ebpf-disabled-for-users.html

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2020-09-02 Wed 13:53 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Why eBPF for users is disabled in some distributions.</title>
<meta name="generator" content="Org mode" />
<meta name="author" content="Wade mealing" />
<style type="text/css">
 <!--/*--><![CDATA[/*><!--*/
  .title  { text-align: center;
             margin-bottom: .2em; }
  .subtitle { text-align: center;
              font-size: medium;
              font-weight: bold;
              margin-top:0; }
  .todo   { font-family: monospace; color: red; }
  .done   { font-family: monospace; color: green; }
  .priority { font-family: monospace; color: orange; }
  .tag    { background-color: #eee; font-family: monospace;
            padding: 2px; font-size: 80%; font-weight: normal; }
  .timestamp { color: #bebebe; }
  .timestamp-kwd { color: #5f9ea0; }
  .org-right  { margin-left: auto; margin-right: 0px;  text-align: right; }
  .org-left   { margin-left: 0px;  margin-right: auto; text-align: left; }
  .org-center { margin-left: auto; margin-right: auto; text-align: center; }
  .underline { text-decoration: underline; }
  #postamble p, #preamble p { font-size: 90%; margin: .2em; }
  p.verse { margin-left: 3%; }
  pre {
    border: 1px solid #ccc;
    box-shadow: 3px 3px 3px #eee;
    padding: 8pt;
    font-family: monospace;
    overflow: auto;
    margin: 1.2em;
  }
  pre.src {
    position: relative;
    overflow: visible;
    padding-top: 1.2em;
  }
  pre.src:before {
    display: none;
    position: absolute;
    background-color: white;
    top: -10px;
    right: 10px;
    padding: 3px;
    border: 1px solid black;
  }
  pre.src:hover:before { display: inline;}
  /* Languages per Org manual */
  pre.src-asymptote:before { content: 'Asymptote'; }
  pre.src-awk:before { content: 'Awk'; }
  pre.src-C:before { content: 'C'; }
  /* pre.src-C++ doesn't work in CSS */
  pre.src-clojure:before { content: 'Clojure'; }
  pre.src-css:before { content: 'CSS'; }
  pre.src-D:before { content: 'D'; }
  pre.src-ditaa:before { content: 'ditaa'; }
  pre.src-dot:before { content: 'Graphviz'; }
  pre.src-calc:before { content: 'Emacs Calc'; }
  pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
  pre.src-fortran:before { content: 'Fortran'; }
  pre.src-gnuplot:before { content: 'gnuplot'; }
  pre.src-haskell:before { content: 'Haskell'; }
  pre.src-hledger:before { content: 'hledger'; }
  pre.src-java:before { content: 'Java'; }
  pre.src-js:before { content: 'Javascript'; }
  pre.src-latex:before { content: 'LaTeX'; }
  pre.src-ledger:before { content: 'Ledger'; }
  pre.src-lisp:before { content: 'Lisp'; }
  pre.src-lilypond:before { content: 'Lilypond'; }
  pre.src-lua:before { content: 'Lua'; }
  pre.src-matlab:before { content: 'MATLAB'; }
  pre.src-mscgen:before { content: 'Mscgen'; }
  pre.src-ocaml:before { content: 'Objective Caml'; }
  pre.src-octave:before { content: 'Octave'; }
  pre.src-org:before { content: 'Org mode'; }
  pre.src-oz:before { content: 'OZ'; }
  pre.src-plantuml:before { content: 'Plantuml'; }
  pre.src-processing:before { content: 'Processing.js'; }
  pre.src-python:before { content: 'Python'; }
  pre.src-R:before { content: 'R'; }
  pre.src-ruby:before { content: 'Ruby'; }
  pre.src-sass:before { content: 'Sass'; }
  pre.src-scheme:before { content: 'Scheme'; }
  pre.src-screen:before { content: 'Gnu Screen'; }
  pre.src-sed:before { content: 'Sed'; }
  pre.src-sh:before { content: 'shell'; }
  pre.src-sql:before { content: 'SQL'; }
  pre.src-sqlite:before { content: 'SQLite'; }
  /* additional languages in org.el's org-babel-load-languages alist */
  pre.src-forth:before { content: 'Forth'; }
  pre.src-io:before { content: 'IO'; }
  pre.src-J:before { content: 'J'; }
  pre.src-makefile:before { content: 'Makefile'; }
  pre.src-maxima:before { content: 'Maxima'; }
  pre.src-perl:before { content: 'Perl'; }
  pre.src-picolisp:before { content: 'Pico Lisp'; }
  pre.src-scala:before { content: 'Scala'; }
  pre.src-shell:before { content: 'Shell Script'; }
  pre.src-ebnf2ps:before { content: 'ebfn2ps'; }
  /* additional language identifiers per "defun org-babel-execute"
       in ob-*.el */
  pre.src-cpp:before  { content: 'C++'; }
  pre.src-abc:before  { content: 'ABC'; }
  pre.src-coq:before  { content: 'Coq'; }
  pre.src-groovy:before  { content: 'Groovy'; }
  /* additional language identifiers from org-babel-shell-names in
     ob-shell.el: ob-shell is the only babel language using a lambda to put
     the execution function name together. */
  pre.src-bash:before  { content: 'bash'; }
  pre.src-csh:before  { content: 'csh'; }
  pre.src-ash:before  { content: 'ash'; }
  pre.src-dash:before  { content: 'dash'; }
  pre.src-ksh:before  { content: 'ksh'; }
  pre.src-mksh:before  { content: 'mksh'; }
  pre.src-posh:before  { content: 'posh'; }
  /* Additional Emacs modes also supported by the LaTeX listings package */
  pre.src-ada:before { content: 'Ada'; }
  pre.src-asm:before { content: 'Assembler'; }
  pre.src-caml:before { content: 'Caml'; }
  pre.src-delphi:before { content: 'Delphi'; }
  pre.src-html:before { content: 'HTML'; }
  pre.src-idl:before { content: 'IDL'; }
  pre.src-mercury:before { content: 'Mercury'; }
  pre.src-metapost:before { content: 'MetaPost'; }
  pre.src-modula-2:before { content: 'Modula-2'; }
  pre.src-pascal:before { content: 'Pascal'; }
  pre.src-ps:before { content: 'PostScript'; }
  pre.src-prolog:before { content: 'Prolog'; }
  pre.src-simula:before { content: 'Simula'; }
  pre.src-tcl:before { content: 'tcl'; }
  pre.src-tex:before { content: 'TeX'; }
  pre.src-plain-tex:before { content: 'Plain TeX'; }
  pre.src-verilog:before { content: 'Verilog'; }
  pre.src-vhdl:before { content: 'VHDL'; }
  pre.src-xml:before { content: 'XML'; }
  pre.src-nxml:before { content: 'XML'; }
  /* add a generic configuration mode; LaTeX export needs an additional
     (add-to-list 'org-latex-listings-langs '(conf " ")) in .emacs */
  pre.src-conf:before { content: 'Configuration File'; }

  table { border-collapse:collapse; }
  caption.t-above { caption-side: top; }
  caption.t-bottom { caption-side: bottom; }
  td, th { vertical-align:top;  }
  th.org-right  { text-align: center;  }
  th.org-left   { text-align: center;   }
  th.org-center { text-align: center; }
  td.org-right  { text-align: right;  }
  td.org-left   { text-align: left;   }
  td.org-center { text-align: center; }
  dt { font-weight: bold; }
  .footpara { display: inline; }
  .footdef  { margin-bottom: 1em; }
  .figure { padding: 1em; }
  .figure p { text-align: center; }
  .equation-container {
    display: table;
    text-align: center;
    width: 100%;
  }
  .equation {
    vertical-align: middle;
  }
  .equation-label {
    display: table-cell;
    text-align: right;
    vertical-align: middle;
  }
  .inlinetask {
    padding: 10px;
    border: 2px solid gray;
    margin: 10px;
    background: #ffffcc;
  }
  #org-div-home-and-up
   { text-align: right; font-size: 70%; white-space: nowrap; }
  textarea { overflow-x: auto; }
  .linenr { font-size: smaller }
  .code-highlighted { background-color: #ffff00; }
  .org-info-js_info-navigation { border-style: none; }
  #org-info-js_console-label
    { font-size: 10px; font-weight: bold; white-space: nowrap; }
  .org-info-js_search-highlight
    { background-color: #ffff00; color: #000000; font-weight: bold; }
  .org-svg { width: 90%; }
  /*]]>*/-->
</style>
<link rel="stylesheet" type="text/css" href="org.css"/>
<script type="text/javascript">
/*
@licstart  The following is the entire license notice for the
JavaScript code in this tag.

Copyright (C) 2012-2020 Free Software Foundation, Inc.

The JavaScript code in this tag is free software: you can
redistribute it and/or modify it under the terms of the GNU
General Public License (GNU GPL) as published by the Free Software
Foundation, either version 3 of the License, or (at your option)
any later version.  The code is distributed WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU GPL for more details.

As additional permission under GNU GPL version 3 section 7, you
may distribute non-source (e.g., minimized or compacted) forms of
that code without the copy of the GNU GPL normally required by
section 4, provided you include this license notice and a URL
through which recipients can access the Corresponding Source.


@licend  The above is the entire license notice
for the JavaScript code in this tag.
*/
<!--/*--><![CDATA[/*><!--*/
 function CodeHighlightOn(elem, id)
 {
   var target = document.getElementById(id);
   if(null != target) {
     elem.cacheClassElem = elem.className;
     elem.cacheClassTarget = target.className;
     target.className = "code-highlighted";
     elem.className   = "code-highlighted";
   }
 }
 function CodeHighlightOff(elem, id)
 {
   var target = document.getElementById(id);
   if(elem.cacheClassElem)
     elem.className = elem.cacheClassElem;
   if(elem.cacheClassTarget)
     target.className = elem.cacheClassTarget;
 }
/*]]>*///-->
</script>
</head>
<body>
<div id="content">
<h1 class="title">Why eBPF for users is disabled in some distributions.</h1>
<div id="table-of-contents">
<h2>Table of Contents</h2>
<div id="text-table-of-contents">
<ul>
<li><a href="#org68e0573">Why eBPF filter operations are privileged in some distributions ?</a></li>
<li><a href="#org46e237b">Why is this effectively limited to root (CAP_SYS_ADMIN) only?</a></li>
<li><a href="#orgb13b431">How can I give a user access to use eBPF?</a></li>
<li><a href="#org69cd6b3">Conclusion</a></li>
</ul>
</div>
</div>


<div id="outline-container-org68e0573" class="outline-2">
<h2 id="org68e0573">Why eBPF filter operations are privileged in some distributions ?</h2>
<div class="outline-text-2" id="text-org68e0573">
<p>
eBPF is a mechanism in which local users can tell the Linux kernel to attach
pseudocode to tracepoints, kprobes, and perf events in the kernel. This
pseudocode is later translated into native instructions and executed. Because
of this it is heavily used in performance tuning and benchmarking. As this
instrumentation can be carried out without recompiling the kernel, eBPF is very
attractive for systems where this could be prohibitive either due to cost,
downtime, or complexity.
</p>

<p>
Using eBPF requires calling a syscall, bpf(2). This syscall is used for all
eBPF operations like loading programs attaching them to specific events,
creating eBPF maps, and access the map contents from tools. At this time, users
with CAP_SYS_ADMIN capability in the initial namespace can use the bpf(2)
syscall, which is effectively root level privileges.
</p>


<p>
To function correctly, the attached pseudocode requires access to privileged
data from within the kernel. The eBPF developers have created an in-kernel
verification system with in-depth checks before execution to ensure that
potentially malicious code is not permitted.
</p>


<p>
It provides such checks as:
</p>

<ul class="org-ul">
<li>infinite loop prevention,</li>
<li>out of range data access,</li>
<li>invalid register states,</li>
<li>kernel address leakage protection, and</li>
<li>limiting internal function calls.</li>
</ul>
</div>
</div>

<div id="outline-container-org46e237b" class="outline-2">
<h2 id="org46e237b">Why is this effectively limited to root (CAP_SYS_ADMIN) only?</h2>
<div class="outline-text-2" id="text-org46e237b">
<p>
The decision to limit this syscall to a user with CAP_SYS_ADMIN in the initial
namespace was intended to reduce the attack surface available to potential
intruders.
</p>

<p>
The more common use case of eBPF is to diagnose performance or system
bottlenecks that the system is currently facing. As such it is mainly used in
deep system-level debugging and performance tuning scenarios which a non-admin
user on a production system is not supposed to do.
</p>

<p>
Kernel exploits are not a new problem; eBPF creates a new attack vector that
contains additional attack vectors that were not previously accessible. By
limiting the ability to run eBPF syscall to CAP_SYS_ADMIN (or root) only
effectively disallows unprivileged (or regular) users of the system the ability
to attack the kernel using this method. This also limits the attack surface of
the subsystem. A local user with root access is expected to be able to perform
actions that have equivalent or worse impacts.
</p>

<p>
Since pseudocode translation and verification is a complex process, error
handling and preventing malicious behavior is very difficult. New code injected
into the kernel at runtime makes a very useful target for attackers. Even with
these prevention mechanisms in place there have been a number of flaws that
have been found in the eBPF code, especially the verifier itself. Red Hat has
limited eBPF access to a privileged operation and by doing so ensures that
fewer additional rights are granted if eBPF is successfully attacked.
</p>
</div>
</div>

<div id="outline-container-orgb13b431" class="outline-2">
<h2 id="orgb13b431">How can I give a user access to use eBPF?</h2>
<div class="outline-text-2" id="text-orgb13b431">
<p>
One possible workaround is to use setcap(8) to set the CAP_SYS_ADMIN flag on a
trusted binary with minimal attack surface that would call the relevant bpf(2)
syscall. For more information on the capabilities feature of the kernel check
out capabilities(7).
</p>

<p>
The other alternative is to allow the user to execute the specific binary with
the “sudo” command (see sudo(8) and sudoers(8)).
</p>

<p>
Red Hat Enterprise Linux does not have
/proc/sys/kernel/unprivileged_bpf_disabled available to enable access to
unprivileged users, and it is disabled by default. So, if you need it, you're
out of luck.
</p>
</div>
</div>

<div id="outline-container-org69cd6b3" class="outline-2">
<h2 id="org69cd6b3">Conclusion</h2>
<div class="outline-text-2" id="text-org69cd6b3">
<p>
Some Linux distributions, in the future, may ship with the ability to allow
users to insert eBPF rules. At this time RHEL and CENTOS has attempted to
reduce the risk of eBPF exploitation by limiting access to root and
CAP_SYS_ADMIN enabled processes. This trade-off reduces the attack vector on
the system at the cost of limiting which users can take advantage of eBPF
functionality.
</p>
</div>
</div>
</div>
<div id="postamble" class="status">
<p class="author">Author: Wade mealing</p>
<p class="date">Created: 2020-09-02 Wed 13:53</p>
<p class="validation"><a href="http://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>
</html>