| From: |
| Alexei Starovoitov <ast-AT-kernel.org> |
| To: |
| "David S . Miller" <davem-AT-davemloft.net> |
| Subject: |
| [PATCH bpf-next 0/6] bpf: introduce BPF_CGROUP_FILE_OPEN |
| Date: |
| Wed, 3 Oct 2018 19:57:44 -0700 |
| Message-ID: |
| <20181004025750.498303-1-ast@kernel.org> |
| Cc: |
| <daniel-AT-iogearbox.net>, <luto-AT-amacapital.net>, <viro-AT-zeniv.linux.org.uk>, <netdev-AT-vger.kernel.org>, <linux-kernel-AT-vger.kernel.org>, <kernel-team-AT-fb.com> |
| Archive-link: |
| Article |
Hi All,
Similar to networking sandboxing programs and cgroup-v2 based hooks
(BPF_CGROUP_INET_[INGRESS|EGRESS,] BPF_CGROUP_INET[4|6]_[BIND|CONNECT], etc)
introduce basic per-container sandboxing for file access via
new BPF_PROG_TYPE_FILE_FILTER program type that attaches after
security_file_open() LSM hook and works as additional file_open filter.
The new cgroup bpf hook is called BPF_CGROUP_FILE_OPEN.
Just like other cgroup-bpf programs new BPF_PROG_TYPE_FILE_FILTER type
is only available to root.
Use cases:
- disallow certain FS types within containers (fs_magic == CGROUP2_SUPER_MAGIC)
- restrict permissions in particular mount (mnt_id == X && (flags & O_RDWR))
- disallow access to hard linked sensitive files (nlink > 1 && mode == 0700)
- disallow access to world writeable files (mode == 0..7)
- disallow access to given set of files (dev_major == X && dev_minor == Y && inode == Z)
Alexei Starovoitov (6):
bpf: introduce BPF_PROG_TYPE_FILE_FILTER
fs: wire in BPF_CGROUP_FILE_OPEN hook
tools/bpf: sync uapi/bpf.h
trace/bpf: allow %o modifier in bpf_trace_printk
libbpf: support BPF_CGROUP_FILE_OPEN in libbpf
selftests/bpf: add a test for BPF_CGROUP_FILE_OPEN
fs/open.c | 4 +
include/linux/bpf-cgroup.h | 10 +
include/linux/bpf_types.h | 1 +
include/uapi/linux/bpf.h | 28 ++-
kernel/bpf/cgroup.c | 171 ++++++++++++++++++
kernel/bpf/syscall.c | 7 +
kernel/trace/bpf_trace.c | 2 +-
tools/include/uapi/linux/bpf.h | 28 ++-
tools/lib/bpf/libbpf.c | 3 +
tools/testing/selftests/bpf/.gitignore | 1 +
tools/testing/selftests/bpf/Makefile | 6 +-
tools/testing/selftests/bpf/bpf_helpers.h | 2 +
tools/testing/selftests/bpf/test_file_open.c | 154 ++++++++++++++++
.../selftests/bpf/test_file_open_common.h | 13 ++
.../selftests/bpf/test_file_open_kern.c | 48 +++++
15 files changed, 473 insertions(+), 5 deletions(-)
create mode 100644 tools/testing/selftests/bpf/test_file_open.c
create mode 100644 tools/testing/selftests/bpf/test_file_open_common.h
create mode 100644 tools/testing/selftests/bpf/test_file_open_kern.c
--
2.17.1
