From: Richard Mortier
Date: Thu, 13 Feb 2020 12:23:59 +0000
Subject: Re: Proposed change: Enable eBPF for root users only
To: Nathan Angelacos, Ariadne Conill
Cc: ~alpine/devel@lists.alpinelinux.org

+1

On Wed, 12 Feb 2020 at 23:59, Nathan Angelacos wrote:
>
> +1
>
> On Tue, 2020-02-11 at 09:56 +0000, Ariadne Conill wrote:
> > Hello,
> >
> > At present, Alpine does not ship kernels that are eBPF enabled. An
> > increasing amount of tools are dependent on eBPF, such as the support
> > for VRFs in iproute2. Accordingly, I would like to enable eBPF
> > support for the root user only.
> >
> > I believe that restricting eBPF to privileged users does not introduce
> > any new access or privilege to those users that does not already exist.
> > If you have to be root to make use of the bpf(2) syscall, then you
> > have to have already rooted the machine in order for eBPF to be useful
> > to you. There is a sysctl we can enable which locks bpf(2) down to
> > root usage only, and I propose that we enable it by default: users who
> > wish to expose eBPF to unprivileged users may adjust their configuration
> > to do so. This would involve placing a warning in the appropriate
> > configuration file that notes that eBPF could be potentially used by
> > an unprivileged user to compromise the machine.
> >
> > Overall, I believe that exposing eBPF to the root user can be used to
> > enable many security wins in Alpine, such as making it easy to use
> > VRFs to isolate the management plane from the application plane, e.g.
> > placing sshd into vrf-mgmt and nginx into vrf-prod or similar. eBPF
> > programs can also be used in place of netfilter, allowing for more
> > powerful packet filtering possibilities. While those are not yet
> > realized, putting these tools in the hands of the Alpine community
> > will allow us to realize both of these possibilities in the future,
> > possibly in the 3.12 release window (as it is still quite early!)
> >
> > If there are no objections to this change, I will roll it out this
> > week.
> >
> > Thanks,
> > Ariadne
>

-- 
Richard Mortier
mort@cantab.net
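
A way to audit the default proposed in the quoted message, as an added example that is not part of the thread or of Alpine's own tooling. It assumes the sysctl referred to is `kernel.unprivileged_bpf_disabled`; the function names and the optional root-directory argument are illustrative.

```shell
#!/bin/sh
# Added example: audit whether bpf(2) is restricted to privileged users.
# Assumption: the sysctl meant in the thread is kernel.unprivileged_bpf_disabled.
# Each function takes an optional root directory so it can be run against a
# constructed tree; with no argument it inspects the live system.

# Print the runtime state: unrestricted | restricted-locked | restricted | absent | unknown
bpf_runtime_state() {
    f="${1:-}/proc/sys/kernel/unprivileged_bpf_disabled"
    # Knob absent, e.g. a kernel built without the bpf syscall.
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        0) echo unrestricted ;;        # any user may call bpf(2)
        1) echo restricted-locked ;;   # privileged only; cannot go back to 0 until reboot
        2) echo restricted ;;          # privileged only; an admin may still change it
        *) echo unknown ;;
    esac
}

# Print every persistent assignment of the knob as "file:value".
bpf_persisted() {
    root="${1:-}"
    for f in "$root"/etc/sysctl.conf "$root"/etc/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        # Strip whitespace, drop comment lines, keep only assignments of the knob.
        sed -e 's/[[:space:]]//g' -e '/^[#;]/d' "$f" |
            awk -F= -v f="${f#"$root"}" \
                '$1 == "kernel.unprivileged_bpf_disabled" { print f ":" $2 }'
    done
}

# Return 0 only if the runtime value is restrictive and no config file sets 0.
# An absent knob is reported by bpf_runtime_state and is not counted as root-only.
bpf_root_only() {
    case "$(bpf_runtime_state "$1")" in
        restricted|restricted-locked) ;;
        *) return 1 ;;
    esac
    ! bpf_persisted "$1" | grep -q ':0$'
}
# Usage on a live host: bpf_root_only && echo "bpf(2) is limited to privileged users"
```

A restrictive runtime value paired with a configuration file that assigns 0 is reported as a failure, since the persisted setting would re-open bpf(2) to unprivileged users once it is applied.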