), 2 deletions(-)

Comments

Alexei Starovoitov April 4, 2022, 10:45 p.m. UTC | #1
On Mon, Apr 4, 2022 at 3:03 PM Matteo Croce <mcroce@linux.microsoft.com> wrote:
>
> From: Matteo Croce <mcroce@microsoft.com>
>
> Add a compile time option to permanently disable unprivileged BPF and
> the corresponding sysctl handler so that there's absolutely no
> concern about unprivileged BPF being enabled from userspace during
> runtime. Special purpose kernels can benefit from the build-time
> assurance that unprivileged eBPF is disabled in all of their kernel
> builds rather than having to rely on userspace to permanently disable
> it at boot time.
> The default behaviour is left unchanged, which is: unprivileged BPF
> compiled in but disabled at boot.

That is an insane level of "security" paranoia.
If you're so concerned about bpf do CONFIG_BPF_SYSCALL=n
diff mbox series

Patch

diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
index d56ee177d5f8..dfaef1ac1516 100644
--- a/kernel/bpf/Kconfig
+++ b/kernel/bpf/Kconfig
@@ -67,10 +67,18 @@  config BPF_JIT_DEFAULT_ON
 	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
 	depends on HAVE_EBPF_JIT && BPF_JIT
 
+config BPF_UNPRIV
+	bool "Unprivileged BPF"
+	default y
+	depends on BPF_SYSCALL
+	help
+	  Enables unprivileged BPF and the corresponding
+	  /proc/sys/kernel/unprivileged_bpf_disabled knob.
+
 config BPF_UNPRIV_DEFAULT_OFF
 	bool "Disable unprivileged BPF by default"
 	default y
-	depends on BPF_SYSCALL
+	depends on BPF_UNPRIV
 	help
 	  Disables unprivileged BPF by default by setting the corresponding
 	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index cdaa1152436a..b7e6aca87a18 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -53,7 +53,9 @@  static DEFINE_IDR(link_idr);
 static DEFINE_SPINLOCK(link_idr_lock);
 
 int sysctl_unprivileged_bpf_disabled __read_mostly =
-	IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0;
+	IS_BUILTIN(CONFIG_BPF_UNPRIV) ?
+		(IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0)
+		: 1;
 
 static const struct bpf_map_ops * const bpf_map_types[] = {
 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 830aaf8ca08e..a5b6e960ca58 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -184,6 +184,7 @@  void __weak unpriv_ebpf_notify(int new_state)
 {
 }
 
+#ifdef CONFIG_BPF_UNPRIV
 static int bpf_unpriv_handler(struct ctl_table *table, int write,
 			      void *buffer, size_t *lenp, loff_t *ppos)
 {
@@ -206,6 +207,7 @@  static int bpf_unpriv_handler(struct ctl_table *table, int write,
 
 	return ret;
 }
+#endif /* CONFIG_BPF_UNPRIV */
 #endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */
 
 /*
@@ -2300,6 +2302,7 @@  static struct ctl_table kern_table[] = {
 	},
 #endif
 #ifdef CONFIG_BPF_SYSCALL
+#ifdef CONFIG_BPF_UNPRIV
 	{
 		.procname	= "unprivileged_bpf_disabled",
 		.data		= &sysctl_unprivileged_bpf_disabled,
@@ -2309,6 +2312,7 @@  static struct ctl_table kern_table[] = {
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= SYSCTL_TWO,
 	},
+#endif
 	{
 		.procname	= "bpf_stats_enabled",
 		.data		= &bpf_stats_enabled_key.key,