mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-25 05:34:00 +08:00
4f3446bb80
This work adds a generic facility for use from eBPF JIT compilers that allows for further hardening of JIT generated images through blinding constants. In response to the original work on BPF JIT spraying published by Keegan McAllister [1], most BPF JITs were changed to make images read-only and start at a randomized offset in the page, where the rest was filled with trap instructions. We have this nowadays in x86, arm, arm64 and s390 JIT compilers. Additionally, later work also made eBPF interpreter images read only for kernels supporting DEBUG_SET_MODULE_RONX, that is, x86, arm, arm64 and s390 archs as well currently. This is done by default for mentioned JITs when JITing is enabled. Furthermore, we had a generic and configurable constant blinding facility on our todo for quite some time now to further make spraying harder, and first implementation since around netconf 2016. We found that for systems where untrusted users can load cBPF/eBPF code where JIT is enabled, start offset randomization helps a bit to make jumps into crafted payload harder, but in case where larger programs that cross page boundary are injected, we again have some part of the program opcodes at a page start offset. With improved guessing and more reliable payload injection, chances can increase to jump into such payload. Elena Reshetova recently wrote a test case for it [2, 3]. Moreover, eBPF comes with 64 bit constants, which can leave some more room for payloads. Note that for all this, additional bugs in the kernel are still required to make the jump (and of course to guess right, to not jump into a trap) and naturally the JIT must be enabled, which is disabled by default. For helping mitigation, the general idea is to provide an option bpf_jit_harden that admins can tweak along with bpf_jit_enable, so that for cases where JIT should be enabled for performance reasons, the generated image can be further hardened with blinding constants for unpriviledged users (bpf_jit_harden == 1), with trading off performance for these, but not for privileged ones. We also added the option of blinding for all users (bpf_jit_harden == 2), which is quite helpful for testing f.e. with test_bpf.ko. There are no further e.g. hardening levels of bpf_jit_harden switch intended, rationale is to have it dead simple to use as on/off. Since this functionality would need to be duplicated over and over for JIT compilers to use, which are already complex enough, we provide a generic eBPF byte-code level based blinding implementation, which is then just transparently JITed. JIT compilers need to make only a few changes to integrate this facility and can be migrated one by one. This option is for eBPF JITs and will be used in x86, arm64, s390 without too much effort, and soon ppc64 JITs, thus that native eBPF can be blinded as well as cBPF to eBPF migrations, so that both can be covered with a single implementation. The rule for JITs is that bpf_jit_blind_constants() must be called from bpf_int_jit_compile(), and in case blinding is disabled, we follow normally with JITing the passed program. In case blinding is enabled and we fail during the process of blinding itself, we must return with the interpreter. Similarly, in case the JITing process after the blinding failed, we return normally to the interpreter with the non-blinded code. Meaning, interpreter doesn't change in any way and operates on eBPF code as usual. For doing this pre-JIT blinding step, we need to make use of a helper/auxiliary register, here BPF_REG_AX. This is strictly internal to the JIT and not in any way part of the eBPF architecture. Just like in the same way as JITs internally make use of some helper registers when emitting code, only that here the helper register is one abstraction level higher in eBPF bytecode, but nevertheless in JIT phase. That helper register is needed since f.e. manually written program can issue loads to all registers of eBPF architecture. The core concept with the additional register is: blind out all 32 and 64 bit constants by converting BPF_K based instructions into a small sequence from K_VAL into ((RND ^ K_VAL) ^ RND). Therefore, this is transformed into: BPF_REG_AX := (RND ^ K_VAL), BPF_REG_AX ^= RND, and REG <OP> BPF_REG_AX, so actual operation on the target register is translated from BPF_K into BPF_X one that is operating on BPF_REG_AX's content. During rewriting phase when blinding, RND is newly generated via prandom_u32() for each processed instruction. 64 bit loads are split into two 32 bit loads to make translation and patching not too complex. Only basic thing required by JITs is to call the helper bpf_jit_blind_constants()/bpf_jit_prog_release_other() pair, and to map BPF_REG_AX into an unused register. Small bpf_jit_disasm extract from [2] when applied to x86 JIT: echo 0 > /proc/sys/net/core/bpf_jit_harden ffffffffa034f5e9 + <x>: [...] 39: mov $0xa8909090,%eax 3e: mov $0xa8909090,%eax 43: mov $0xa8ff3148,%eax 48: mov $0xa89081b4,%eax 4d: mov $0xa8900bb0,%eax 52: mov $0xa810e0c1,%eax 57: mov $0xa8908eb4,%eax 5c: mov $0xa89020b0,%eax [...] echo 1 > /proc/sys/net/core/bpf_jit_harden ffffffffa034f1e5 + <x>: [...] 39: mov $0xe1192563,%r10d 3f: xor $0x4989b5f3,%r10d 46: mov %r10d,%eax 49: mov $0xb8296d93,%r10d 4f: xor $0x10b9fd03,%r10d 56: mov %r10d,%eax 59: mov $0x8c381146,%r10d 5f: xor $0x24c7200e,%r10d 66: mov %r10d,%eax 69: mov $0xeb2a830e,%r10d 6f: xor $0x43ba02ba,%r10d 76: mov %r10d,%eax 79: mov $0xd9730af,%r10d 7f: xor $0xa5073b1f,%r10d 86: mov %r10d,%eax 89: mov $0x9a45662b,%r10d 8f: xor $0x325586ea,%r10d 96: mov %r10d,%eax [...] As can be seen, original constants that carry payload are hidden when enabled, actual operations are transformed from constant-based to register-based ones, making jumps into constants ineffective. Above extract/example uses single BPF load instruction over and over, but of course all instructions with constants are blinded. Performance wise, JIT with blinding performs a bit slower than just JIT and faster than interpreter case. This is expected, since we still get all the performance benefits from JITing and in normal use-cases not every single instruction needs to be blinded. Summing up all 296 test cases averaged over multiple runs from test_bpf.ko suite, interpreter was 55% slower than JIT only and JIT with blinding was 8% slower than JIT only. Since there are also some extremes in the test suite, I expect for ordinary workloads that the performance for the JIT with blinding case is even closer to JIT only case, f.e. nmap test case from suite has averaged timings in ns 29 (JIT), 35 (+ blinding), and 151 (interpreter). BPF test suite, seccomp test suite, eBPF sample code and various bigger networking eBPF programs have been tested with this and were running fine. For testing purposes, I also adapted interpreter and redirected blinded eBPF image to interpreter and also here all tests pass. [1] http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html [2] https://github.com/01org/jit-spray-poc-for-ksp/ [3] http://www.openwall.com/lists/kernel-hardening/2016/05/03/5 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Elena Reshetova <elena.reshetova@intel.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
318 lines
11 KiB
Plaintext
318 lines
11 KiB
Plaintext
Documentation for /proc/sys/net/*
|
|
(c) 1999 Terrehon Bowden <terrehon@pacbell.net>
|
|
Bodo Bauer <bb@ricochet.net>
|
|
(c) 2000 Jorge Nerin <comandante@zaralinux.com>
|
|
(c) 2009 Shen Feng <shen@cn.fujitsu.com>
|
|
|
|
For general info and legal blurb, please look in README.
|
|
|
|
==============================================================
|
|
|
|
This file contains the documentation for the sysctl files in
|
|
/proc/sys/net
|
|
|
|
The interface to the networking parts of the kernel is located in
|
|
/proc/sys/net. The following table shows all possible subdirectories. You may
|
|
see only some of them, depending on your kernel's configuration.
|
|
|
|
|
|
Table : Subdirectories in /proc/sys/net
|
|
..............................................................................
|
|
Directory Content Directory Content
|
|
core General parameter appletalk Appletalk protocol
|
|
unix Unix domain sockets netrom NET/ROM
|
|
802 E802 protocol ax25 AX25
|
|
ethernet Ethernet protocol rose X.25 PLP layer
|
|
ipv4 IP version 4 x25 X.25 protocol
|
|
ipx IPX token-ring IBM token ring
|
|
bridge Bridging decnet DEC net
|
|
ipv6 IP version 6 tipc TIPC
|
|
..............................................................................
|
|
|
|
1. /proc/sys/net/core - Network core options
|
|
-------------------------------------------------------
|
|
|
|
bpf_jit_enable
|
|
--------------
|
|
|
|
This enables Berkeley Packet Filter Just in Time compiler.
|
|
Currently supported on x86_64 architecture, bpf_jit provides a framework
|
|
to speed packet filtering, the one used by tcpdump/libpcap for example.
|
|
Values :
|
|
0 - disable the JIT (default value)
|
|
1 - enable the JIT
|
|
2 - enable the JIT and ask the compiler to emit traces on kernel log.
|
|
|
|
bpf_jit_harden
|
|
--------------
|
|
|
|
This enables hardening for the Berkeley Packet Filter Just in Time compiler.
|
|
Supported are eBPF JIT backends. Enabling hardening trades off performance,
|
|
but can mitigate JIT spraying.
|
|
Values :
|
|
0 - disable JIT hardening (default value)
|
|
1 - enable JIT hardening for unprivileged users only
|
|
2 - enable JIT hardening for all users
|
|
|
|
dev_weight
|
|
--------------
|
|
|
|
The maximum number of packets that kernel can handle on a NAPI interrupt,
|
|
it's a Per-CPU variable.
|
|
Default: 64
|
|
|
|
default_qdisc
|
|
--------------
|
|
|
|
The default queuing discipline to use for network devices. This allows
|
|
overriding the default of pfifo_fast with an alternative. Since the default
|
|
queuing discipline is created without additional parameters so is best suited
|
|
to queuing disciplines that work well without configuration like stochastic
|
|
fair queue (sfq), CoDel (codel) or fair queue CoDel (fq_codel). Don't use
|
|
queuing disciplines like Hierarchical Token Bucket or Deficit Round Robin
|
|
which require setting up classes and bandwidths. Note that physical multiqueue
|
|
interfaces still use mq as root qdisc, which in turn uses this default for its
|
|
leaves. Virtual devices (like e.g. lo or veth) ignore this setting and instead
|
|
default to noqueue.
|
|
Default: pfifo_fast
|
|
|
|
busy_read
|
|
----------------
|
|
Low latency busy poll timeout for socket reads. (needs CONFIG_NET_RX_BUSY_POLL)
|
|
Approximate time in us to busy loop waiting for packets on the device queue.
|
|
This sets the default value of the SO_BUSY_POLL socket option.
|
|
Can be set or overridden per socket by setting socket option SO_BUSY_POLL,
|
|
which is the preferred method of enabling. If you need to enable the feature
|
|
globally via sysctl, a value of 50 is recommended.
|
|
Will increase power usage.
|
|
Default: 0 (off)
|
|
|
|
busy_poll
|
|
----------------
|
|
Low latency busy poll timeout for poll and select. (needs CONFIG_NET_RX_BUSY_POLL)
|
|
Approximate time in us to busy loop waiting for events.
|
|
Recommended value depends on the number of sockets you poll on.
|
|
For several sockets 50, for several hundreds 100.
|
|
For more than that you probably want to use epoll.
|
|
Note that only sockets with SO_BUSY_POLL set will be busy polled,
|
|
so you want to either selectively set SO_BUSY_POLL on those sockets or set
|
|
sysctl.net.busy_read globally.
|
|
Will increase power usage.
|
|
Default: 0 (off)
|
|
|
|
rmem_default
|
|
------------
|
|
|
|
The default setting of the socket receive buffer in bytes.
|
|
|
|
rmem_max
|
|
--------
|
|
|
|
The maximum receive socket buffer size in bytes.
|
|
|
|
tstamp_allow_data
|
|
-----------------
|
|
Allow processes to receive tx timestamps looped together with the original
|
|
packet contents. If disabled, transmit timestamp requests from unprivileged
|
|
processes are dropped unless socket option SOF_TIMESTAMPING_OPT_TSONLY is set.
|
|
Default: 1 (on)
|
|
|
|
|
|
wmem_default
|
|
------------
|
|
|
|
The default setting (in bytes) of the socket send buffer.
|
|
|
|
wmem_max
|
|
--------
|
|
|
|
The maximum send socket buffer size in bytes.
|
|
|
|
message_burst and message_cost
|
|
------------------------------
|
|
|
|
These parameters are used to limit the warning messages written to the kernel
|
|
log from the networking code. They enforce a rate limit to make a
|
|
denial-of-service attack impossible. A higher message_cost factor, results in
|
|
fewer messages that will be written. Message_burst controls when messages will
|
|
be dropped. The default settings limit warning messages to one every five
|
|
seconds.
|
|
|
|
warnings
|
|
--------
|
|
|
|
This sysctl is now unused.
|
|
|
|
This was used to control console messages from the networking stack that
|
|
occur because of problems on the network like duplicate address or bad
|
|
checksums.
|
|
|
|
These messages are now emitted at KERN_DEBUG and can generally be enabled
|
|
and controlled by the dynamic_debug facility.
|
|
|
|
netdev_budget
|
|
-------------
|
|
|
|
Maximum number of packets taken from all interfaces in one polling cycle (NAPI
|
|
poll). In one polling cycle interfaces which are registered to polling are
|
|
probed in a round-robin manner.
|
|
|
|
netdev_max_backlog
|
|
------------------
|
|
|
|
Maximum number of packets, queued on the INPUT side, when the interface
|
|
receives packets faster than kernel can process them.
|
|
|
|
netdev_rss_key
|
|
--------------
|
|
|
|
RSS (Receive Side Scaling) enabled drivers use a 40 bytes host key that is
|
|
randomly generated.
|
|
Some user space might need to gather its content even if drivers do not
|
|
provide ethtool -x support yet.
|
|
|
|
myhost:~# cat /proc/sys/net/core/netdev_rss_key
|
|
84:50:f4:00:a8:15:d1:a7:e9:7f:1d:60:35:c7:47:25:42:97:74:ca:56:bb:b6:a1:d8: ... (52 bytes total)
|
|
|
|
File contains nul bytes if no driver ever called netdev_rss_key_fill() function.
|
|
Note:
|
|
/proc/sys/net/core/netdev_rss_key contains 52 bytes of key,
|
|
but most drivers only use 40 bytes of it.
|
|
|
|
myhost:~# ethtool -x eth0
|
|
RX flow hash indirection table for eth0 with 8 RX ring(s):
|
|
0: 0 1 2 3 4 5 6 7
|
|
RSS hash key:
|
|
84:50:f4:00:a8:15:d1:a7:e9:7f:1d:60:35:c7:47:25:42:97:74:ca:56:bb:b6:a1:d8:43:e3:c9:0c:fd:17:55:c2:3a:4d:69:ed:f1:42:89
|
|
|
|
netdev_tstamp_prequeue
|
|
----------------------
|
|
|
|
If set to 0, RX packet timestamps can be sampled after RPS processing, when
|
|
the target CPU processes packets. It might give some delay on timestamps, but
|
|
permit to distribute the load on several cpus.
|
|
|
|
If set to 1 (default), timestamps are sampled as soon as possible, before
|
|
queueing.
|
|
|
|
optmem_max
|
|
----------
|
|
|
|
Maximum ancillary buffer size allowed per socket. Ancillary data is a sequence
|
|
of struct cmsghdr structures with appended data.
|
|
|
|
2. /proc/sys/net/unix - Parameters for Unix domain sockets
|
|
-------------------------------------------------------
|
|
|
|
There is only one file in this directory.
|
|
unix_dgram_qlen limits the max number of datagrams queued in Unix domain
|
|
socket's buffer. It will not take effect unless PF_UNIX flag is specified.
|
|
|
|
|
|
3. /proc/sys/net/ipv4 - IPV4 settings
|
|
-------------------------------------------------------
|
|
Please see: Documentation/networking/ip-sysctl.txt and ipvs-sysctl.txt for
|
|
descriptions of these entries.
|
|
|
|
|
|
4. Appletalk
|
|
-------------------------------------------------------
|
|
|
|
The /proc/sys/net/appletalk directory holds the Appletalk configuration data
|
|
when Appletalk is loaded. The configurable parameters are:
|
|
|
|
aarp-expiry-time
|
|
----------------
|
|
|
|
The amount of time we keep an ARP entry before expiring it. Used to age out
|
|
old hosts.
|
|
|
|
aarp-resolve-time
|
|
-----------------
|
|
|
|
The amount of time we will spend trying to resolve an Appletalk address.
|
|
|
|
aarp-retransmit-limit
|
|
---------------------
|
|
|
|
The number of times we will retransmit a query before giving up.
|
|
|
|
aarp-tick-time
|
|
--------------
|
|
|
|
Controls the rate at which expires are checked.
|
|
|
|
The directory /proc/net/appletalk holds the list of active Appletalk sockets
|
|
on a machine.
|
|
|
|
The fields indicate the DDP type, the local address (in network:node format)
|
|
the remote address, the size of the transmit pending queue, the size of the
|
|
received queue (bytes waiting for applications to read) the state and the uid
|
|
owning the socket.
|
|
|
|
/proc/net/atalk_iface lists all the interfaces configured for appletalk.It
|
|
shows the name of the interface, its Appletalk address, the network range on
|
|
that address (or network number for phase 1 networks), and the status of the
|
|
interface.
|
|
|
|
/proc/net/atalk_route lists each known network route. It lists the target
|
|
(network) that the route leads to, the router (may be directly connected), the
|
|
route flags, and the device the route is using.
|
|
|
|
|
|
5. IPX
|
|
-------------------------------------------------------
|
|
|
|
The IPX protocol has no tunable values in proc/sys/net.
|
|
|
|
The IPX protocol does, however, provide proc/net/ipx. This lists each IPX
|
|
socket giving the local and remote addresses in Novell format (that is
|
|
network:node:port). In accordance with the strange Novell tradition,
|
|
everything but the port is in hex. Not_Connected is displayed for sockets that
|
|
are not tied to a specific remote address. The Tx and Rx queue sizes indicate
|
|
the number of bytes pending for transmission and reception. The state
|
|
indicates the state the socket is in and the uid is the owning uid of the
|
|
socket.
|
|
|
|
The /proc/net/ipx_interface file lists all IPX interfaces. For each interface
|
|
it gives the network number, the node number, and indicates if the network is
|
|
the primary network. It also indicates which device it is bound to (or
|
|
Internal for internal networks) and the Frame Type if appropriate. Linux
|
|
supports 802.3, 802.2, 802.2 SNAP and DIX (Blue Book) ethernet framing for
|
|
IPX.
|
|
|
|
The /proc/net/ipx_route table holds a list of IPX routes. For each route it
|
|
gives the destination network, the router node (or Directly) and the network
|
|
address of the router (or Connected) for internal networks.
|
|
|
|
6. TIPC
|
|
-------------------------------------------------------
|
|
|
|
tipc_rmem
|
|
----------
|
|
|
|
The TIPC protocol now has a tunable for the receive memory, similar to the
|
|
tcp_rmem - i.e. a vector of 3 INTEGERs: (min, default, max)
|
|
|
|
# cat /proc/sys/net/tipc/tipc_rmem
|
|
4252725 34021800 68043600
|
|
#
|
|
|
|
The max value is set to CONN_OVERLOAD_LIMIT, and the default and min values
|
|
are scaled (shifted) versions of that same value. Note that the min value
|
|
is not at this point in time used in any meaningful way, but the triplet is
|
|
preserved in order to be consistent with things like tcp_rmem.
|
|
|
|
named_timeout
|
|
--------------
|
|
|
|
TIPC name table updates are distributed asynchronously in a cluster, without
|
|
any form of transaction handling. This means that different race scenarios are
|
|
possible. One such is that a name withdrawal sent out by one node and received
|
|
by another node may arrive after a second, overlapping name publication already
|
|
has been accepted from a third node, although the conflicting updates
|
|
originally may have been issued in the correct sequential order.
|
|
If named_timeout is nonzero, failed topology updates will be placed on a defer
|
|
queue until another event arrives that clears the error, or until the timeout
|
|
expires. Value is in milliseconds.
|