From: Michael Ellerman <mpe@ellerman.id.au>
To: Willy Tarreau <w@1wt.eu>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: "Alon\, Liran" <liran@amazon.com>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
Dan Aloni <dan@kernelim.com>, bpf <bpf@vger.kernel.org>,
security@kernel.org, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>, Andrii Nakryiko <andrii@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@chromium.org>
Subject: Re: [PATCH] btf: Expose kernel BTF only to tasks with CAP_PERFMON
Date: Fri, 30 Oct 2020 22:23:57 +1100 [thread overview]
Message-ID: <87k0v8ufci.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <20201029041501.GA16341@1wt.eu>
Willy Tarreau <w@1wt.eu> writes:
> On Wed, Oct 28, 2020 at 04:06:02PM -0700, Alexei Starovoitov wrote:
>> On Thu, Oct 29, 2020 at 12:30:49AM +0200, Alon, Liran wrote:
>> > > Guarding /sys/kernel/bpf/vmlinux behind CAP_PERFMON would break a lot
>> > > of users relying on BTF availability to build their BPF applications.
>> > True. If this patch is applied, would need to at least be behind an optin
>> > knob. Similar to dmesg_restrict.
>>
>> It's not going to be applied. If a file shouldn't be read by a user
>> it should have appropriate file permissions instead of 444.
>> Checking capable() in read() is very non-unix way to deal with permissions.
>
> Not only it's a non-unix way, both don't achieve the same goals at all!
>
> One checks for permissions at open() time and may for example allow a
> process to drop its uid after opening, while the other one allows to
> filter who can really read it, particularly in case the FD is inherited
> between processes. With this said, I don't see why there would be a
> special case for this one, it should definitely stick to file permissions
> only.
From include/linux/bpf.h:
static inline bool bpf_allow_ptr_leaks(void)
{
return perfmon_capable();
}
static inline bool bpf_allow_ptr_to_map_access(void)
{
return perfmon_capable();
}
static inline bool bpf_bypass_spec_v1(void)
{
return perfmon_capable();
}
static inline bool bpf_bypass_spec_v4(void)
{
return perfmon_capable();
}
There's also several cases in bpf_base_func_proto().
So it seems entirely reasonable to suggest that perfmon_capable() is the
right check here.
cheers
prev parent reply other threads:[~2020-10-30 11:24 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20201028203853.2412751-1-dan@kernelim.com>
2020-10-28 21:56 ` [PATCH] btf: Expose kernel BTF only to tasks with CAP_PERFMON Andrii Nakryiko
2020-10-28 22:30 ` Alon, Liran
2020-10-28 23:06 ` Alexei Starovoitov
2020-10-29 4:15 ` Willy Tarreau
2020-10-30 11:23 ` Michael Ellerman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k0v8ufci.fsf@mpe.ellerman.id.au \
--to=mpe@ellerman.id.au \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=dan@kernelim.com \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@chromium.org \
--cc=liran@amazon.com \
--cc=security@kernel.org \
--cc=songliubraving@fb.com \
--cc=w@1wt.eu \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.