Message-ID: <0d6de607494492941127ad1f0ef96b366d6ab92c.camel@alpinelinux.org>
Subject: Re: Proposed change: Enable eBPF for root users only
From: Nathan Angelacos
To: Ariadne Conill, ~alpine/devel@lists.alpinelinux.org
Date: Wed, 12 Feb 2020 18:59:09 -0500
In-Reply-To: <0ce680254adefb97ca977a49b59bbe93@dereferenced.org>
References: <0ce680254adefb97ca977a49b59bbe93@dereferenced.org>

+1

On Tue, 2020-02-11 at 09:56 +0000, Ariadne Conill wrote:
> Hello,
>
> At present, Alpine does not ship kernels that are eBPF enabled. An
> increasing number of tools are dependent on eBPF, such as the support
> for VRFs in iproute2. Accordingly, I would like to enable eBPF
> support for the root user only.
>
> I believe that restricting eBPF to privileged users does not introduce
> any new access or privilege to those users that does not already exist.
> If you have to be root to make use of the bpf(2) syscall, then you
> have to have already rooted the machine in order for eBPF to be useful
> to you.
>
> There is a sysctl we can enable which locks bpf(2) down to root usage
> only, and I propose that we enable it by default: users who wish to
> expose eBPF to unprivileged users may adjust their configuration to do
> so. This would involve placing a warning in the appropriate
> configuration file that notes that eBPF could be potentially used by
> an unprivileged user to compromise the machine.
>
> Overall, I believe that exposing eBPF to the root user can be used to
> enable many security wins in Alpine, such as making it easy to use
> VRFs to isolate the management plane from the application plane, e.g.
> placing sshd into vrf-mgmt and nginx into vrf-prod or similar. eBPF
> programs can also be used in place of netfilter, allowing for more
> powerful packet filtering possibilities. While those are not yet
> realized, putting these tools in the hands of the Alpine community
> will allow us to realize both of these possibilities in the future,
> possibly in the 3.12 release window (as it is still quite early!)
>
> If there are no objections to this change, I will roll it out this
> week.
>
> Thanks,
> Ariadne
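The sysctl the proposal refers to but does not name is `kernel.unprivileged_bpf_disabled`; the following is an added example (not from this thread or from Alpine's own configuration) that classifies the live value, renders a sysctl.d drop-in carrying the warning the proposal asks for, and reads back the value a sysctl.conf-style file would configure. The drop-in path and the helper names are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Alpine thread. Helper names and the
# drop-in path /etc/sysctl.d/10-bpf.conf are assumptions for illustration.

# Map a kernel.unprivileged_bpf_disabled value to a human-readable status.
# 0 and 1 are the values available on 2020-era kernels; 2 (disabled, but
# root may re-enable) exists on Linux 5.15 and later.
bpf_unpriv_status() {
    case "$1" in
        0) echo "unprivileged bpf(2) ALLOWED" ;;
        1) echo "unprivileged bpf(2) disabled (locked until reboot)" ;;
        2) echo "unprivileged bpf(2) disabled (root may re-enable)" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Read the live setting; report "absent" on kernels built without BPF.
read_bpf_unpriv() {
    f=/proc/sys/kernel/unprivileged_bpf_disabled
    if [ -r "$f" ]; then cat "$f"; else echo "absent"; fi
}

# Render the sysctl.d drop-in, including the warning the proposal describes.
render_sysctl_dropin() {
    cat <<'EOF'
# Restrict the bpf(2) syscall to root. Changing this to 0 exposes eBPF to
# unprivileged users, which could potentially be used to compromise the machine.
kernel.unprivileged_bpf_disabled = 1
EOF
}

# Effective configured value from sysctl.conf-style text on stdin: blanks and
# comments are ignored and, within one file, the last assignment wins.
configured_bpf_value() {
    sed -n 's/^[[:space:]]*kernel\.unprivileged_bpf_disabled[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' |
        tail -n 1
}

# Usage: ./bpf_unpriv.sh check
if [ "${1:-}" = "check" ]; then
    v=$(read_bpf_unpriv)
    echo "live: kernel.unprivileged_bpf_disabled=$v: $(bpf_unpriv_status "$v" || true)"
    echo "proposed drop-in (/etc/sysctl.d/10-bpf.conf):"
    render_sysctl_dropin
fi
```

Install the rendered drop-in and apply it with `sysctl --system`, or `sysctl -w kernel.unprivileged_bpf_disabled=1` for the running kernel; note that a value of 1 cannot be reverted without a reboot.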