From: "Ariadne Conill"
To: ~alpine/devel@lists.alpinelinux.org
Subject: Proposed change: Enable eBPF for root users only
Date: Tue, 11 Feb 2020 09:56:35 +0000
Message-ID: <0ce680254adefb97ca977a49b59bbe93@dereferenced.org>

Hello,

At present, Alpine does not ship kernels that are eBPF enabled.  An
increasing amount of tools are dependent on eBPF, such as the support
for VRFs in iproute2.  Accordingly, I would like to enable eBPF
support for the root user only.

I believe that restricting eBPF to privileged users does not introduce
any new access or privilege to those users that does not already exist.
If you have to be root to make use of the bpf(2) syscall, then you
have to have already rooted the machine in order for eBPF to be useful
to you.  There is a sysctl we can enable which locks bpf(2) down to
root usage only, and I propose that we enable it by default: users who
wish to expose eBPF to unprivileged users may adjust their configuration
to do so.  This would involve placing a warning in the appropriate
configuration file that notes that eBPF could be potentially used by
an unprivileged user to compromise the machine.

Overall, I believe that exposing eBPF to the root user can be used to
enable many security wins in Alpine, such as making it easy to use
VRFs to isolate the management plane from the application plane, e.g.
placing sshd into vrf-mgmt and nginx into vrf-prod or similar.  eBPF
programs can also be used in place of netfilter, allowing for more
powerful packet filtering possibilities.  While those are not yet
realized, putting these tools in the hands of the Alpine community
will allow us to realize both of these possibilities in the future,
possibly in the 3.12 release window (as it is still quite early!)

If there are no objections to this change, I will roll it out this
week.

Thanks,
Ariadne
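
Added example, not part of the original message and not Alpine's own tooling: a shell audit that reports whether bpf(2) is restricted to privileged users, both in the sysctl drop-in configuration and on the running kernel. It assumes the sysctl the message refers to is `kernel.unprivileged_bpf_disabled` (the message does not name it) and that drop-ins live in `/etc/sysctl.d`; the function names are hypothetical.

```shell
#!/bin/sh
# Assumption: the sysctl meant in the message is kernel.unprivileged_bpf_disabled.
KEY_RE='kernel\.unprivileged_bpf_disabled'

# Map a sysctl value to a verdict.
classify_bpf() {
    case "$1" in
        '') echo "unset" ;;       # no setting found / sysctl file absent
        0)  echo "open" ;;        # unprivileged users may call bpf(2)
        1)  echo "locked" ;;      # privileged only; cannot be cleared until reboot
        2)  echo "restricted" ;;  # privileged only; admin may still change it (newer kernels)
        *)  echo "unknown" ;;
    esac
}

# Print the last value assigned to the key across *.conf files in a directory,
# read in lexical order so later files override earlier ones.
# Commented-out assignments are ignored.
configured_value() {
    dir=$1
    last=''
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\$/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then last=$v; fi
    done
    echo "$last"
}

# Compare what the configuration asks for with what the running kernel enforces.
# $1 = sysctl drop-in directory, $2 = procfs file holding the live value
audit() {
    conf=$(configured_value "$1")
    live=''
    if [ -r "$2" ]; then live=$(cat "$2"); fi
    echo "configured=$(classify_bpf "$conf") live=$(classify_bpf "$live")"
}

audit /etc/sysctl.d /proc/sys/kernel/unprivileged_bpf_disabled
```

A result where `configured` is `locked` or `restricted` but `live` is `open` means the drop-in has not been applied to the running kernel.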