a17b53c4a4
Split BPF operations that are allowed under CAP_SYS_ADMIN into
combination of CAP_BPF, CAP_PERFMON, CAP_NET_ADMIN.
For backward compatibility include them in CAP_SYS_ADMIN as well.
The end result provides simple safety model for applications that use BPF:
- to load tracing program types
BPF_PROG_TYPE_{KPROBE, TRACEPOINT, PERF_EVENT, RAW_TRACEPOINT, etc}
use CAP_BPF and CAP_PERFMON
- to load networking program types
BPF_PROG_TYPE_{SCHED_CLS, XDP, SK_SKB, etc}
use CAP_BPF and CAP_NET_ADMIN
There are few exceptions from this rule:
- bpf_trace_printk() is allowed in networking programs, but it's using
tracing mechanism, hence this helper needs additional CAP_PERFMON
if networking program is using this helper.
- BPF_F_ZERO_SEED flag for hash/lru map is allowed under CAP_SYS_ADMIN only
to discourage production use.
- BPF HW offload is allowed under CAP_SYS_ADMIN.
- bpf_probe_write_user() is allowed under CAP_SYS_ADMIN only.
CAPs are not checked at attach/detach time with two exceptions:
- loading BPF_PROG_TYPE_CGROUP_SKB is allowed for unprivileged users,
hence CAP_NET_ADMIN is required at attach time.
- flow_dissector detach doesn't check prog FD at detach,
hence CAP_NET_ADMIN is required at detach time.
CAP_SYS_ADMIN is required to iterate BPF objects (progs, maps, links) via get_next_id
command and convert them to file descriptor via GET_FD_BY_ID command.
This restriction guarantees that mutliple tasks with CAP_BPF are not able to
affect each other. That leads to clean isolation of tasks. For example:
task A with CAP_BPF and CAP_NET_ADMIN loads and attaches a firewall via bpf_link.
task B with the same capabilities cannot detach that firewall unless
task A explicitly passed link FD to task B via scm_rights or bpffs.
CAP_SYS_ADMIN can still detach/unload everything.
Two networking user apps with CAP_SYS_ADMIN and CAP_NET_ADMIN can
accidentely mess with each other programs and maps.
Two networking user apps with CAP_NET_ADMIN and CAP_BPF cannot affect each other.
CAP_NET_ADMIN + CAP_BPF allows networking programs access only packet data.
Such networking progs cannot access arbitrary kernel memory or leak pointers.
bpftool, bpftrace, bcc tools binaries should NOT be installed with
CAP_BPF and CAP_PERFMON, since unpriv users will be able to read kernel secrets.
But users with these two permissions will be able to use these tracing tools.
CAP_PERFMON is least secure, since it allows kprobes and kernel memory access.
CAP_NET_ADMIN can stop network traffic via iproute2.
CAP_BPF is the safest from security point of view and harmless on its own.
Having CAP_BPF and/or CAP_NET_ADMIN is not enough to write into arbitrary map
and if that map is used by firewall-like bpf prog.
CAP_BPF allows many bpf prog_load commands in parallel. The verifier
may consume large amount of memory and significantly slow down the system.
Existing unprivileged BPF operations are not affected.
In particular unprivileged users are allowed to load socket_filter and cg_skb
program types and to create array, hash, prog_array, map-in-map map types.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20200513230355.7858-2-alexei.starovoitov@gmail.com
270 lines
8 KiB
C
270 lines
8 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* This is <linux/capability.h>
|
|
*
|
|
* Andrew G. Morgan <morgan@kernel.org>
|
|
* Alexander Kjeldaas <astor@guardian.no>
|
|
* with help from Aleph1, Roland Buresund and Andrew Main.
|
|
*
|
|
* See here for the libcap library ("POSIX draft" compliance):
|
|
*
|
|
* ftp://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
|
|
*/
|
|
#ifndef _LINUX_CAPABILITY_H
|
|
#define _LINUX_CAPABILITY_H
|
|
|
|
#include <uapi/linux/capability.h>
|
|
#include <linux/uidgid.h>
|
|
|
|
#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
|
|
#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
|
|
|
|
extern int file_caps_enabled;
|
|
|
|
typedef struct kernel_cap_struct {
|
|
__u32 cap[_KERNEL_CAPABILITY_U32S];
|
|
} kernel_cap_t;
|
|
|
|
/* same as vfs_ns_cap_data but in cpu endian and always filled completely */
|
|
struct cpu_vfs_cap_data {
|
|
__u32 magic_etc;
|
|
kernel_cap_t permitted;
|
|
kernel_cap_t inheritable;
|
|
kuid_t rootid;
|
|
};
|
|
|
|
#define _USER_CAP_HEADER_SIZE (sizeof(struct __user_cap_header_struct))
|
|
#define _KERNEL_CAP_T_SIZE (sizeof(kernel_cap_t))
|
|
|
|
|
|
struct file;
|
|
struct inode;
|
|
struct dentry;
|
|
struct task_struct;
|
|
struct user_namespace;
|
|
|
|
extern const kernel_cap_t __cap_empty_set;
|
|
extern const kernel_cap_t __cap_init_eff_set;
|
|
|
|
/*
|
|
* Internal kernel functions only
|
|
*/
|
|
|
|
#define CAP_FOR_EACH_U32(__capi) \
|
|
for (__capi = 0; __capi < _KERNEL_CAPABILITY_U32S; ++__capi)
|
|
|
|
/*
|
|
* CAP_FS_MASK and CAP_NFSD_MASKS:
|
|
*
|
|
* The fs mask is all the privileges that fsuid==0 historically meant.
|
|
* At one time in the past, that included CAP_MKNOD and CAP_LINUX_IMMUTABLE.
|
|
*
|
|
* It has never meant setting security.* and trusted.* xattrs.
|
|
*
|
|
* We could also define fsmask as follows:
|
|
* 1. CAP_FS_MASK is the privilege to bypass all fs-related DAC permissions
|
|
* 2. The security.* and trusted.* xattrs are fs-related MAC permissions
|
|
*/
|
|
|
|
# define CAP_FS_MASK_B0 (CAP_TO_MASK(CAP_CHOWN) \
|
|
| CAP_TO_MASK(CAP_MKNOD) \
|
|
| CAP_TO_MASK(CAP_DAC_OVERRIDE) \
|
|
| CAP_TO_MASK(CAP_DAC_READ_SEARCH) \
|
|
| CAP_TO_MASK(CAP_FOWNER) \
|
|
| CAP_TO_MASK(CAP_FSETID))
|
|
|
|
# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE))
|
|
|
|
#if _KERNEL_CAPABILITY_U32S != 2
|
|
# error Fix up hand-coded capability macro initializers
|
|
#else /* HAND-CODED capability initializers */
|
|
|
|
#define CAP_LAST_U32 ((_KERNEL_CAPABILITY_U32S) - 1)
|
|
#define CAP_LAST_U32_VALID_MASK (CAP_TO_MASK(CAP_LAST_CAP + 1) -1)
|
|
|
|
# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
|
|
# define CAP_FULL_SET ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }})
|
|
# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
|
|
| CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
|
|
CAP_FS_MASK_B1 } })
|
|
# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
|
|
| CAP_TO_MASK(CAP_SYS_RESOURCE), \
|
|
CAP_FS_MASK_B1 } })
|
|
|
|
#endif /* _KERNEL_CAPABILITY_U32S != 2 */
|
|
|
|
# define cap_clear(c) do { (c) = __cap_empty_set; } while (0)
|
|
|
|
#define cap_raise(c, flag) ((c).cap[CAP_TO_INDEX(flag)] |= CAP_TO_MASK(flag))
|
|
#define cap_lower(c, flag) ((c).cap[CAP_TO_INDEX(flag)] &= ~CAP_TO_MASK(flag))
|
|
#define cap_raised(c, flag) ((c).cap[CAP_TO_INDEX(flag)] & CAP_TO_MASK(flag))
|
|
|
|
#define CAP_BOP_ALL(c, a, b, OP) \
|
|
do { \
|
|
unsigned __capi; \
|
|
CAP_FOR_EACH_U32(__capi) { \
|
|
c.cap[__capi] = a.cap[__capi] OP b.cap[__capi]; \
|
|
} \
|
|
} while (0)
|
|
|
|
#define CAP_UOP_ALL(c, a, OP) \
|
|
do { \
|
|
unsigned __capi; \
|
|
CAP_FOR_EACH_U32(__capi) { \
|
|
c.cap[__capi] = OP a.cap[__capi]; \
|
|
} \
|
|
} while (0)
|
|
|
|
static inline kernel_cap_t cap_combine(const kernel_cap_t a,
|
|
const kernel_cap_t b)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_BOP_ALL(dest, a, b, |);
|
|
return dest;
|
|
}
|
|
|
|
static inline kernel_cap_t cap_intersect(const kernel_cap_t a,
|
|
const kernel_cap_t b)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_BOP_ALL(dest, a, b, &);
|
|
return dest;
|
|
}
|
|
|
|
static inline kernel_cap_t cap_drop(const kernel_cap_t a,
|
|
const kernel_cap_t drop)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_BOP_ALL(dest, a, drop, &~);
|
|
return dest;
|
|
}
|
|
|
|
static inline kernel_cap_t cap_invert(const kernel_cap_t c)
|
|
{
|
|
kernel_cap_t dest;
|
|
CAP_UOP_ALL(dest, c, ~);
|
|
return dest;
|
|
}
|
|
|
|
static inline bool cap_isclear(const kernel_cap_t a)
|
|
{
|
|
unsigned __capi;
|
|
CAP_FOR_EACH_U32(__capi) {
|
|
if (a.cap[__capi] != 0)
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/*
|
|
* Check if "a" is a subset of "set".
|
|
* return true if ALL of the capabilities in "a" are also in "set"
|
|
* cap_issubset(0101, 1111) will return true
|
|
* return false if ANY of the capabilities in "a" are not in "set"
|
|
* cap_issubset(1111, 0101) will return false
|
|
*/
|
|
static inline bool cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
|
|
{
|
|
kernel_cap_t dest;
|
|
dest = cap_drop(a, set);
|
|
return cap_isclear(dest);
|
|
}
|
|
|
|
/* Used to decide between falling back on the old suser() or fsuser(). */
|
|
|
|
static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
|
return cap_drop(a, __cap_fs_set);
|
|
}
|
|
|
|
static inline kernel_cap_t cap_raise_fs_set(const kernel_cap_t a,
|
|
const kernel_cap_t permitted)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_FS_SET;
|
|
return cap_combine(a,
|
|
cap_intersect(permitted, __cap_fs_set));
|
|
}
|
|
|
|
static inline kernel_cap_t cap_drop_nfsd_set(const kernel_cap_t a)
|
|
{
|
|
const kernel_cap_t __cap_fs_set = CAP_NFSD_SET;
|
|
return cap_drop(a, __cap_fs_set);
|
|
}
|
|
|
|
static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
|
|
const kernel_cap_t permitted)
|
|
{
|
|
const kernel_cap_t __cap_nfsd_set = CAP_NFSD_SET;
|
|
return cap_combine(a,
|
|
cap_intersect(permitted, __cap_nfsd_set));
|
|
}
|
|
|
|
#ifdef CONFIG_MULTIUSER
|
|
extern bool has_capability(struct task_struct *t, int cap);
|
|
extern bool has_ns_capability(struct task_struct *t,
|
|
struct user_namespace *ns, int cap);
|
|
extern bool has_capability_noaudit(struct task_struct *t, int cap);
|
|
extern bool has_ns_capability_noaudit(struct task_struct *t,
|
|
struct user_namespace *ns, int cap);
|
|
extern bool capable(int cap);
|
|
extern bool ns_capable(struct user_namespace *ns, int cap);
|
|
extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
|
|
extern bool ns_capable_setid(struct user_namespace *ns, int cap);
|
|
#else
|
|
static inline bool has_capability(struct task_struct *t, int cap)
|
|
{
|
|
return true;
|
|
}
|
|
static inline bool has_ns_capability(struct task_struct *t,
|
|
struct user_namespace *ns, int cap)
|
|
{
|
|
return true;
|
|
}
|
|
static inline bool has_capability_noaudit(struct task_struct *t, int cap)
|
|
{
|
|
return true;
|
|
}
|
|
static inline bool has_ns_capability_noaudit(struct task_struct *t,
|
|
struct user_namespace *ns, int cap)
|
|
{
|
|
return true;
|
|
}
|
|
static inline bool capable(int cap)
|
|
{
|
|
return true;
|
|
}
|
|
static inline bool ns_capable(struct user_namespace *ns, int cap)
|
|
{
|
|
return true;
|
|
}
|
|
static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
|
|
{
|
|
return true;
|
|
}
|
|
static inline bool ns_capable_setid(struct user_namespace *ns, int cap)
|
|
{
|
|
return true;
|
|
}
|
|
#endif /* CONFIG_MULTIUSER */
|
|
extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode);
|
|
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
|
|
extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
|
|
extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
|
|
static inline bool perfmon_capable(void)
|
|
{
|
|
return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
|
|
}
|
|
|
|
static inline bool bpf_capable(void)
|
|
{
|
|
return capable(CAP_BPF) || capable(CAP_SYS_ADMIN);
|
|
}
|
|
|
|
/* audit system wants to get cap info from files as well */
|
|
extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
|
|
|
|
extern int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size);
|
|
|
|
#endif /* !_LINUX_CAPABILITY_H */
|