Subject: Re: Proposed change: Enable eBPF for root users only
From: Natanael Copa
To: Ariadne Conill
Cc: ~alpine/devel@lists.alpinelinux.org
Date: Thu, 20 Feb 2020 14:35:06 -0300
Message-Id: <779E84F6-2BEB-421D-A529-1C8E23EE4F61@alpinelinux.org>
In-Reply-To: <0ce680254adefb97ca977a49b59bbe93@dereferenced.org>
References: <0ce680254adefb97ca977a49b59bbe93@dereferenced.org>

Hi!

> On 11 Feb 2020 at 06:56, Ariadne Conill wrote:
>
> Hello,
>
> At present, Alpine does not ship kernels that are eBPF enabled. An
> increasing number of tools are dependent on eBPF, such as the support
> for VRFs in iproute2. Accordingly, I would like to enable eBPF
> support for the root user only.
>
> I believe that restricting eBPF to privileged users does not introduce
> any new access or privilege to those users that does not already exist.
> If you have to be root to make use of the bpf(2) syscall, then you
> have to have already rooted the machine in order for eBPF to be useful
> to you. There is a sysctl we can enable which locks bpf(2) down to
> root usage only, and I propose that we enable it by default: users who
> wish to expose eBPF to unprivileged users may adjust their configuration
> to do so. This would involve placing a warning in the appropriate
> configuration file that notes that eBPF could be potentially used by
> an unprivileged user to compromise the machine.

My biggest complaint against eBPF has been that it opens up a new attack
vector that cannot be disabled with a boot option or sysctl. There have
been some CVEs related to this already.

> Overall, I believe that exposing eBPF to the root user can be used to
> enable many security wins in Alpine, such as making it easy to use
> VRFs to isolate the management plane from the application plane, e.g.
> placing sshd into vrf-mgmt and nginx into vrf-prod or similar. eBPF
> programs can also be used in place of netfilter, allowing for more
> powerful packet filtering possibilities. While those are not yet
> realized, putting these tools in the hands of the Alpine community
> will allow us to realize both of these possibilities in the future,
> possibly in the 3.12 release window (as it is still quite early!)

I think eBPF is a generally scary feature and we should not be too quick
to enable it. I guess there has been enough time now for it to mature, so
I think we can enable it.

> If there are no objections to this change, I will roll it out this
> week.

Seems like it was pushed already. For the record, I gave my ok to enable
this to Carlo in private before that happened. I guess it would have
been better if I had responded to the email earlier. Sorry for that.

Thanks!

-nc

>
> Thanks,
> Ariadne
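The sysctl the proposal refers to is kernel.unprivileged_bpf_disabled; the thread does not name it, and the script below is an added example rather than anything from Alpine's tree. It audits the live value, explains what each value means, and renders the kind of sysctl.d fragment (with the warning Ariadne describes) that a distribution would ship; the file name /etc/sysctl.d/10-bpf.conf is an assumption.

```shell
#!/bin/sh
# Added example, not from the Alpine thread or the Alpine package tree.
# Audits kernel.unprivileged_bpf_disabled, the sysctl that restricts the
# bpf(2) syscall to privileged callers. Documented kernel semantics:
#   0 = unprivileged bpf(2) allowed
#   1 = disabled, cannot be re-enabled until reboot
#   2 = disabled, but root may set it back to 0 (kernel 5.15 and later)
SYSCTL_PATH=/proc/sys/kernel/unprivileged_bpf_disabled

# Map a raw sysctl value to a verdict. Returns 0 when unprivileged bpf(2)
# is restricted, 1 when it is exposed or the value is unrecognised.
bpf_policy() {
    case "$1" in
        0) echo "unprivileged bpf(2) ALLOWED: set kernel.unprivileged_bpf_disabled=1"
           return 1 ;;
        1) echo "unprivileged bpf(2) disabled (locked until reboot)"
           return 0 ;;
        2) echo "unprivileged bpf(2) disabled (root may re-enable)"
           return 0 ;;
        *) echo "unknown value '$1'"
           return 1 ;;
    esac
}

# Read the live value. A missing sysctl means the kernel was built without
# eBPF (as the pre-change Alpine kernels were) or is too old to offer it.
check_unprivileged_bpf() {
    if [ -r "$SYSCTL_PATH" ]; then
        bpf_policy "$(cat "$SYSCTL_PATH")"
    else
        echo "sysctl absent: kernel built without eBPF or too old"
        return 1
    fi
}

# Render the sysctl.d fragment the proposal describes: the hardened default
# plus the warning aimed at admins who choose to loosen it. Assumed path.
render_sysctl_fragment() {
    cat <<'EOF'
# /etc/sysctl.d/10-bpf.conf (assumed file name)
# WARNING: setting this to 0 exposes bpf(2) to unprivileged users. The
# eBPF verifier has had CVEs; only do so if you accept that risk.
kernel.unprivileged_bpf_disabled = 1
EOF
}
```

Run check_unprivileged_bpf on a host to see the live verdict; its exit status makes it usable from a hardening checklist.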