|
|
Log in / Subscribe / Register

KRSI and proprietary BPF programs

By Jonathan Corbet
January 17, 2020
The "kernel runtime security instrumentation" (or KRSI) patch set enables the attachment of BPF programs to every security hook in the kernel; LWN covered this work in December. That article focused on ABI issues, but it deferred another potential problem to our 2020 predictions: the possibility that vendors could start shipping proprietary BPF programs for use with frameworks like KRSI. Other developers did pick up on the possibility that KRSI could be abused this way, though, leading to a discussion on whether KRSI should continue to allow the loading of BPF programs that do not carry a GPL-compatible license.

It may be surprising to some that the kernel, while allowing BPF programs to declare their license, is entirely happy to load programs that have a proprietary license. This behavior, though, is consistent with how the kernel handles loadable modules: any module can be loaded, but modules without a GPL-compatible license will not have access to many kernel symbols (any that are exported with EXPORT_SYMBOL_GPL()). BPF programs interact with the kernel through special "helper functions", each of which must be explicitly exported; these, too, can have a "GPL only" marking on them. In current kernels, about 25% of the defined helpers are restricted to GPL-licensed code.

The issue of licensing for KRSI programs was first raised by SELinux maintainer Stephen Smalley, who noted:

And a traditional security module would necessarily fall under GPL; is the eBPF code required to be likewise? If not, KRSI is a gateway for proprietary LSMs.

After a bit of discussion, KRSI developer KP Singh suggested that he could add an explicit check for GPL-compatible licensing to KRSI. That might have resolved the issue right there, but Alexei Starovoitov objected to this change, saying that BPF programs should continue to be treated like loadable modules, and that the solution was simply to ensure that all of the helper functions needed to get real work done were marked GPL-only.

There is a bit of a problem with this reasoning, though, related to the specific role that BPF programs fill in KRSI. While the KRSI developers envision using BPF programs to do a variety of system-wide monitoring tasks, these programs also function as security hooks in their own right. They have full read access to the kernel data structures passed into those hooks and, in the end, they are charged with returning a Boolean value carrying their verdict as to whether a given operation should be allowed to proceed or not. There is a fairly wide range of security policies that could be implemented in BPF without calling any helper functions at all. Smalley pointed this out and added:

It seems like the question is whether the kernel developers are ok with exposing the entire LSM hook interface and all the associated data structures to non-GPLd code, irrespective of what helpers it may or may not use.

Starovoitov was unmoved by this concern, though, and argued that it should be possible to load simple non-GPL programs:

Primitive KRSI progs like 

    int bpf-prog(void*) { return REJECT; }

would be able to selectively disable a syscall with an overhead acceptable in production systems (unlike seccomp). I want this use case to be available to people. It's a bait, because to do real progs people would need to GPL them. Key helpers bpf_perf_event_output, bpf_ktime_get_ns, bpf_trace_printk are all GPL-ed. It may look that most networking helpers are not-GPL, but real life is different. To debug programs bpf_trace_printk() is necessary. To have communication with user space bpf_perf_event_output() is necessary. To measure anything or implement timestamps bpf_ktime_get_ns() is necessary.

So today all meaningful bpf programs are GPL. Those that are not GPL probably exist, but they're toy programs. Hence I have zero concerns about GPL bypass coming from tracing, networking, and, in the future, KRSI progs too.

Smalley was not convinced, saying: "I would anticipate developers of out-of-tree LSMs latching onto this bpf LSM and using it to avoid GPL". Greg Kroah-Hartman dropped into the conversation to support Smalley: "We have enough problem with companies trying to do that as-is, let's not give them any other ways to abuse our license". Starovoitov threw in the towel at this point, consoling himself that developers can always "undo it later when this early concerns prove to be overblown".

As a result of this discussion, the second posting of KRSI included the license check, though this was not noted in the changelog. This version also eliminated the securityfs-based API in favor of using the bpftool utility for configuration and introspection of security policies.

While there have been some minor comments on this version of the patch set, it may well be that the biggest roadblock to its merging has now been overcome. Other concerns, including the possibility of ABI-related problems in the future and the implications of allowing the attachment of BPF programs — with access to internal kernel data structures and veto power — to almost every operation user space can attempt, do not appear to worry many people. As a result, KRSI could conceivably be headed toward the mainline in the near future.

Index entries for this article
KernelBPF/Security
KernelSecurity/Security modules

to post comments

KRSI and proprietary BPF programs

Posted Jan 19, 2020 9:42 UTC (Sun) by mfuzzey (subscriber, #57966) [Link] (6 responses)

While I understand , and agree with, the desire to prevent proprietary security modules I'm not quite sure how this works legally.

INAL but I thought the legal basis for the GPL applying to modified kernels or kernel modules is that they are considered derived works of the original GPL kernel.
For modules it is even a bit murkier than that I think, which allows Nvidia to get away with their GPL shim loading a propriety binary driver (which was not originally designed solely for Linux).

But does derived work apply to independently developped BPF code just using hooks that the GPL kernel provides?

KRSI and proprietary BPF programs

Posted Jan 20, 2020 8:52 UTC (Mon) by rvolgers (guest, #63218) [Link] (5 responses)

The idea behind marking interfaces as GPL or not GPL is that marking something GPL-only means that the kernel developers consider it to be so intimately tied to the internals of the kernel that using it necessarily means your product is a derived work of the kernel as defined by the GPL.

Of course I don't think that precise interpretation has ever been tested in court. But it's easy to see how that extends to BPF security hooks. They get passed a structure full of data that is very much full of kernel implementation details and not intended as a public interface to "other projects". So it seems reasonable to say that if you write a BPF program that receives that as an argument, it's a derived work of the Linux kernel, and so must be released under a GPL compatible license.

KRSI and proprietary BPF programs

Posted Jan 20, 2020 16:53 UTC (Mon) by admalledd (subscriber, #95347) [Link] (3 responses)

Not legal advice, not a lawyer myself, etc etc.

At my work we have some brief workshops on various topics that are related to our work. One of the ones that they require us developers partake in is a bit about licensing and GPL/MIT/AGPL/etc that we might encounter for either plugins/packages/modules or platforms we might develop with/for. Mostly so that we remember to go and check in with legal on specifics whenever we use something new.

The big thing that was stated about "interfaces, API layers and poison licenses" (Sorry, corporates words...) is that if something does have to go to court (or arbitration and remediation, the corporate preference) the intent of initial developers placing code under the license in question, including even commented code or notes questioning if it should be, can have significant weight on "is this a derivative work". Courts are imperfect and imprecise, so they use things like "tests" that can be used to answer questions outside of their scope. These tests and questions would fall upon that there were marked "we, the kernel developers think using these things means you are so tied to us that you must be derivative" and that is a powerful argument to deconstruct from the other side. We ourselves use AGPL3 or MIT in a defensive fashion for any code we own outright and have to (by client contract/ask/funding) open source it. Applying comments, exports, etc flagging "you might be a derivative" is something we actually took from the Kernel. Of course in general corporate don't want to have to ever see a court room to enforce (or be enforced by) any of these, so mostly are just legal ammo to bring people to arbitration/remediation where corporate legal can say "it is so much easier if we all play nice hrm?".

As much to say: even if the BPF *didn't* see the internal structures, but the helpers were marked GPL (or the entire hook point, whatever) would certainly have me pushing that any BPF we wrote as also being GPL. Only way I would stand down is with a lot of CYA paperwork from both parties.

IMO the Nvidia shim (and some others) possibly violate the GPL as intended, but that too many people are locked in to requiring the module to use the hardware means no one really wants to take that close a legal look and risk having worthless hardware. Again, I am not a lawyer, my opinion is my own, etc.

KRSI and proprietary BPF programs

Posted Jan 21, 2020 2:43 UTC (Tue) by zlynx (guest, #2285) [Link] (2 responses)

IMO the nvidia binary module definitely violates the GPL. Once it is compiled. That's the key.

As far as I know no one distributes a fully compiled Nvidia driver module. The end user always does it. The end user cannot violate the GPL. The trick is the dual licensing of the Nvidia glue shim which is licensed both to link to the Nvidia proprietary .o driver and is licensed as GPL2 to link to the kernel.

The result of linking it all is a violation of all licenses and cannot be legally distributed. But no one cares because no one is distributing the result, just the individual pieces.

KRSI and proprietary BPF programs

Posted Jan 21, 2020 23:50 UTC (Tue) by gray_-_wolf (subscriber, #131074) [Link]

https://www.archlinux.org/packages/extra/x86_64/nvidia/ Based on the package content this looks like distributing compiled nvidia module. I have no idea if it is legal or not just pointing out that at least archlinux does distribute it in compiled form.

KRSI and proprietary BPF programs

Posted Jan 23, 2020 23:22 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

So, basically, the same loophole that ZFS-on-Linux has been using for ages? IIRC various people were upset about Canonical's semi-recent decision to cut out the middleman and provide full ZFS support on the install disk, but I've heard nothing about actual lawsuits.

KRSI and proprietary BPF programs

Posted Jan 30, 2020 22:38 UTC (Thu) by Wol (subscriber, #4433) [Link]

> So it seems reasonable to say that if you write a BPF program that receives that as an argument, it's a derived work of the Linux kernel, and so must be released under a GPL compatible license.

Except that one of the freedoms the GPL is - explicitly - designed to enforce is the freedom NOT to release your work.

So no, it is NOT a reasonable argument to say it must be released under a GPL-compatible licence ...

Cheers,
Wol

The GPL does not apply to *USERS*

Posted Jan 30, 2020 22:30 UTC (Thu) by Wol (subscriber, #4433) [Link]

> I want this use case to be available to people. It's a bait, because to do real progs people would need to GPL them.

As was pointed out in another comment, the end-user can do whatever they like, because they are not COPYing GPL code, therefore COPYright has no teeth. And actually, the author(s) of the GPL are quite happy with that, because the GPL explicitly does NOT force its users to distribute their code under the GPL. (It says IFF they distribute they have to use the GPL, but that's completely different from saying you MUST distribute).

So no - I don't think it should enforce "GPL only", because bearing in mind a lot of this stuff is likely to be in-house, that's meaningless cruft.

The other thing is whether BPF is distributed as byte-code, or as source. If it's distributed as source and jit'd in the kernel, again I don't see how the GPL has any teeth.

Cheers,
Wol


Copyright © 2020, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds