From patchwork Fri May 28 14:32:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1485262 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fs6bf1DWrz9sWB; Sat, 29 May 2021 00:32:46 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lmdXW-0003tv-Ol; Fri, 28 May 2021 14:32:42 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lmdXV-0003te-QL for kernel-team@lists.ubuntu.com; Fri, 28 May 2021 14:32:41 +0000 Received: from [177.198.111.192] (helo=mussarela..) by youngberry.canonical.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1lmdXV-0002I6-1P for kernel-team@lists.ubuntu.com; Fri, 28 May 2021 14:32:41 +0000 From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [Unstable v2 1/2] bpf: Add kconfig knob for disabling unpriv bpf by default Date: Fri, 28 May 2021 11:32:26 -0300 Message-Id: <20210528143227.182638-2-cascardo@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210528143227.182638-1-cascardo@canonical.com> References: <20210528143227.182638-1-cascardo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Daniel Borkmann Add a kconfig knob which allows for unprivileged bpf to be disabled by default. If set, the knob sets /proc/sys/kernel/unprivileged_bpf_disabled to value of 2. This still allows a transition of 2 -> {0,1} through an admin. Similarly, this also still keeps 1 -> {1} behavior intact, so that once set to permanently disabled, it cannot be undone aside from a reboot. We've also added extra2 with max of 2 for the procfs handler, so that an admin still has a chance to toggle between 0 <-> 2. Either way, as an additional alternative, applications can make use of CAP_BPF that we added a while ago. Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/74ec548079189e4e4dffaeb42b8987bb3c852eee.1620765074.git.daniel@iogearbox.net (backported from commit 08389d888287c3823f80b0216766b71e17f0aba5) [cascardo: move the Kconfig option on init/Kconfig] Signed-off-by: Thadeu Lima de Souza Cascardo --- init/Kconfig | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/init/Kconfig b/init/Kconfig index dc3b6e6e20c0..0ae51861aa62 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1760,6 +1760,16 @@ config BPF_JIT_DEFAULT_ON def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON depends on HAVE_EBPF_JIT && BPF_JIT +config BPF_UNPRIV_DEFAULT_OFF + bool "Disable unprivileged BPF by default" + depends on BPF_SYSCALL + help + Disables unprivileged BPF by default by setting the corresponding + /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can + still reenable it by setting it to 0 later on, or permanently + disable it by setting it to 1 (from which no other transition to + 0 is possible anymore). + source "kernel/bpf/preload/Kconfig" config USERFAULTFD From patchwork Fri May 28 14:32:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1485263 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fs6bh6PWMz9sW5; Sat, 29 May 2021 00:32:48 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1lmdXZ-0003vU-Tb; Fri, 28 May 2021 14:32:45 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lmdXX-0003uU-JT for kernel-team@lists.ubuntu.com; Fri, 28 May 2021 14:32:43 +0000 Received: from [177.198.111.192] (helo=mussarela..) by youngberry.canonical.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1lmdXW-0002I6-TB for kernel-team@lists.ubuntu.com; Fri, 28 May 2021 14:32:43 +0000 From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [Unstable v2 2/2] UBUNTU: [Config]: set CONFIG_BPF_UNPRIV_DEFAULT_OFF=y Date: Fri, 28 May 2021 11:32:27 -0300 Message-Id: <20210528143227.182638-3-cascardo@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210528143227.182638-1-cascardo@canonical.com> References: <20210528143227.182638-1-cascardo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" This option will disable uprivileged BPF by default. It can be reenabled, though, as it uses the new value 2 for the kernel.unprivileged_bpf_disabled sysctl. That value disables it, but allows the sysctl knob to be set back to 0. This allows sysadmins to enable unprivileged BPF back by using sysctl config files. Signed-off-by: Thadeu Lima de Souza Cascardo --- debian.master/config/annotations | 1 + debian.master/config/config.common.ubuntu | 1 + 2 files changed, 2 insertions(+) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 03e3dacba02d..04e04783d7a6 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -11023,6 +11023,7 @@ CONFIG_LD_DEAD_CODE_DATA_ELIMINATION policy<{'ppc64el': 'n'}> CONFIG_BPF_LSM policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_BPF_SYSCALL policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_BPF_JIT_ALWAYS_ON policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> +CONFIG_BPF_UNPRIV_DEFAULT_OFF policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_USERFAULTFD policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_EMBEDDED policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> CONFIG_COMPAT_BRK policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'ppc64el': 'n', 's390x': 'n'}> diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 1caa404e4a2f..eec9edb03aff 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -1258,6 +1258,7 @@ CONFIG_BPF_LSM=y # CONFIG_BPF_PRELOAD is not set CONFIG_BPF_STREAM_PARSER=y CONFIG_BPF_SYSCALL=y +CONFIG_BPF_UNPRIV_DEFAULT_OFF=y CONFIG_BPQETHER=m CONFIG_BQL=y CONFIG_BRANCH_PROFILE_NONE=y