update systemd bpf mount unit file to be more secure #10793
Comments
cc @borkmann
thanks for opening the issue @travisghansen!
@travisghansen, by default it's
Ok not sure where Arch got those options... might be good to see what it is on CentOS 8 or Ubuntu as well. I will say the options above at least crudely work with Cilium as that's what I used and initial testing shows files in the dir and traffic flowing at a basic level.
I may have misunderstood the context of the earlier comment as well. I'm less concerned about Cilium rules than I am about foreign stuff being created in the fs due to such permissive options. Here's a fresh CentOS 8 install where support for bpf appears to be 'native' in some shape or form... notice the options are exactly the same as what I proposed, as used by Arch as well:
Ok, fair enough, I presume newer systemd is auto-mounting in this case. bpffs only takes the mode into account (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/inode.c#n606), but having the rest doesn't hurt. Could you send a PR to update the Cilium unit file? Thanks
For the record, on a quick grep I see at least three locations where we have this systemd snippet:
Yeah, I assumed the same thing regarding newer versions of systemd auto-detecting and mounting. I'm pretty strapped for time (and I'm pretty weak with
Ok, no problem, I'll look into it.
Given bpf fs wasn't mounted before, then mount it with stricter permissions than the default ones (777). Also add a few other options as discussed in #10793 such as `nosuid,nodev,noexec`, though at least from the bpf fs side these are ignored.
Fixes: #10793
Reported-by: Travis Glenn Hansen <travisghansen@yahoo.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[ upstream commit 95529fb ]
Given bpf fs wasn't mounted before, then mount it with stricter permissions than the default ones (777). Also add a few other options as discussed in #10793 such as `nosuid,nodev,noexec`, though at least from the bpf fs side these are ignored.
Fixes: #10793
Reported-by: Travis Glenn Hansen <travisghansen@yahoo.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Joe Stringer <joe@cilium.io>
How to reproduce the issue
The example systemd unit file found here: https://cilium.readthedocs.io/en/stable/kubernetes/configuration/#bpffs-systemd resulted in (what I think are) pretty insecure permissions for the `/sys/fs/bpf` directory for me on a CentOS 7 install (don't have it in front of me directly right now, but it was essentially 777 with some tmp mode set). I updated it to the following to lock it down a bit tighter:

I don't know enough about `bpf` to say if it was truly dangerous, but by the little that I do know of the nature of `bpf` I'd rather be safe than sorry :)
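As an added example (not code from the issue, the Cilium project or the kernel), a small POSIX sh audit of a /proc/self/mounts line for the two points this thread settles on: a bpffs mode that grants nothing to other users (the kernel applies 777 when no mode= is given) and the nosuid,nodev,noexec options. The sample mount lines are constructed, and mode=700 as the strict target is an assumption; the thread only says "stricter than 777".

```sh
#!/bin/sh
# Added example, not code from the Cilium project: audit a bpffs mount line
# for the hardening discussed in the thread above. A line in /proc/self/mounts
# looks like "bpffs /sys/fs/bpf bpf rw,relatime 0 0"; the kernel only honours
# mode= on bpffs and defaults to 777 when it is absent.

# Print the options field of the bpffs mount line (empty if not a bpf mount).
mount_opts() {
    printf '%s\n' "$1" | awk '$3 == "bpf" { print $4 }'
}

# Print the mode= value, or the kernel default 777 when no mode= is present.
bpf_mode() {
    opts=$(mount_opts "$1")
    mode=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^mode=//p')
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else echo 777; fi
}

# Succeed only when every option named in $2 (space separated) is set.
has_opts() {
    opts=$(mount_opts "$1")
    for want in $2; do
        printf ',%s,\n' "$opts" | grep -q ",$want," || return 1
    done
    return 0
}

# Verdict: the "others" permission digit must be 0, and nosuid,nodev,noexec
# must be set (bpffs ignores them, but they cost nothing and document intent).
audit_bpf_mount() {
    mode=$(bpf_mode "$1")
    case "$mode" in
        *0) ;;
        *) echo "weak: mode=$mode grants access to other users"; return 1 ;;
    esac
    has_opts "$1" "nosuid nodev noexec" || {
        echo "weak: nosuid,nodev,noexec not all set"; return 1; }
    echo "ok: mode=$mode"
}

# Constructed sample lines (not captured from a real host). mode=700 as the
# strict target is an assumption; the thread only says "stricter than 777".
DEFAULT_LINE='bpffs /sys/fs/bpf bpf rw,relatime 0 0'
STRICT_LINE='bpffs /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0'

# Check the live system when one is available; "|| :" keeps a weak mount
# from aborting a caller that runs with set -e.
if [ -r /proc/self/mounts ]; then
    audit_bpf_mount "$(grep ' bpf ' /proc/self/mounts | head -n 1)" || :
fi
```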