[BPF] Unlocking the bpf_probe_write_user helper in controlled scenarios?

From: Nikola Grcevski
Date: Mon Mar 04 2024 - 11:19:05 EST


Since this kernel commit
https://github.com/torvalds/linux/commit/51e1bb9eeaf7868db56e58f47848e364ab4c4129,
the bpf_probe_write_user helper is locked down and cannot be used when
the kernel is set in integrity or security mode. We have a use case
for this helper for BPF-enabled automatic context propagation of
OpenTelemetry trace headers (OpenTelemetry Go Auto Instrumentation and
Grafana Beyla). We write the W3C Trace Context header in outgoing HTTP
requests by using uprobes attached to language-specific HTTP/gRPC
libraries.

Writing the headers might sometimes be possible with the use of the
bpf_skb_store_bytes helper; however, this is not possible when
TLS is enabled, and it becomes very hard when the data is hpack encoded
(e.g. gRPC/HTTP2).

I'm asking if it's possible to reconsider unlocking this helper and if
it's not possible to be fully unlocked, can we unlock it for more
limited use? For example, allowed only in uprobes or only if certain
things (like memory range or PIDs) are specified through a BPF LSM
policy?

Currently when this helper is loaded by the BPF verifier, the lockdown
is checked in this order, so it seems we can only further restrict the
use by an LSM policy:

security_locked_down() {
    lockdown_is_locked_down();
    bpf_lsm_locked_down();
}

Thanks!
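
The call order quoted in the message, as a userspace model added here for illustration (not part of the original mail and not kernel source). It shows why a BPF LSM hook placed after the lockdown check can narrow access but cannot re-enable the helper. The struct, the lockdown levels as modelled and the single-PID policy are assumptions.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model: names follow the mail, bodies are simplified assumptions. */
enum level { LVL_NONE, LVL_INTEGRITY, LVL_CONFIDENTIALITY };

struct ctx {
    enum level lockdown;   /* current lockdown mode */
    int caller_pid;        /* task loading the BPF program */
    int allowed_pid;       /* hypothetical BPF LSM policy; 0 = no policy */
};

/* Lockdown LSM: the write-user helper is refused from integrity mode up. */
static int lockdown_is_locked_down(const struct ctx *c)
{
    return c->lockdown >= LVL_INTEGRITY ? -EPERM : 0;
}

/* BPF LSM hook: hypothetical policy limiting the helper to one PID. */
static int bpf_lsm_locked_down(const struct ctx *c)
{
    if (c->allowed_pid && c->caller_pid != c->allowed_pid)
        return -EPERM;
    return 0;
}

/* Hooks run in order; the first non-zero result is final. */
static int security_locked_down(const struct ctx *c)
{
    int (*hooks[])(const struct ctx *) = { lockdown_is_locked_down, bpf_lsm_locked_down };

    for (size_t i = 0; i < sizeof(hooks) / sizeof(hooks[0]); i++) {
        int rc = hooks[i](c);
        if (rc)
            return rc;      /* later hooks never get to override a denial */
    }
    return 0;
}

int main(void)
{
    struct ctx cases[] = {
        { LVL_NONE, 100, 0 },        /* constructed: no lockdown, no policy */
        { LVL_NONE, 200, 100 },      /* constructed: policy narrows access */
        { LVL_INTEGRITY, 100, 100 }, /* constructed: policy allows, lockdown wins */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("case %zu -> %d\n", i, security_locked_down(&cases[i]));
    return 0;
}
```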