Re: [PATCH bpf-next v2 0/3] bpf: add boot parameters for sysctl knobs
On Thu, May 24, 2018 at 04:34:51PM -0700, Alexei Starovoitov wrote:
> On Thu, May 24, 2018 at 09:41:08AM +0200, Jesper Dangaard Brouer wrote:
> > On Wed, 23 May 2018 15:02:45 -0700
> > Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote:
> >
> > > On Wed, May 23, 2018 at 02:18:19PM +0200, Eugene Syromiatnikov wrote:
> > > > Some BPF sysctl knobs affect the loading of BPF programs, and during
> > > > system boot/init stages these sysctls are not yet configured.
> > > > A concrete example is systemd, that has implemented loading of BPF
> > > > programs.
> > > >
> > > > Thus, to allow controlling these setting at early boot, this patch set
> > > > adds the ability to change the default setting of these sysctl knobs
> > > > as well as option to override them via a boot-time kernel parameter
> > > > (in order to avoid rebuilding kernel each time a need of changing these
> > > > defaults arises).
> > > >
> > > > The sysctl knobs in question are kernel.unprivileged_bpf_disable,
> > > > net.core.bpf_jit_harden, and net.core.bpf_jit_kallsyms.
> > >
> > > - systemd is root. today it only uses cgroup-bpf progs which require root,
> > >   so disabling unpriv during boot time makes no difference to systemd.
> > >   what is the actual reason to present time?

systemd also runs a lot of code, some of which is unprivileged.

> > > - say in the future systemd wants to use so_reuseport+bpf for faster
> > >   networking. With unpriv disable during boot, it will force systemd
> > >   to do such networking from root, which will lower its security barrier.

No, it will force systemd not to use SO_REUSEPORT BPF.

> > > - bpf_jit_kallsyms sysctl has immediate effect on loaded programs.
> > >   Flipping it during the boot or right after or any time after
> > >   is the same thing. Why add such boot flag then?

Well, that one was for completeness.

> > > - jit_harden can be turned on by systemd. so turning it during the boot
> > >   will make systemd progs to be constant blinded.
> > >   Constant blinding protects kernel from unprivileged JIT spraying.
> > >   Are you worried that systemd will attack the kernel with JIT spraying?

I'm worried that systemd can be exploited for a JIT spraying attack.
Another thing I'm concerned with is that the generated code is different,
which introduces additional complication during debugging.

> > I think you are missing that, we want the ability to change these
> > defaults in-order to avoid depending on /etc/sysctl.conf settings, and
> > that the these sysctl.conf setting happen too late.
>
> What does it mean 'happens too late' ?
> Too late for what?
> sysctl.conf has plenty of system critical knobs like
> kernel.perf_event_paranoid, kernel.core_pattern, etc
> The behavior of the host is drastically different after sysctl config
> is applied.
>
> > For example with jit_harden, there will be a difference between the
> > loaded BPF program that got loaded at boot-time with systemd (no
> > constant blinding) and when someone reloads that systemd service after
> > /etc/sysctl.conf have been evaluated and setting bpf_jit_harden (now
> > slower due to constant blinding). This is inconsistent behavior.
>
> net.core.bpf_jit_harden can be flipped back and forth at run-time,
> so bpf progs before and after will be either blinded or not.
> I don't see any inconsistency.

That can't be the reason to maintain that inconsistency.

--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
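The disagreement above is about which values the three knobs hold at a given moment of boot, which can be checked directly on a host. The following is an added example, not part of the original mail or of the patch set: a POSIX shell function that reads the three knobs named in the thread and compares them with a baseline. The baseline values, the function name audit_bpf_knobs and its ROOT argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the three BPF sysctl knobs discussed in this thread.
# The baseline below is an assumption for illustration, not a value taken
# from the patch set. Format of each entry: <path under /proc/sys>:<op>:<value>
#   ge = current value must be at least <value>, eq = must equal <value>
BPF_BASELINE='kernel/unprivileged_bpf_disabled:ge:1
net/core/bpf_jit_harden:ge:2
net/core/bpf_jit_kallsyms:eq:0'

# audit_bpf_knobs [ROOT]
#   ROOT defaults to /proc/sys; pass another directory to audit a captured
#   or constructed copy of the tree.
# Prints one line per knob:
#   OK      value satisfies the baseline
#   WEAK    value is readable but does not satisfy the baseline
#   MISSING knob is absent (for example a kernel built without BPF support)
# Returns 0 only when every knob is OK.
audit_bpf_knobs() {
    root=${1:-/proc/sys}
    rc=0
    for entry in $BPF_BASELINE; do
        path=${entry%%:*}
        rest=${entry#*:}
        op=${rest%%:*}
        want=${rest#*:}
        name=$(printf '%s' "$path" | tr / .)

        if [ ! -r "$root/$path" ]; then
            echo "MISSING $name"
            rc=1
            continue
        fi

        have=$(tr -d ' \t\n' < "$root/$path")
        status=WEAK
        case $have in
            ''|*[!0-9]*)
                # not a plain non-negative number: keep WEAK
                ;;
            *)
                if [ "$have" "-$op" "$want" ]; then
                    status=OK
                fi
                ;;
        esac

        [ "$status" = OK ] || rc=1
        echo "$status $name=$have (baseline: $op $want)"
    done
    return "$rc"
}

# Audit the live system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_bpf_knobs /proc/sys
fi
```

Run once from an early boot unit and again after sysctl.conf has been applied, the two outputs show whether the host passes through the window the thread argues about.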
[PATCH bpf-next v2 1/3] bpf: add ability to configure unprivileged BPF via boot-time parameter
This patch introduces two configuration options, UNPRIVILEGED_BPF_BOOTPARAM and UNPRIVILEGED_BPF_BOOTPARAM_VALUE, that allow configuring the initial value of kernel.unprivileged_bpf_disabled sysctl knob, which is useful for the cases when disabling unprivileged bpf() access during the early boot is desirable. Signed-off-by: Eugene Syromiatnikov <e...@redhat.com> --- Documentation/admin-guide/kernel-parameters.txt | 8 +++ init/Kconfig| 31 + kernel/bpf/syscall.c| 16 + 3 files changed, 55 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 11fc28e..aa8e831 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4355,6 +4355,14 @@ unknown_nmi_panic [X86] Cause panic on unknown NMI. + unprivileged_bpf_disabled= + Format: { "0" | "1" } + Sets initial value of kernel.unprivileged_bpf_disabled + sysctl knob. + 0 - unprivileged bpf() syscall access enabled. + 1 - unprivileged bpf() syscall access disabled. + Default value is set via kernel config option. + usbcore.authorized_default= [USB] Default USB device authorization: (default -1 = authorized except for wireless USB, diff --git a/init/Kconfig b/init/Kconfig index 480a4f2..1403a3e 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -1404,6 +1404,37 @@ config BPF_JIT_ALWAYS_ON Enables BPF JIT and removes BPF interpreter to avoid speculative execution of BPF instructions by the interpreter +config UNPRIVILEGED_BPF_BOOTPARAM + bool "Unprivileged bpf() boot parameter" + depends on BPF_SYSCALL + default n + help + This option adds a kernel parameter 'unprivileged_bpf_disabled' + that allows configuring default state of the + kernel.unprivileged_bpf_disabled sysctl knob. + If this option is selected, unprivileged access to the bpf() syscall + can be disabled with unprivileged_bpf_disabled=1 on the kernel command + line. The purpose of this option is to allow disabling unprivileged + bpf() syscall access during the early boot. + + If you are unsure how to answer this question, answer N. + +config UNPRIVILEGED_BPF_BOOTPARAM_VALUE + int "Unprivileged bpf() boot parameter default value" + depends on UNPRIVILEGED_BPF_BOOTPARAM + range 0 1 + default 0 + help + This option sets the default value for the kernel parameter + 'unprivileged_bpf_disabled', which allows disabling unprivileged bpf() + syscall access at boot. If this option is set to 0 (zero), the + unprivileged bpf() boot kernel parameter will default to 0, allowing + unprivileged bpf() syscall access at bootup. If this option is + set to 1 (one), the unprivileged bpf() kernel parameter will default + to 1, disabling unprivileged bpf() syscall access at bootup. + + If you are unsure how to answer this question, answer 0. + config USERFAULTFD bool "Enable userfaultfd() system call" select ANON_INODES diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index bfcde94..fdc5fd9 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -29,6 +29,7 @@ #include #include #include +#include #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY || \ (map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \ 
@@ -45,7 +46,22 @@ static DEFINE_SPINLOCK(prog_idr_lock); static DEFINE_IDR(map_idr); static DEFINE_SPINLOCK(map_idr_lock); +#ifdef CONFIG_UNPRIVILEGED_BPF_BOOTPARAM +int sysctl_unprivileged_bpf_disabled __read_mostly = + CONFIG_UNPRIVILEGED_BPF_BOOTPARAM_VALUE; + +static int __init unprivileged_bpf_setup(char *str) +{ + unsigned long disabled; + + if (!kstrtoul(str, 0, )) + sysctl_unprivileged_bpf_disabled = !!disabled; + return 1; +} +__setup("unprivileged_bpf_disabled=", unprivileged_bpf_setup); +#else /* !CONFIG_UNPRIVILEGED_BPF_BOOTPARAM */ int sysctl_unprivileged_bpf_disabled __read_mostly; +#endif /* CONFIG_UNPRIVILEGED_BPF_BOOTPARAM */ static const struct bpf_map_ops * const bpf_map_types[] = { #define BPF_PROG_TYPE(_id, _ops) -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
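Review bot: in unprivileged_bpf_setup() (kernel/bpf/syscall.c hunk), a value that kstrtoul() rejects is dropped without any message and the handler still returns 1, so a typo such as unprivileged_bpf_disabled=on leaves the knob at the Kconfig default, and with the default of 0 unprivileged bpf() stays enabled. Since the parameter is meant as an access restriction for early boot, log the rejected string with pr_warn() so the failure shows up in dmesg. The !!disabled conversion also accepts any non-zero number, while the kernel-parameters.txt text in this patch gives the format as { "0" | "1" }; either document that or reject values above 1.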
[PATCH bpf-next v2 3/3] bpf: add ability to configure BPF JIT kallsyms export at the boot time
This patch introduces two configuration options, BPF_JIT_KALLSYMS_BOOTPARAM and BPF_JIT_KALLSYMS_BOOTPARAM_VALUE, that allow configuring the initial value of net.core.bpf_jit_kallsyms sysctl knob. This enables export of addresses of JIT'ed BPF programs that created during the early boot. Signed-off-by: Eugene Syromiatnikov <e...@redhat.com> --- Documentation/admin-guide/kernel-parameters.txt | 10 + init/Kconfig| 30 + kernel/bpf/core.c | 14 3 files changed, 54 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 5adc6d0..10e7502 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -452,6 +452,16 @@ 2 - JIT hardening is enabled for all users. Default value is set via kernel config option. + bpf_jit_kallsyms= + Format: { "0" | "1" } + Sets initial value of net.core.bpf_jit_kallsyms + sysctl knob. + 0 - Addresses of JIT'ed BPF programs are not exported + to kallsyms. + 1 - Export of addresses of JIT'ed BPF programs is + enabled for privileged users. + Default value is set via kernel config option. + bttv.card= [HW,V4L] bttv (bt848 + bt878 based grabber cards) bttv.radio= Most important insmod options are available as kernel args too. diff --git a/init/Kconfig b/init/Kconfig index b661497..b5405ca 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -1464,6 +1464,36 @@ config BPF_JIT_HARDEN_BOOTPARAM_VALUE If you are unsure how to answer this question, answer 0. +config BPF_JIT_KALLSYMS_BOOTPARAM + bool "BPF JIT kallsyms export boot parameter" + default n + help + This option adds a kernel parameter 'bpf_jit_kallsyms' that allows + configuring default state of the net.core.bpf_jit_kallsyms sysctl + knob. If this option is selected, the default value of the + net.core.bpf_jit_kallsyms sysctl knob can be set on the kernel command + line. The purpose of this option is to allow enabling BPF JIT + kallsyms export for the BPF programs created during the early boot, + so they can be traced later. + + If you are unsure how to answer this question, answer N. + +config BPF_JIT_KALLSYMS_BOOTPARAM_VALUE + int "BPF JIT kallsyms export boot parameter default value" + depends on BPF_JIT_HARDEN_BOOTPARAM + range 0 1 + default 0 + help + This option sets the default value for the kernel parameter + 'bpf_jit_kallsyms' that configures default value of the + net.core.bpf_jit_kallsyms sysctl knob at boot. If this option is set + to 0 (zero), the net.core.bpf_jit_kallsyms will default to 0, which + will lead to disabling of exporting of addresses of JIT'ed BPF + programs. If this option is set to 1 (one), addresses of privileged + BPF programs are exported to kallsyms. + + If you are unsure how to answer this question, answer 0. + config USERFAULTFD bool "Enable userfaultfd() system call" select ANON_INODES diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 9edb7a8..003d708 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -321,7 +321,21 @@ __setup("bpf_jit_harden=", bpf_jit_harden_setup); int bpf_jit_harden __read_mostly; #endif /* CONFIG_BPF_JIT_HARDEN_BOOTPARAM */ +#ifdef CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM +int bpf_jit_kallsyms __read_mostly = CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM_VALUE; + +static int __init bpf_jit_kallsyms_setup(char *str) +{ + unsigned long enabled; + + if (!kstrtoul(str, 0, )) + bpf_jit_kallsyms = !!enabled; + return 1; +} +__setup("bpf_jit_kallsyms=", bpf_jit_kallsyms_setup); +#else /* !CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM */ int bpf_jit_kallsyms __read_mostly; +#endif /* CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM */ static __always_inline void bpf_get_prog_addr_region(const struct bpf_prog *prog, -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
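Review bot: BPF_JIT_KALLSYMS_BOOTPARAM_VALUE in the init/Kconfig hunk has "depends on BPF_JIT_HARDEN_BOOTPARAM", which looks like a copy-paste from the previous patch; it should depend on BPF_JIT_KALLSYMS_BOOTPARAM. As written, a config with BPF_JIT_KALLSYMS_BOOTPARAM=y and BPF_JIT_HARDEN_BOOTPARAM=n never defines CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM_VALUE, yet the kernel/bpf/core.c hunk uses it as the initializer of bpf_jit_kallsyms under #ifdef CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM, so that combination would fail to compile wherever this code is built.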
[PATCH bpf-next v2 2/3] bpf: add ability to configure BPF JIT hardening via boot-time parameter
This patch introduces two configuration options, BPF_JIT_HARDEN_BOOTPARAM and BPF_JIT_HARDEN_BOOTPARAM_VALUE, that allow configuring the initial value of net.core.bpf_jit_harden sysctl knob, which is useful for enforcing JIT hardening during the early boot. Signed-off-by: Eugene Syromiatnikov <e...@redhat.com> --- Documentation/admin-guide/kernel-parameters.txt | 10 + init/Kconfig| 29 + kernel/bpf/core.c | 17 +++ 3 files changed, 56 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index aa8e831..5adc6d0 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -442,6 +442,16 @@ bert_disable[ACPI] Disable BERT OS support on buggy BIOSes. + bpf_jit_harden= + Format: { "0" | "1" | "2" } + Sets initial value of net.core.bpf_jit_harden + sysctl knob. + 0 - JIT hardening is disabled. + 1 - JIT hardening is enabled for unprivileged users + only. + 2 - JIT hardening is enabled for all users. + Default value is set via kernel config option. + bttv.card= [HW,V4L] bttv (bt848 + bt878 based grabber cards) bttv.radio= Most important insmod options are available as kernel args too. diff --git a/init/Kconfig b/init/Kconfig index 1403a3e..b661497 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -1435,6 +1435,35 @@ config UNPRIVILEGED_BPF_BOOTPARAM_VALUE If you are unsure how to answer this question, answer 0. +config BPF_JIT_HARDEN_BOOTPARAM + bool "BPF JIT harden boot parameter" + default n + help + This option adds a kernel parameter 'bpf_jit_harden' that allows + configuring default state of the net.core.bpf_jit_harden sysctl knob. + If this option is selected, the default value of the + net.core.bpf_jit_harden sysctl knob can be set on the kernel command + line. The purpose of this option is to allow enabling BPF JIT + hardening for the BPF programs created during the early boot. + + If you are unsure how to answer this question, answer N. + +config BPF_JIT_HARDEN_BOOTPARAM_VALUE + int "BPF JIT harden boot parameter default value" + depends on BPF_JIT_HARDEN_BOOTPARAM + range 0 2 + default 0 + help + This option sets the default value for the kernel parameter + 'bpf_jit_enabled' that configures default value of the + net.core.bpf_jit_harden sysctl knob at boot. If this option is set to + 0 (zero), the net.core.bpf_jit_harden will default to 0, which will + lead to no hardening at bootup. If this option is set to 1 (one), + hardening will be applied only to unprivileged users only. If this + option is set to 2 (two), JIT hardening will be enabled for all users. + + If you are unsure how to answer this question, answer 0. + config USERFAULTFD bool "Enable userfaultfd() system call" select ANON_INODES diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 2194c6a..9edb7a8 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -32,6 +32,7 @@ #include #include #include +#include #include 
@@ -303,7 +304,23 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off, #ifdef CONFIG_BPF_JIT /* All BPF JIT sysctl knobs here. */ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_ALWAYS_ON); + +#ifdef CONFIG_BPF_JIT_HARDEN_BOOTPARAM +int bpf_jit_harden __read_mostly = CONFIG_BPF_JIT_HARDEN_BOOTPARAM_VALUE; + +static int __init bpf_jit_harden_setup(char *str) +{ + unsigned long value; + + if (!kstrtoul(str, 0, )) + bpf_jit_harden = min(value, 2UL); + return 1; +} +__setup("bpf_jit_harden=", bpf_jit_harden_setup); +#else /* !CONFIG_BPF_JIT_HARDEN_BOOTPARAM */ int bpf_jit_harden __read_mostly; +#endif /* CONFIG_BPF_JIT_HARDEN_BOOTPARAM */ + int bpf_jit_kallsyms __read_mostly; static __always_inline void -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
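Review bot: the help text of BPF_JIT_HARDEN_BOOTPARAM_VALUE in the init/Kconfig hunk names the kernel parameter 'bpf_jit_enabled', but the parameter this patch registers with __setup() and documents in kernel-parameters.txt is bpf_jit_harden=; the wrong name is easy to confuse with the separate bpf_jit_enable knob visible in the core.c context. The same help text also reads "hardening will be applied only to unprivileged users only", where one "only" should go.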
[PATCH bpf-next v2 0/3] bpf: add boot parameters for sysctl knobs
Some BPF sysctl knobs affect the loading of BPF programs, and during system boot/init stages these sysctls are not yet configured. A concrete example is systemd, that has implemented loading of BPF programs.

Thus, to allow controlling these setting at early boot, this patch set adds the ability to change the default setting of these sysctl knobs as well as option to override them via a boot-time kernel parameter (in order to avoid rebuilding kernel each time a need of changing these defaults arises).

The sysctl knobs in question are kernel.unprivileged_bpf_disable, net.core.bpf_jit_harden, and net.core.bpf_jit_kallsyms.

Eugene Syromiatnikov (3):
  bpf: add ability to configure unprivileged BPF via boot-time parameter
  bpf: add ability to configure BPF JIT hardening via boot-time parameter
  bpf: add ability to configure BPF JIT kallsyms export at the boot time

 Documentation/admin-guide/kernel-parameters.txt | 28
 init/Kconfig| 90 +
 kernel/bpf/core.c | 31 +
 kernel/bpf/syscall.c| 16 +
 4 files changed, 165 insertions(+)

--
2.1.4
Re: [PATCH 0/3] bpf: add boot parameters for sysctl knobs
On Mon, May 21, 2018 at 11:58:13AM -0700, Alexei Starovoitov wrote:
> On Mon, May 21, 2018 at 02:29:30PM +0200, Eugene Syromiatnikov wrote:
> > Hello.
> >
> > This patch set adds ability to set default values for
> > kernel.unprivileged_bpf_disable, net.core.bpf_jit_harden,
> > net.core.bpf_jit_kallsyms sysctl knobs as well as option to override
> > them via a boot-time kernel parameter.
>
> Commits log not only should explain 'what' is being done by the patch,
> but 'why' as well.

Some BPF sysctl knobs affect the loading of BPF programs, and during
system boot/init stages these sysctls are not yet configured.
A concrete example is systemd, that has implemented loading of BPF
programs.

Thus, to allow controlling these setting at early boot, this patch set
adds the ability to change the default setting of these sysctl knobs
as well as option to override them via a boot-time kernel parameter
(in order to avoid rebuilding kernel each time a need of changing these
defaults arises).

The sysctl knobs in question are kernel.unprivileged_bpf_disable,
net.core.bpf_jit_harden, and net.core.bpf_jit_kallsyms.
[PATCH 3/3] bpf: add ability to configure BPF JIT kallsyms export at the boot time
This patch introduces two configuration options, BPF_JIT_KALLSYMS_BOOTPARAM and BPF_JIT_KALLSYMS_BOOTPARAM_VALUE, that allow configuring the initial value of net.core.bpf_jit_kallsyms sysctl knob. This enables export of addresses of JIT'ed BPF programs that created during the early boot. Signed-off-by: Eugene Syromiatnikov <e...@redhat.com> --- Documentation/admin-guide/kernel-parameters.txt | 10 + init/Kconfig| 30 + kernel/bpf/core.c | 14 3 files changed, 54 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 5adc6d0..10e7502 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -452,6 +452,16 @@ 2 - JIT hardening is enabled for all users. Default value is set via kernel config option. + bpf_jit_kallsyms= + Format: { "0" | "1" } + Sets initial value of net.core.bpf_jit_kallsyms + sysctl knob. + 0 - Addresses of JIT'ed BPF programs are not exported + to kallsyms. + 1 - Export of addresses of JIT'ed BPF programs is + enabled for privileged users. + Default value is set via kernel config option. + bttv.card= [HW,V4L] bttv (bt848 + bt878 based grabber cards) bttv.radio= Most important insmod options are available as kernel args too. diff --git a/init/Kconfig b/init/Kconfig index b661497..b5405ca 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -1464,6 +1464,36 @@ config BPF_JIT_HARDEN_BOOTPARAM_VALUE If you are unsure how to answer this question, answer 0. +config BPF_JIT_KALLSYMS_BOOTPARAM + bool "BPF JIT kallsyms export boot parameter" + default n + help + This option adds a kernel parameter 'bpf_jit_kallsyms' that allows + configuring default state of the net.core.bpf_jit_kallsyms sysctl + knob. If this option is selected, the default value of the + net.core.bpf_jit_kallsyms sysctl knob can be set on the kernel command + line. The purpose of this option is to allow enabling BPF JIT + kallsyms export for the BPF programs created during the early boot, + so they can be traced later. + + If you are unsure how to answer this question, answer N. + +config BPF_JIT_KALLSYMS_BOOTPARAM_VALUE + int "BPF JIT kallsyms export boot parameter default value" + depends on BPF_JIT_HARDEN_BOOTPARAM + range 0 1 + default 0 + help + This option sets the default value for the kernel parameter + 'bpf_jit_kallsyms' that configures default value of the + net.core.bpf_jit_kallsyms sysctl knob at boot. If this option is set + to 0 (zero), the net.core.bpf_jit_kallsyms will default to 0, which + will lead to disabling of exporting of addresses of JIT'ed BPF + programs. If this option is set to 1 (one), addresses of privileged + BPF programs are exported to kallsyms. + + If you are unsure how to answer this question, answer 0. + config USERFAULTFD bool "Enable userfaultfd() system call" select ANON_INODES diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 9edb7a8..003d708 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -321,7 +321,21 @@ __setup("bpf_jit_harden=", bpf_jit_harden_setup); int bpf_jit_harden __read_mostly; #endif /* CONFIG_BPF_JIT_HARDEN_BOOTPARAM */ +#ifdef CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM +int bpf_jit_kallsyms __read_mostly = CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM_VALUE; + +static int __init bpf_jit_kallsyms_setup(char *str) +{ + unsigned long enabled; + + if (!kstrtoul(str, 0, )) + bpf_jit_kallsyms = !!enabled; + return 1; +} +__setup("bpf_jit_kallsyms=", bpf_jit_kallsyms_setup); +#else /* !CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM */ int bpf_jit_kallsyms __read_mostly; +#endif /* CONFIG_BPF_JIT_KALLSYMS_BOOTPARAM */ static __always_inline void bpf_get_prog_addr_region(const struct bpf_prog *prog, -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
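Review bot: the two descriptions of value 1 disagree: the kernel-parameters.txt hunk says export of addresses "is enabled for privileged users", while the BPF_JIT_KALLSYMS_BOOTPARAM_VALUE help text in init/Kconfig says "addresses of privileged BPF programs are exported". One is about who may read the addresses, the other about whose programs are listed; since this knob controls exposure of kernel addresses, state the intended meaning once and use the same wording in both places.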
[PATCH 2/3] bpf: add ability to configure BPF JIT hardening via boot-time parameter
This patch introduces two configuration options, BPF_JIT_HARDEN_BOOTPARAM and BPF_JIT_HARDEN_BOOTPARAM_VALUE, that allow configuring the initial value of net.core.bpf_jit_harden sysctl knob, which is useful for enforcing JIT hardening during the early boot. Signed-off-by: Eugene Syromiatnikov <e...@redhat.com> --- Documentation/admin-guide/kernel-parameters.txt | 10 + init/Kconfig| 29 + kernel/bpf/core.c | 17 +++ 3 files changed, 56 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index aa8e831..5adc6d0 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -442,6 +442,16 @@ bert_disable[ACPI] Disable BERT OS support on buggy BIOSes. + bpf_jit_harden= + Format: { "0" | "1" | "2" } + Sets initial value of net.core.bpf_jit_harden + sysctl knob. + 0 - JIT hardening is disabled. + 1 - JIT hardening is enabled for unprivileged users + only. + 2 - JIT hardening is enabled for all users. + Default value is set via kernel config option. + bttv.card= [HW,V4L] bttv (bt848 + bt878 based grabber cards) bttv.radio= Most important insmod options are available as kernel args too. diff --git a/init/Kconfig b/init/Kconfig index 1403a3e..b661497 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -1435,6 +1435,35 @@ config UNPRIVILEGED_BPF_BOOTPARAM_VALUE If you are unsure how to answer this question, answer 0. +config BPF_JIT_HARDEN_BOOTPARAM + bool "BPF JIT harden boot parameter" + default n + help + This option adds a kernel parameter 'bpf_jit_harden' that allows + configuring default state of the net.core.bpf_jit_harden sysctl knob. + If this option is selected, the default value of the + net.core.bpf_jit_harden sysctl knob can be set on the kernel command + line. The purpose of this option is to allow enabling BPF JIT + hardening for the BPF programs created during the early boot. + + If you are unsure how to answer this question, answer N. + +config BPF_JIT_HARDEN_BOOTPARAM_VALUE + int "BPF JIT harden boot parameter default value" + depends on BPF_JIT_HARDEN_BOOTPARAM + range 0 2 + default 0 + help + This option sets the default value for the kernel parameter + 'bpf_jit_enabled' that configures default value of the + net.core.bpf_jit_harden sysctl knob at boot. If this option is set to + 0 (zero), the net.core.bpf_jit_harden will default to 0, which will + lead to no hardening at bootup. If this option is set to 1 (one), + hardening will be applied only to unprivileged users only. If this + option is set to 2 (two), JIT hardening will be enabled for all users. + + If you are unsure how to answer this question, answer 0. + config USERFAULTFD bool "Enable userfaultfd() system call" select ANON_INODES diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 2194c6a..9edb7a8 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -32,6 +32,7 @@ #include #include #include +#include #include 
@@ -303,7 +304,23 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off, #ifdef CONFIG_BPF_JIT /* All BPF JIT sysctl knobs here. */ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_ALWAYS_ON); + +#ifdef CONFIG_BPF_JIT_HARDEN_BOOTPARAM +int bpf_jit_harden __read_mostly = CONFIG_BPF_JIT_HARDEN_BOOTPARAM_VALUE; + +static int __init bpf_jit_harden_setup(char *str) +{ + unsigned long value; + + if (!kstrtoul(str, 0, )) + bpf_jit_harden = min(value, 2UL); + return 1; +} +__setup("bpf_jit_harden=", bpf_jit_harden_setup); +#else /* !CONFIG_BPF_JIT_HARDEN_BOOTPARAM */ int bpf_jit_harden __read_mostly; +#endif /* CONFIG_BPF_JIT_HARDEN_BOOTPARAM */ + int bpf_jit_kallsyms __read_mostly; static __always_inline void -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
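Review bot: BPF_JIT_HARDEN_BOOTPARAM in the init/Kconfig hunk has no "depends on" line, yet bpf_jit_harden_setup() in kernel/bpf/core.c is added inside the "#ifdef CONFIG_BPF_JIT" block, so the option can be selected on a kernel without the JIT, where the parameter is never registered; add "depends on BPF_JIT". In the handler, min(value, 2UL) turns any larger number into 2 without a message, which differs from the documented format { "0" | "1" | "2" }; that fails towards more hardening, but it deserves a line in kernel-parameters.txt.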
[PATCH 1/3] bpf: add ability to configure unprivileged BPF via boot-time parameter
This patch introduces two configuration options, UNPRIVILEGED_BPF_BOOTPARAM and UNPRIVILEGED_BPF_BOOTPARAM_VALUE, that allow configuring the initial value of kernel.unprivileged_bpf_disabled sysctl knob, which is useful for the cases when disabling unprivileged bpf() access during the early boot is desirable. Signed-off-by: Eugene Syromiatnikov <e...@redhat.com> --- Documentation/admin-guide/kernel-parameters.txt | 8 +++ init/Kconfig| 31 + kernel/bpf/syscall.c| 16 + 3 files changed, 55 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 11fc28e..aa8e831 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4355,6 +4355,14 @@ unknown_nmi_panic [X86] Cause panic on unknown NMI. + unprivileged_bpf_disabled= + Format: { "0" | "1" } + Sets initial value of kernel.unprivileged_bpf_disabled + sysctl knob. + 0 - unprivileged bpf() syscall access enabled. + 1 - unprivileged bpf() syscall access disabled. + Default value is set via kernel config option. + usbcore.authorized_default= [USB] Default USB device authorization: (default -1 = authorized except for wireless USB, diff --git a/init/Kconfig b/init/Kconfig index 480a4f2..1403a3e 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -1404,6 +1404,37 @@ config BPF_JIT_ALWAYS_ON Enables BPF JIT and removes BPF interpreter to avoid speculative execution of BPF instructions by the interpreter +config UNPRIVILEGED_BPF_BOOTPARAM + bool "Unprivileged bpf() boot parameter" + depends on BPF_SYSCALL + default n + help + This option adds a kernel parameter 'unprivileged_bpf_disabled' + that allows configuring default state of the + kernel.unprivileged_bpf_disabled sysctl knob. + If this option is selected, unprivileged access to the bpf() syscall + can be disabled with unprivileged_bpf_disabled=1 on the kernel command + line. The purpose of this option is to allow disabling unprivileged + bpf() syscall access during the early boot. + + If you are unsure how to answer this question, answer N. + +config UNPRIVILEGED_BPF_BOOTPARAM_VALUE + int "Unprivileged bpf() boot parameter default value" + depends on UNPRIVILEGED_BPF_BOOTPARAM + range 0 1 + default 0 + help + This option sets the default value for the kernel parameter + 'unprivileged_bpf_disabled', which allows disabling unprivileged bpf() + syscall access at boot. If this option is set to 0 (zero), the + unprivileged bpf() boot kernel parameter will default to 0, allowing + unprivileged bpf() syscall access at bootup. If this option is + set to 1 (one), the unprivileged bpf() kernel parameter will default + to 1, disabling unprivileged bpf() syscall access at bootup. + + If you are unsure how to answer this question, answer 0. + config USERFAULTFD bool "Enable userfaultfd() system call" select ANON_INODES diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index bfcde94..fdc5fd9 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -29,6 +29,7 @@ #include #include #include +#include #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY || \ (map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \ 
@@ -45,7 +46,22 @@ static DEFINE_SPINLOCK(prog_idr_lock); static DEFINE_IDR(map_idr); static DEFINE_SPINLOCK(map_idr_lock); +#ifdef CONFIG_UNPRIVILEGED_BPF_BOOTPARAM +int sysctl_unprivileged_bpf_disabled __read_mostly = + CONFIG_UNPRIVILEGED_BPF_BOOTPARAM_VALUE; + +static int __init unprivileged_bpf_setup(char *str) +{ + unsigned long disabled; + + if (!kstrtoul(str, 0, )) + sysctl_unprivileged_bpf_disabled = !!disabled; + return 1; +} +__setup("unprivileged_bpf_disabled=", unprivileged_bpf_setup); +#else /* !CONFIG_UNPRIVILEGED_BPF_BOOTPARAM */ int sysctl_unprivileged_bpf_disabled __read_mostly; +#endif /* CONFIG_UNPRIVILEGED_BPF_BOOTPARAM */ static const struct bpf_map_ops * const bpf_map_types[] = { #define BPF_PROG_TYPE(_id, _ops) -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
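Review bot: the kernel-parameters.txt entry for unprivileged_bpf_disabled= says only "Default value is set via kernel config option" and does not mention that the parameter exists at all only when CONFIG_UNPRIVILEGED_BPF_BOOTPARAM is enabled. Name both options (UNPRIVILEGED_BPF_BOOTPARAM and UNPRIVILEGED_BPF_BOOTPARAM_VALUE) in that entry; otherwise an administrator who adds unprivileged_bpf_disabled=1 to the command line of a kernel built with the "default n" from the Kconfig hunk gets no restriction and no hint why. In init/Kconfig, UNPRIVILEGED_BPF_BOOTPARAM_VALUE is an int with "range 0 1"; a bool read with IS_ENABLED() would express the same thing.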
[PATCH 0/3] bpf: add boot parameters for sysctl knobs
Hello.

This patch set adds ability to set default values for kernel.unprivileged_bpf_disable, net.core.bpf_jit_harden, net.core.bpf_jit_kallsyms sysctl knobs as well as option to override them via a boot-time kernel parameter.

Eugene Syromiatnikov (3):
  bpf: add ability to configure unprivileged BPF via boot-time parameter
  bpf: add ability to configure BPF JIT hardening via boot-time parameter
  bpf: add ability to configure BPF JIT kallsyms export at the boot time

 Documentation/admin-guide/kernel-parameters.txt | 28
 init/Kconfig| 90 +
 kernel/bpf/core.c | 31 +
 kernel/bpf/syscall.c| 16 +
 4 files changed, 165 insertions(+)

--
2.1.4