bpf: make unprivileged BPF a compile time choice

teknoraver · Nobody · commit dad33b08616c · 2022-04-04T17:07:40.000-07:00
Add a compile time option to permanently disable unprivileged BPF and
the corresponding sysctl handler so that there's absolutely no
concern about unprivileged BPF being enabled from userspace during
runtime. Special purpose kernels can benefit from the build-time
assurance that unprivileged eBPF is disabled in all of their kernel
builds rather than having to rely on userspace to permanently disable
it at boot time.
The default behaviour is left unchanged, which is: unprivileged BPF
compiled in but disabled at boot.

Signed-off-by: Matteo Croce &lt;mcroce@microsoft.com&gt;
diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
@@ -67,10 +67,18 @@ config BPF_JIT_DEFAULT_ON
 	def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
 	depends on HAVE_EBPF_JIT && BPF_JIT
 
+config BPF_UNPRIV
+	bool "Unprivileged BPF"
+	default y
+	depends on BPF_SYSCALL
+	help
+	  Enables unprivileged BPF and the corresponding
+	  /proc/sys/kernel/unprivileged_bpf_disabled knob.
+
 config BPF_UNPRIV_DEFAULT_OFF
 	bool "Disable unprivileged BPF by default"
 	default y
-	depends on BPF_SYSCALL
+	depends on BPF_UNPRIV
 	help
 	  Disables unprivileged BPF by default by setting the corresponding
 	  /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
@@ -53,7 +53,9 @@ static DEFINE_IDR(link_idr);
 static DEFINE_SPINLOCK(link_idr_lock);
 
 int sysctl_unprivileged_bpf_disabled __read_mostly =
-	IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0;
+	IS_BUILTIN(CONFIG_BPF_UNPRIV) ?
+		(IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0)
+		: 1;
 
 static const struct bpf_map_ops * const bpf_map_types[] = {
 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
@@ -184,6 +184,7 @@ void __weak unpriv_ebpf_notify(int new_state)
 {
 }
 
+#ifdef CONFIG_BPF_UNPRIV
 static int bpf_unpriv_handler(struct ctl_table *table, int write,
 			      void *buffer, size_t *lenp, loff_t *ppos)
 {
@@ -206,6 +207,7 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write,
 
 	return ret;
 }
+#endif /* CONFIG_BPF_UNPRIV */
 #endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */
 
 /*
@@ -2300,6 +2302,7 @@ static struct ctl_table kern_table[] = {
 	},
 #endif
 #ifdef CONFIG_BPF_SYSCALL
+#ifdef CONFIG_BPF_UNPRIV
 	{
 		.procname	= "unprivileged_bpf_disabled",
 		.data		= &sysctl_unprivileged_bpf_disabled,
@@ -2309,6 +2312,7 @@ static struct ctl_table kern_table[] = {
 		.extra1		= SYSCTL_ZERO,
 		.extra2		= SYSCTL_TWO,
 	},
+#endif
 	{
 		.procname	= "bpf_stats_enabled",
 		.data		= &bpf_stats_enabled_key.key,

Original file line number	Diff line number	Diff line change
`@@ -184,6 +184,7 @@ void __weak unpriv_ebpf_notify(int new_state)`
`184`	`184`	`{`
`185`	`185`	`}`
`186`	`186`
	`187`	`+#ifdef CONFIG_BPF_UNPRIV`
`187`	`188`	`static int bpf_unpriv_handler(struct ctl_table *table, int write,`
`188`	`189`	`void buffer, size_t lenp, loff_t *ppos)`
`189`	`190`	`{`
`@@ -206,6 +207,7 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write,`
`206`	`207`
`207`	`208`	`return ret;`
`208`	`209`	`}`
	`210`	`+#endif /* CONFIG_BPF_UNPRIV */`
`209`	`211`	`#endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */`
`210`	`212`
`211`	`213`	`/*`
`@@ -2300,6 +2302,7 @@ static struct ctl_table kern_table[] = {`
`2300`	`2302`	`},`
`2301`	`2303`	`#endif`
`2302`	`2304`	`#ifdef CONFIG_BPF_SYSCALL`
	`2305`	`+#ifdef CONFIG_BPF_UNPRIV`
`2303`	`2306`	`{`
`2304`	`2307`	`.procname = "unprivileged_bpf_disabled",`
`2305`	`2308`	`.data = &sysctl_unprivileged_bpf_disabled,`
`@@ -2309,6 +2312,7 @@ static struct ctl_table kern_table[] = {`
`2309`	`2312`	`.extra1 = SYSCTL_ZERO,`
`2310`	`2313`	`.extra2 = SYSCTL_TWO,`
`2311`	`2314`	`},`
	`2315`	`+#endif`
`2312`	`2316`	`{`
`2313`	`2317`	`.procname = "bpf_stats_enabled",`
`2314`	`2318`	`.data = &bpf_stats_enabled_key.key,`