From patchwork Wed Sep 14 07:24:13 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 9330555 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id BB72C6089F for ; Wed, 14 Sep 2016 07:27:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AFDE029A67 for ; Wed, 14 Sep 2016 07:27:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A099029A5D; Wed, 14 Sep 2016 07:27:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 327042968C for ; Wed, 14 Sep 2016 07:27:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759039AbcINH0O (ORCPT ); Wed, 14 Sep 2016 03:26:14 -0400 Received: from smtp-sh.infomaniak.ch ([128.65.195.4]:59304 "EHLO smtp-sh.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759045AbcINH0L (ORCPT ); Wed, 14 Sep 2016 03:26:11 -0400 Received: from smtp6.infomaniak.ch (smtp6.infomaniak.ch [83.166.132.19]) by smtp-sh.infomaniak.ch (8.14.5/8.14.5) with ESMTP id u8E7PACf011408 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 14 Sep 2016 09:25:10 +0200 Received: from localhost (ns3096276.ip-94-23-54.eu [94.23.54.103]) (authenticated bits=0) by smtp6.infomaniak.ch (8.14.5/8.14.5) with ESMTP id u8E7PA8R008417; Wed, 14 Sep 2016 09:25:10 +0200 From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: linux-kernel@vger.kernel.org Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Alexei Starovoitov , Andy Lutomirski , Arnd Bergmann , Casey Schaufler , Daniel Borkmann , Daniel Mack , David Drysdale , "David S . Miller" , Elena Reshetova , "Eric W . Biederman" , James Morris , Kees Cook , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Tejun Heo , Will Drewry , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, netdev@vger.kernel.org, cgroups@vger.kernel.org Subject: [RFC v3 20/22] landlock: Add update and debug access flags Date: Wed, 14 Sep 2016 09:24:13 +0200 Message-Id: <20160914072415.26021-21-mic@digikod.net> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20160914072415.26021-1-mic@digikod.net> References: <20160914072415.26021-1-mic@digikod.net> MIME-Version: 1.0 X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP For now, the update and debug accesses are only accessible to a process with CAP_SYS_ADMIN. This could change in the future. The capability check is statically done when loading an eBPF program, according to the current process. If the process has enough rights and set the appropriate access flags, then the dedicated functions or data will be accessible. With the update access, the following functions are available: * bpf_map_lookup_elem * bpf_map_update_elem * bpf_map_delete_elem * bpf_tail_call With the debug access, the following functions are available: * bpf_trace_printk * bpf_get_prandom_u32 * bpf_get_current_pid_tgid * bpf_get_current_uid_gid * bpf_get_current_comm Signed-off-by: Mickaël Salaün Cc: Alexei Starovoitov Cc: Andy Lutomirski Cc: Daniel Borkmann Cc: David S. Miller Cc: Kees Cook Cc: Sargun Dhillon --- include/uapi/linux/bpf.h | 4 +++- security/landlock/lsm.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 3cc52e51357f..8cfc2de2ab76 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -584,7 +584,9 @@ enum landlock_hook_id { #define _LANDLOCK_FLAG_ORIGIN_MASK ((1 << 3) - 1) /* context of function access flags */ -#define _LANDLOCK_FLAG_ACCESS_MASK ((1ULL << 0) - 1) +#define LANDLOCK_FLAG_ACCESS_UPDATE (1 << 0) +#define LANDLOCK_FLAG_ACCESS_DEBUG (1 << 1) +#define _LANDLOCK_FLAG_ACCESS_MASK ((1ULL << 2) - 1) /* Handle check flags */ #define LANDLOCK_FLAG_FS_DENTRY (1 << 0) diff --git a/security/landlock/lsm.c b/security/landlock/lsm.c index 2a15839a08c8..56c45abe979c 100644 --- a/security/landlock/lsm.c +++ b/security/landlock/lsm.c @@ -202,11 +202,57 @@ static int landlock_run_prog(enum landlock_hook_id hook_id, __u64 args[6]) static const struct bpf_func_proto *bpf_landlock_func_proto( enum bpf_func_id func_id, union bpf_prog_subtype *prog_subtype) { + bool access_update = !!(prog_subtype->landlock_hook.access & + LANDLOCK_FLAG_ACCESS_UPDATE); + bool access_debug = !!(prog_subtype->landlock_hook.access & + LANDLOCK_FLAG_ACCESS_DEBUG); + switch (func_id) { case BPF_FUNC_landlock_cmp_fs_prop_with_struct_file: return &bpf_landlock_cmp_fs_prop_with_struct_file_proto; case BPF_FUNC_landlock_cmp_fs_beneath_with_struct_file: return &bpf_landlock_cmp_fs_beneath_with_struct_file_proto; + + /* access_update */ + case BPF_FUNC_map_lookup_elem: + if (access_update) + return &bpf_map_lookup_elem_proto; + return NULL; + case BPF_FUNC_map_update_elem: + if (access_update) + return &bpf_map_update_elem_proto; + return NULL; + case BPF_FUNC_map_delete_elem: + if (access_update) + return &bpf_map_delete_elem_proto; + return NULL; + case BPF_FUNC_tail_call: + if (access_update) + return &bpf_tail_call_proto; + return NULL; + + /* access_debug */ + case BPF_FUNC_trace_printk: + if (access_debug) + return bpf_get_trace_printk_proto(); + return NULL; + case BPF_FUNC_get_prandom_u32: + if (access_debug) + return &bpf_get_prandom_u32_proto; + return NULL; + case BPF_FUNC_get_current_pid_tgid: + if (access_debug) + return &bpf_get_current_pid_tgid_proto; + return NULL; + case BPF_FUNC_get_current_uid_gid: + if (access_debug) + return &bpf_get_current_uid_gid_proto; + return NULL; + case BPF_FUNC_get_current_comm: + if (access_debug) + return &bpf_get_current_comm_proto; + return NULL; + default: return NULL; } @@ -348,6 +394,14 @@ static inline bool bpf_landlock_is_valid_subtype( if (prog_subtype->landlock_hook.access & ~_LANDLOCK_FLAG_ACCESS_MASK) return false; + /* check access flags */ + if (prog_subtype->landlock_hook.access & LANDLOCK_FLAG_ACCESS_UPDATE && + !capable(CAP_SYS_ADMIN)) + return false; + if (prog_subtype->landlock_hook.access & LANDLOCK_FLAG_ACCESS_DEBUG && + !capable(CAP_SYS_ADMIN)) + return false; + return true; }