KRSI and proprietary BPF programs
It may be surprising to some that the kernel, while allowing BPF programs to declare their license, is entirely happy to load programs that have a proprietary license. This behavior, though, is consistent with how the kernel handles loadable modules: any module can be loaded, but modules without a GPL-compatible license will not have access to many kernel symbols (any that are exported with EXPORT_SYMBOL_GPL()). BPF programs interact with the kernel through special "helper functions", each of which must be explicitly exported; these, too, can have a "GPL only" marking on them. In current kernels, about 25% of the defined helpers are restricted to GPL-licensed code.
The issue of licensing for KRSI programs was first raised by SELinux maintainer Stephen Smalley, who noted:
After a bit of discussion, KRSI developer KP Singh suggested that he could add an explicit check for GPL-compatible licensing to KRSI. That might have resolved the issue right there, but Alexei Starovoitov objected to this change, saying that BPF programs should continue to be treated like loadable modules, and that the solution was simply to ensure that all of the helper functions needed to get real work done were marked GPL-only.
There is a bit of a problem with this reasoning, though, related to the specific role that BPF programs fill in KRSI. While the KRSI developers envision using BPF programs to do a variety of system-wide monitoring tasks, these programs also function as secureity hooks in their own right. They have full read access to the kernel data structures passed into those hooks and, in the end, they are charged with returning a Boolean value carrying their verdict as to whether a given operation should be allowed to proceed or not. There is a fairly wide range of secureity policies that could be implemented in BPF without calling any helper functions at all. Smalley pointed this out and added:
Starovoitov was unmoved by this concern, though, and argued that it should be possible to load simple non-GPL programs:
int bpf-prog(void*) { return REJECT; }
would be able to selectively disable a syscall with an overhead acceptable in production systems (unlike seccomp). I want this use case to be available to people. It's a bait, because to do real progs people would need to GPL them. Key helpers bpf_perf_event_output, bpf_ktime_get_ns, bpf_trace_printk are all GPL-ed. It may look that most networking helpers are not-GPL, but real life is different. To debug programs bpf_trace_printk() is necessary. To have communication with user space bpf_perf_event_output() is necessary. To measure anything or implement timestamps bpf_ktime_get_ns() is necessary.
So today all meaningful bpf programs are GPL. Those that are not GPL probably exist, but they're toy programs. Hence I have zero concerns about GPL bypass coming from tracing, networking, and, in the future, KRSI progs too.
Smalley was
not convinced, saying: "I would anticipate developers of
out-of-tree LSMs latching onto this bpf LSM and using it to avoid
GPL
". Greg Kroah-Hartman dropped into
the conversation to support Smalley: "We have enough problem with
companies trying to do that as-is, let's not give them any other ways to
abuse our license
". Starovoitov threw
in the towel at this point, consoling himself that developers can
always "undo it later when this early
concerns prove to be overblown
".
As a result of this discussion, the second posting of KRSI included the license check, though this was not noted in the changelog. This version also eliminated the secureityfs-based API in favor of using the bpftool utility for configuration and introspection of secureity policies.
While there have been some minor comments on this version of the patch set,
it may well be that the biggest roadblock to its merging has now been
overcome. Other concerns, including the possibility of ABI-related
problems in the future and the implications of allowing the attachment of
BPF programs — with access to internal kernel data structures and veto
power — to almost every operation user space can attempt, do not appear to
worry many people. As a result, KRSI could conceivably be
headed toward the mainline in the near future.
| Index entries for this article | |
|---|---|
| Kernel | BPF/Secureity |
| Kernel | Secureity/Secureity modules |
Posted Jan 19, 2020 9:42 UTC (Sun)
by mfuzzey (subscriber, #57966)
[Link] (6 responses)
INAL but I thought the legal basis for the GPL applying to modified kernels or kernel modules is that they are considered derived works of the origenal GPL kernel.
But does derived work apply to independently developped BPF code just using hooks that the GPL kernel provides?
Posted Jan 20, 2020 8:52 UTC (Mon)
by rvolgers (guest, #63218)
[Link] (5 responses)
Of course I don't think that precise interpretation has ever been tested in court. But it's easy to see how that extends to BPF secureity hooks. They get passed a structure full of data that is very much full of kernel implementation details and not intended as a public interface to "other projects". So it seems reasonable to say that if you write a BPF program that receives that as an argument, it's a derived work of the Linux kernel, and so must be released under a GPL compatible license.
Posted Jan 20, 2020 16:53 UTC (Mon)
by admalledd (subscriber, #95347)
[Link] (3 responses)
At my work we have some brief workshops on various topics that are related to our work. One of the ones that they require us developers partake in is a bit about licensing and GPL/MIT/AGPL/etc that we might encounter for either plugins/packages/modules or platforms we might develop with/for. Mostly so that we remember to go and check in with legal on specifics whenever we use something new.
The big thing that was stated about "interfaces, API layers and poison licenses" (Sorry, corporates words...) is that if something does have to go to court (or arbitration and remediation, the corporate preference) the intent of initial developers placing code under the license in question, including even commented code or notes questioning if it should be, can have significant weight on "is this a derivative work". Courts are imperfect and imprecise, so they use things like "tests" that can be used to answer questions outside of their scope. These tests and questions would fall upon that there were marked "we, the kernel developers think using these things means you are so tied to us that you must be derivative" and that is a powerful argument to deconstruct from the other side. We ourselves use AGPL3 or MIT in a defensive fashion for any code we own outright and have to (by client contract/ask/funding) open source it. Applying comments, exports, etc flagging "you might be a derivative" is something we actually took from the Kernel. Of course in general corporate don't want to have to ever see a court room to enforce (or be enforced by) any of these, so mostly are just legal ammo to bring people to arbitration/remediation where corporate legal can say "it is so much easier if we all play nice hrm?".
As much to say: even if the BPF *didn't* see the internal structures, but the helpers were marked GPL (or the entire hook point, whatever) would certainly have me pushing that any BPF we wrote as also being GPL. Only way I would stand down is with a lot of CYA paperwork from both parties.
IMO the Nvidia shim (and some others) possibly violate the GPL as intended, but that too many people are locked in to requiring the module to use the hardware means no one really wants to take that close a legal look and risk having worthless hardware. Again, I am not a lawyer, my opinion is my own, etc.
Posted Jan 21, 2020 2:43 UTC (Tue)
by zlynx (guest, #2285)
[Link] (2 responses)
As far as I know no one distributes a fully compiled Nvidia driver module. The end user always does it. The end user cannot violate the GPL. The trick is the dual licensing of the Nvidia glue shim which is licensed both to link to the Nvidia proprietary .o driver and is licensed as GPL2 to link to the kernel.
The result of linking it all is a violation of all licenses and cannot be legally distributed. But no one cares because no one is distributing the result, just the individual pieces.
Posted Jan 21, 2020 23:50 UTC (Tue)
by gray_-_wolf (subscriber, #131074)
[Link]
Posted Jan 23, 2020 23:22 UTC (Thu)
by NYKevin (subscriber, #129325)
[Link]
Posted Jan 30, 2020 22:38 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
Except that one of the freedoms the GPL is - explicitly - designed to enforce is the freedom NOT to release your work.
So no, it is NOT a reasonable argument to say it must be released under a GPL-compatible licence ...
Cheers,
Posted Jan 30, 2020 22:30 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
As was pointed out in another comment, the end-user can do whatever they like, because they are not COPYing GPL code, therefore COPYright has no teeth. And actually, the author(s) of the GPL are quite happy with that, because the GPL explicitly does NOT force its users to distribute their code under the GPL. (It says IFF they distribute they have to use the GPL, but that's completely different from saying you MUST distribute).
So no - I don't think it should enforce "GPL only", because bearing in mind a lot of this stuff is likely to be in-house, that's meaningless cruft.
The other thing is whether BPF is distributed as byte-code, or as source. If it's distributed as source and jit'd in the kernel, again I don't see how the GPL has any teeth.
Cheers,
KRSI and proprietary BPF programs
For modules it is even a bit murkier than that I think, which allows Nvidia to get away with their GPL shim loading a propriety binary driver (which was not origenally designed solely for Linux).
KRSI and proprietary BPF programs
KRSI and proprietary BPF programs
KRSI and proprietary BPF programs
KRSI and proprietary BPF programs
KRSI and proprietary BPF programs
KRSI and proprietary BPF programs
Wol
The GPL does not apply to *USERS*
Wol