From: KP Singh
Date: Tue, 28 Jun 2022 19:29:31 +0200
Subject: Re: [PATCH v5 bpf-next 4/5] bpf: Add a bpf_getxattr kfunc
To: Al Viro
Cc: bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Benjamin Tissoires, Yosry Ahmed
References: <20220628161948.475097-1-kpsingh@kernel.org> <20220628161948.475097-5-kpsingh@kernel.org>

On Tue, Jun 28, 2022 at 7:23 PM Al Viro wrote:
>
> On Tue, Jun 28, 2022 at 04:19:47PM +0000, KP Singh wrote:
> > LSMs like SELinux store security state in xattrs. bpf_getxattr enables
> > BPF LSM to implement similar functionality. In combination with
> > bpf_local_storage, xattrs can be used to develop more complex security
> > policies.
> >
> > This kfunc wraps around __vfs_getxattr which can sleep and is,
> > therefore, limited to sleepable programs using the newly added
> > sleepable_set for kfuncs.
>
> "Sleepable" is nowhere near enough - for a trivial example, consider
> what e.g. ext2_xattr_get() does.
>         down_read(&EXT2_I(inode)->xattr_sem);
> in there means that having that thing executed in anything that happens
> to hold ->xattr_sem is a deadlock fodder.
>

We could limit this to sleepable LSM hooks:

https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/kernel/bpf/bpf_lsm.c#n169

and when we have abilities to tag kernel functions and pointers with
the work Yonghong did (e.g. https://reviews.llvm.org/D113496) we can
expand the set.

> "Can't use that in BPF program executed in non-blocking context" is
> *not* sufficient to make it safe.
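
The locking hazard raised in this exchange, as an added user-space model that is not part of the thread or of the kernel patch: it shows that a check on "may the program sleep" passes in exactly the cases where `down_read()` on `xattr_sem` can never return. The `struct rwsem` layout, task ids, function names and scenarios are constructed for illustration, and the model assumes a simplified fair rw-semaphore in which new readers queue behind a waiting writer.

```c
/* User-space model, not kernel code: task ids and scenarios are constructed. */
#include <stdbool.h>
#include <stdio.h>

struct rwsem {               /* stands in for EXT2_I(inode)->xattr_sem */
    int writer;              /* task holding it for write, -1 if none */
    unsigned readers;        /* bitmask of tasks holding it for read */
    bool writer_queued;      /* a waiting writer makes new readers queue */
};

enum result { ACQUIRED, BLOCKS, DEADLOCK, REJECTED };

/* Outcome of down_read() for `task`. Sleeping is fine when another task will
 * release the lock; it is a deadlock when the sleeper's own hold is what
 * keeps the lock unavailable. */
static enum result model_down_read(struct rwsem *s, int task)
{
    bool self_holds = s->writer == task || (s->readers & (1u << task)) != 0;

    if (s->writer < 0 && !s->writer_queued) {
        s->readers |= 1u << task;
        return ACQUIRED;
    }
    return self_holds ? DEADLOCK : BLOCKS;
}

/* Hypothetical stand-in for the kfunc: its only gate is "may the program
 * sleep", after which it takes the lock as ext2_xattr_get() does. */
static enum result model_bpf_getxattr(struct rwsem *s, int task, bool sleepable)
{
    return sleepable ? model_down_read(s, task) : REJECTED;
}

/* Run one constructed caller state through the model (caller is task 1). */
static enum result run(int writer, unsigned readers, bool queued, bool sleepable)
{
    struct rwsem s = { writer, readers, queued };
    return model_bpf_getxattr(&s, 1, sleepable);
}

int main(void)
{
    printf("non-sleepable program:       %d\n", run(-1, 0, false, false));
    printf("sleepable, lock free:        %d\n", run(-1, 0, false, true));
    printf("sleepable, task 2 has write: %d\n", run(2, 0, false, true));
    printf("sleepable, caller has write: %d\n", run(1, 0, false, true));
    printf("sleepable, caller has read, writer queued: %d\n", run(-1, 1u << 1, true, true));
    return 0;
}
```

The last two cases are the ones a sleepable-only restriction cannot distinguish from the safe ones: the gate admits the call, and the outcome depends entirely on which locks the calling context already holds.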