Commit 2c78ee89 authored by Alexei Starovoitov's avatar Alexei Starovoitov Committed by Daniel Borkmann
Browse files

bpf: Implement CAP_BPF 



Implement permissions as stated in uapi/linux/capability.h
In order to do that the verifier allow_ptr_leaks flag is split
into four flags and they are set as:
  env->allow_ptr_leaks = bpf_allow_ptr_leaks();
  env->bypass_spec_v1 = bpf_bypass_spec_v1();
  env->bypass_spec_v4 = bpf_bypass_spec_v4();
  env->bpf_capable = bpf_capable();

The first three currently equivalent to perfmon_capable(), since leaking kernel
pointers and reading kernel memory via side channel attacks is roughly
equivalent to reading kernel memory with cap_perfmon.

'bpf_capable' enables bounded loops, precision tracking, bpf to bpf calls and
other verifier features. 'allow_ptr_leaks' enable ptr leaks, ptr conversions,
subtraction of pointers. 'bypass_spec_v1' disables speculative analysis in the
verifier, run time mitigations in bpf array, and enables indirect variable
access in bpf programs. 'bypass_spec_v4' disables emission of sanitation code
by the verifier.

That means that the networking BPF program loaded with CAP_BPF + CAP_NET_ADMIN
will have speculative checks done by the verifier and other spectre mitigation
applied. Such networking BPF program will not be able to leak kernel pointers
and will not be able to access arbitrary kernel memory.

Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20200513230355.7858-3-alexei.starovoitov@gmail.com
parent a17b53c4

drivers/media/rc/bpf-lirc.c

+1 −1
Original line number Diff line number Diff line
@@ -110,7 +110,7 @@ lirc_mode2_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) 
	case BPF_FUNC_get_prandom_u32:

		return &bpf_get_prandom_u32_proto;

	case BPF_FUNC_trace_printk:

		if (capable(CAP_SYS_ADMIN))

		if (perfmon_capable())

			return bpf_get_trace_printk_proto();

		/* fall through */

	default:

include/linux/bpf.h

+17 −1
Original line number Diff line number Diff line
@@ -19,6 +19,7 @@ 
#include <linux/mutex.h>

#include <linux/module.h>

#include <linux/kallsyms.h>

#include <linux/capability.h>



struct bpf_verifier_env;

struct bpf_verifier_log;
@@ -119,7 +120,7 @@ struct bpf_map { 
	struct bpf_map_memory memory;

	char name[BPF_OBJ_NAME_LEN];

	u32 btf_vmlinux_value_type_id;

	bool unpriv_array;

	bool bypass_spec_v1;

	bool frozen; /* write-once; write-protected by freeze_mutex */

	/* 22 bytes hole */
@@ -1095,6 +1096,21 @@ struct bpf_map *bpf_map_get_curr_or_next(u32 *id); 


extern int sysctl_unprivileged_bpf_disabled;



static inline bool bpf_allow_ptr_leaks(void)

{

	return perfmon_capable();

}



static inline bool bpf_bypass_spec_v1(void)

{

	return perfmon_capable();

}



static inline bool bpf_bypass_spec_v4(void)

{

	return perfmon_capable();

}



int bpf_map_new_fd(struct bpf_map *map, int flags);

int bpf_prog_new_fd(struct bpf_prog *prog);

include/linux/bpf_verifier.h

+3 −0
Original line number Diff line number Diff line
@@ -375,6 +375,9 @@ struct bpf_verifier_env { 
	u32 used_map_cnt;		/* number of used maps */

	u32 id_gen;			/* used to generate unique reg IDs */

	bool allow_ptr_leaks;

	bool bpf_capable;

	bool bypass_spec_v1;

	bool bypass_spec_v4;

	bool seen_direct_write;

	struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */

	const struct bpf_line_info *prev_linfo;

kernel/bpf/arraymap.c

+5 −5
Original line number Diff line number Diff line
@@ -77,7 +77,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) 
	bool percpu = attr->map_type == BPF_MAP_TYPE_PERCPU_ARRAY;

	int ret, numa_node = bpf_map_attr_numa_node(attr);

	u32 elem_size, index_mask, max_entries;

	bool unpriv = !capable(CAP_SYS_ADMIN);

	bool bypass_spec_v1 = bpf_bypass_spec_v1();

	u64 cost, array_size, mask64;

	struct bpf_map_memory mem;

	struct bpf_array *array;
@@ -95,7 +95,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) 
	mask64 -= 1;



	index_mask = mask64;

	if (unpriv) {

	if (!bypass_spec_v1) {

		/* round up array size to nearest power of 2,

		 * since cpu will speculate within index_mask limits

		 */
@@ -149,7 +149,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) 
		return ERR_PTR(-ENOMEM);

	}

	array->index_mask = index_mask;

	array->map.unpriv_array = unpriv;

	array->map.bypass_spec_v1 = bypass_spec_v1;



	/* copy mandatory map attributes */

	bpf_map_init_from_attr(&array->map, attr);
@@ -219,7 +219,7 @@ static u32 array_map_gen_lookup(struct bpf_map *map, struct bpf_insn *insn_buf) 


	*insn++ = BPF_ALU64_IMM(BPF_ADD, map_ptr, offsetof(struct bpf_array, value));

	*insn++ = BPF_LDX_MEM(BPF_W, ret, index, 0);

	if (map->unpriv_array) {

	if (!map->bypass_spec_v1) {

		*insn++ = BPF_JMP_IMM(BPF_JGE, ret, map->max_entries, 4);

		*insn++ = BPF_ALU32_IMM(BPF_AND, ret, array->index_mask);

	} else {
@@ -1053,7 +1053,7 @@ static u32 array_of_map_gen_lookup(struct bpf_map *map, 


	*insn++ = BPF_ALU64_IMM(BPF_ADD, map_ptr, offsetof(struct bpf_array, value));

	*insn++ = BPF_LDX_MEM(BPF_W, ret, index, 0);

	if (map->unpriv_array) {

	if (!map->bypass_spec_v1) {

		*insn++ = BPF_JMP_IMM(BPF_JGE, ret, map->max_entries, 6);

		*insn++ = BPF_ALU32_IMM(BPF_AND, ret, array->index_mask);

	} else {

kernel/bpf/bpf_struct_ops.c

+1 −1
Original line number Diff line number Diff line
@@ -557,7 +557,7 @@ static struct bpf_map *bpf_struct_ops_map_alloc(union bpf_attr *attr) 
	struct bpf_map *map;

	int err;



	if (!capable(CAP_SYS_ADMIN))

	if (!bpf_capable())

		return ERR_PTR(-EPERM);



	st_ops = bpf_struct_ops_find_value(attr->btf_vmlinux_value_type_id);

CRA Git | Maintained and supported by SUSTech CRA and CCSE