From: Christian Brauner <brauner@kernel.org>
To: KP Singh <kpsingh@kernel.org>
Cc: bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Benjamin Tissoires <benjamin.tissoires@redhat.com>,
Yosry Ahmed <yosryahmed@google.com>
Subject: Re: [PATCH v5 bpf-next 4/5] bpf: Add a bpf_getxattr kfunc
Date: Tue, 28 Jun 2022 19:22:18 +0200 [thread overview]
Message-ID: <20220628172218.yzsrafhoof4wuf45@wittgenstein> (raw)
In-Reply-To: <20220628161948.475097-5-kpsingh@kernel.org>
On Tue, Jun 28, 2022 at 04:19:47PM +0000, KP Singh wrote:
> LSMs like SELinux store security state in xattrs. bpf_getxattr enables
> BPF LSM to implement similar functionality. In combination with
> bpf_local_storage, xattrs can be used to develop more complex security
> policies.
>
> This kfunc wraps around __vfs_getxattr which can sleep and is,
> therefore, limited to sleepable programs using the newly added
> sleepable_set for kfuncs.
>
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
> kernel/trace/bpf_trace.c | 42 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 42 insertions(+)
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 4be976cf7d63..87496d57b099 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -20,6 +20,7 @@
> #include <linux/fprobe.h>
> #include <linux/bsearch.h>
> #include <linux/sort.h>
> +#include <linux/xattr.h>
>
> #include <net/bpf_sk_storage.h>
>
> @@ -1181,6 +1182,47 @@ static const struct bpf_func_proto bpf_get_func_arg_cnt_proto = {
> .arg1_type = ARG_PTR_TO_CTX,
> };
>
> +__diag_push();
> +__diag_ignore_all("-Wmissing-prototypes",
> + "kfuncs that are used in tracing/LSM BPF programs");
> +
> +ssize_t bpf_getxattr(struct dentry *dentry, struct inode *inode,
> + const char *name, void *value, int value__sz)
> +{
> + return __vfs_getxattr(dentry, inode, name, value, value__sz);
So this might all be due to my ignorance where and how this is supposed
to be used but using __vfs_getxattr() is performing _zero_ permission
checks. That means every eBPF program will be able to retrieve whatever
extended attribute it likes.
In addition to generic permission checking your code also assumes that
every caller is located in the initial user namespace. Is that a valid
assumption?
POSIX ACLs can store additional [u,g]ids on disk that need to be
translated according to the caller's user namespace.
Looking at your selftest example you have a current task and you also
have access to a struct file which makes me doubt that this assumption
is correct. But I'm happy to be convinced otherwise.
Also, if the current task is retrieving extended attributes from an
idmapped mount you also need to take the mount's idmapping into account.
Otherwise again, you'll retrieve misleading [g,u]id values...
Could you explain to me why that is safe and how this is going to be
used, please? As it stands I can't make heads nor tails of this.
next prev parent reply other threads:[~2022-06-28 17:23 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-28 16:19 [PATCH v5 bpf-next 0/5] Add bpf_getxattr KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 1/5] btf: Add a new kfunc set which allows to mark a function to be sleepable KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 2/5] bpf: kfunc support for ARG_PTR_TO_CONST_STR KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 3/5] bpf: Allow kfuncs to be used in LSM programs KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 4/5] bpf: Add a bpf_getxattr kfunc KP Singh
2022-06-28 17:22 ` Christian Brauner [this message]
2022-06-28 17:23 ` Al Viro
2022-06-28 17:29 ` KP Singh
2022-06-28 16:19 ` [PATCH v5 bpf-next 5/5] bpf/selftests: Add a selftest for bpf_getxattr KP Singh
2022-06-28 17:33 ` Christian Brauner
2022-06-28 17:52 ` KP Singh
2022-06-28 22:28 ` Alexei Starovoitov
2022-06-29 8:11 ` Christian Brauner
2022-06-29 9:55 ` Christian Brauner
2022-06-30 3:02 ` Alexei Starovoitov
2022-06-30 11:45 ` Christian Brauner
2022-06-30 12:21 ` KP Singh
2022-06-30 12:23 ` KP Singh
2022-06-30 13:26 ` Christian Brauner
2022-06-30 13:29 ` KP Singh
2022-06-30 13:47 ` Christian Brauner
2022-06-30 14:37 ` Christian Brauner
2022-06-30 16:10 ` Casey Schaufler
2022-06-30 22:23 ` KP Singh
2022-06-30 23:23 ` Casey Schaufler
2022-07-01 8:32 ` Amir Goldstein
2022-07-01 8:58 ` Christian Brauner
2022-07-01 9:24 ` Amir Goldstein
2022-06-30 16:28 ` Amir Goldstein
2022-06-30 22:25 ` KP Singh
2022-06-28 17:13 ` [PATCH v5 bpf-next 0/5] Add bpf_getxattr Christian Brauner
2022-06-28 17:20 ` KP Singh
2022-06-28 17:21 ` KP Singh
2022-06-29 1:36 ` Dave Chinner
2022-06-29 2:00 ` KP Singh
2022-06-29 2:05 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220628172218.yzsrafhoof4wuf45@wittgenstein \
--to=brauner@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=benjamin.tissoires@redhat.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kpsingh@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=yosryahmed@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.