Unprivileged BPF and authoritative security hooks [LWN.net]

Unprivileged BPF and authoritative security hooks

Posted Apr 28, 2023 1:38 UTC (Fri) by developer122 (guest, #152928)
Parent article: Unprivileged BPF and authoritative security hooks

If linux has truly become single user (single user of servers, personal computers, and embedded devices) then might as well strip out all the user IDs, group IDs, filesystem permissions, access lists, and all the other access control mechanisms. After all, who needs to access control one's self? :P

to post comments

Unprivileged BPF and authoritative security hooks

Posted Apr 28, 2023 2:09 UTC (Fri) by geofft (subscriber, #59789) [Link] (3 responses)

Android uses user IDs to great effect to sandbox applications from each other, even though Android is almost always used as a single-user OS. (On the other hand, iOS runs everything as a single user and has a separate kernel sandboxing thing, kind of like a mix between seccomp and LSMs. Both approaches have had bugs but have basically been sound designs overall, so maybe this is an argument that single-user machines don't really need UIDs.)

I'm not sure if this is what was meant, but I can see the argument that Linux is a single-person OS and powerful features like BPF should be controlled and assigned to UIDs by a single person.

Unprivileged BPF and authoritative security hooks

Posted Apr 28, 2023 3:21 UTC (Fri) by raven667 (subscriber, #5198) [Link] (2 responses)

> can see the argument that Linux is a single-person OS

Sure, most Linux systems are owner-operated, but as soon as you accept a use case where this isn't true, then you end up needing all the complexity and policy for multi-user systems, so you might as well plan for that from the start.

Unprivileged BPF and authoritative security hooks

Posted Apr 29, 2023 6:36 UTC (Sat) by developer122 (guest, #152928) [Link] (1 responses)

I wonder if the entire concept of user IDs, filesystem permissions, etc could be exported into one or more LSMs.

Unprivileged BPF and authoritative security hooks

Posted May 3, 2023 10:36 UTC (Wed) by smurf (subscriber, #17840) [Link]

No reason it can't be AFAIK.

Unprivileged BPF and authoritative security hooks

Posted Apr 28, 2023 4:45 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

Quite a few container workloads basically do just that. I won't mind an option to just disable all DAC entirely in containers for a small speedup.

Unprivileged BPF and authoritative security hooks

Posted Apr 28, 2023 22:36 UTC (Fri) by dbnichol (subscriber, #39622) [Link]

CAP_DAC_OVERRIDE?

Unprivileged BPF and authoritative security hooks

Posted Apr 28, 2023 9:24 UTC (Fri) by farnz (subscriber, #17727) [Link]

Even though I am the only user of my laptop, I have multiple Linux users on it with different permissions; they provide a form of sandboxing between tasks for me, so that (for example) I can run a build as a user that can only pull from my local git repo, and cannot read my files otherwise, nor is it permitted network access. This, in turn, helps me catch stupid mistakes before I trigger CI - forgetting to git add a new file is one of my favourite tricks.

I was inspired to do this by Android, which uses a similar trick for isolation between applications.

Unprivileged BPF and authoritative security hooks

Posted Apr 28, 2023 13:59 UTC (Fri) by ballombe (subscriber, #9523) [Link]

Please read this in the context it was written.
The context was that userspace bpf made so easy do privilege escalation we could as well run everything as root.
It was not a comment on personnal computer use.
<https://lwn.net/ml/netdev/20190813215823.3sfbakzzjjykyng2...>

Unprivileged BPF and authoritative security hooks

Posted Apr 28, 2023 18:17 UTC (Fri) by Karellen (subscriber, #67644) [Link]

Well, sometimes it's nice to be unable to accidentally overwrite your boot sector when you're just trying to dial the modem. ;-)