From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: ast@kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org,
joe@wand.net.nz, john.fastabend@gmail.com, yhs@fb.com,
andrii.nakryiko@gmail.com, jakub.kicinski@netronome.com,
tgraf@suug.ch, lmb@cloudflare.com
Subject: Re: [PATCH rfc v3 bpf-next 2/9] bpf: add program side {rd,wr}only support for maps
Date: Mon, 11 Mar 2019 16:06:44 -0700 [thread overview]
Message-ID: <20190311230643.hpbcxczrq46hnn7r@ast-mbp> (raw)
In-Reply-To: <20190311215125.17793-3-daniel@iogearbox.net>
On Mon, Mar 11, 2019 at 10:51:18PM +0100, Daniel Borkmann wrote:
> This work adds two new map creation flags BPF_F_RDONLY_PROG
> and BPF_F_WRONLY_PROG in order to allow for read-only or
> write-only BPF maps from a BPF program side.
>
> Today we have BPF_F_RDONLY and BPF_F_WRONLY, but this only
> applies to system call side, meaning the BPF program has full
> read/write access to the map as usual while bpf(2) calls with
> map fd can either only read or write into the map depending
> on the flags. BPF_F_RDONLY_PROG and BPF_F_WRONLY_PROG allows
> for the exact opposite such that verifier is going to reject
> program loads if write into a read-only map or a read into a
> write-only map is detected. For read-only map case also some
> helpers are forbidden for programs that would alter the map
> state such as map deletion, update, etc.
>
> We've enabled this generic map extension to various non-special
> maps holding normal user data: array, hash, lru, lpm, local
> storage, queue and stack. Further map types could be followed
> up in future depending on use-case. Main use case here is to
> forbid writes into .rodata map values from verifier side.
I think WRONLY | WRONLY_PROG should be invalid combination?
Since these attributes are set at creation time and cannot be changed,
nothing can ever read from it, so why write into it?
Similarly RDONLY | RDONLY_PROG is invalid too?
Also looking at the next patch and 'lock' command...
May be it would be cleaner to do add WRONCE (from syscall) flag?
Then for .rodata the attrs will be RDONLY_PROG | WRONCE
and no 'lock' necessary.
WRONCE_PROG probably doesn't make sense.
Storing dangling task_struct pointer in the next patch doesn't look great.
The whole 'lock' concept feels useful, but in the context of implementing
.rodata it feels that WRONCE would be a better fit,
since libbpf won't be able to make a mistake and forget to 'lock'.
'lock' syscall cmd can be confused with BPF_F_LOCK too.
next prev parent reply other threads:[~2019-03-11 23:06 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-11 21:51 [PATCH rfc v3 bpf-next 0/9] BPF support for global data Daniel Borkmann
2019-03-11 21:51 ` [PATCH rfc v3 bpf-next 1/9] bpf: implement lookup-free direct value access for maps Daniel Borkmann
2019-03-14 18:11 ` Andrii Nakryiko
2019-03-11 21:51 ` [PATCH rfc v3 bpf-next 2/9] bpf: add program side {rd,wr}only support " Daniel Borkmann
2019-03-11 23:06 ` Alexei Starovoitov [this message]
2019-03-11 23:34 ` Daniel Borkmann
2019-03-14 19:27 ` Andrii Nakryiko
2019-03-14 19:26 ` Andrii Nakryiko
2019-03-11 21:51 ` [PATCH rfc v3 bpf-next 3/9] bpf: add syscall side map lock support Daniel Borkmann
2019-03-11 21:51 ` [PATCH rfc v3 bpf-next 4/9] bpf, obj: allow . char as part of the name Daniel Borkmann
2019-03-14 19:40 ` Andrii Nakryiko
2019-03-11 21:51 ` [PATCH rfc v3 bpf-next 5/9] bpf: sync bpf.h uapi header from tools infrastructure Daniel Borkmann
2019-03-11 21:51 ` [PATCH rfc v3 bpf-next 6/9] bpf, libbpf: refactor relocation handling Daniel Borkmann
2019-03-14 21:05 ` Andrii Nakryiko
2019-03-11 21:51 ` [PATCH rfc v3 bpf-next 7/9] bpf, libbpf: support global data/bss/rodata sections Daniel Borkmann
2019-03-14 22:14 ` Andrii Nakryiko
2019-03-11 21:51 ` [PATCH rfc v3 bpf-next 8/9] bpf, selftest: test {rd,wr}only flags and direct value access Daniel Borkmann
2019-03-19 18:18 ` Andrii Nakryiko
2019-03-11 21:51 ` [PATCH rfc v3 bpf-next 9/9] bpf, selftest: test global data/bss/rodata sections Daniel Borkmann
2019-03-19 18:28 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190311230643.hpbcxczrq46hnn7r@ast-mbp \
--to=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jakub.kicinski@netronome.com \
--cc=joe@wand.net.nz \
--cc=john.fastabend@gmail.com \
--cc=lmb@cloudflare.com \
--cc=netdev@vger.kernel.org \
--cc=tgraf@suug.ch \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.