From: Yaniv Agman <yanivagman@gmail.com>
To: Hengqi Chen <hengqi.chen@gmail.com>
Cc: bpf <bpf@vger.kernel.org>,
ast@kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
andrii@kernel.org, Yonghong Song <yhs@fb.com>,
john.fastabend@gmail.com, jolsa@kernel.org
Subject: Re: [PATCH bpf-next v2] bpf: expose bpf_d_path helper to vfs_* and security_* functions
Date: Thu, 22 Jul 2021 13:15:11 +0300 [thread overview]
Message-ID: <CAMy7=ZUB36TL-8PmtJ_Nm48PFmdjSBVLYXWKyFiqm6QCOYZrMA@mail.gmail.com> (raw)
In-Reply-To: <20210719151753.399227-1-hengqi.chen@gmail.com>
בתאריך יום ב׳, 19 ביולי 2021 ב-18:43 מאת Hengqi Chen
<hengqi.chen@gmail.com>:
>
> Add vfs_* and security_* to bpf_d_path allowlist, so that we can use
> bpf_d_path helper to extract full file path from these functions'
> `struct path *` and `struct file *` arguments. This will help tools
> like IOVisor's filetop[2]/filelife to get full file path.
>
> Changes since v1: [1]
> - Alexei and Yonghong suggested that bpf_d_path helper could also
> apply to vfs_* and security_file_* kernel functions. Added them.
>
> [1] https://lore.kernel.org/bpf/20210712162424.2034006-1-hengqi.chen@gmail.com/
> [2] https://github.com/iovisor/bcc/issues/3527
>
> Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
> ---
> kernel/trace/bpf_trace.c | 50 ++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 48 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 08906007306d..c784f3c7143f 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -850,16 +850,62 @@ BPF_CALL_3(bpf_d_path, struct path *, path, char *, buf, u32, sz)
> BTF_SET_START(btf_allowlist_d_path)
> #ifdef CONFIG_SECURITY
> BTF_ID(func, security_file_permission)
> -BTF_ID(func, security_inode_getattr)
> BTF_ID(func, security_file_open)
> +BTF_ID(func, security_file_ioctl)
> +BTF_ID(func, security_file_free)
> +BTF_ID(func, security_file_alloc)
> +BTF_ID(func, security_file_lock)
> +BTF_ID(func, security_file_fcntl)
> +BTF_ID(func, security_file_set_fowner)
> +BTF_ID(func, security_file_receive)
> +BTF_ID(func, security_inode_getattr)
> #endif
> #ifdef CONFIG_SECURITY_PATH
> BTF_ID(func, security_path_truncate)
> +BTF_ID(func, security_path_notify)
> +BTF_ID(func, security_path_unlink)
> +BTF_ID(func, security_path_mkdir)
> +BTF_ID(func, security_path_rmdir)
> +BTF_ID(func, security_path_mknod)
> +BTF_ID(func, security_path_symlink)
> +BTF_ID(func, security_path_link)
> +BTF_ID(func, security_path_rename)
> +BTF_ID(func, security_path_chmod)
> +BTF_ID(func, security_path_chown)
> +BTF_ID(func, security_path_chroot)
> #endif
> BTF_ID(func, vfs_truncate)
> BTF_ID(func, vfs_fallocate)
> -BTF_ID(func, dentry_open)
> BTF_ID(func, vfs_getattr)
> +BTF_ID(func, vfs_fadvise)
> +BTF_ID(func, vfs_fchmod)
> +BTF_ID(func, vfs_fchown)
> +BTF_ID(func, vfs_open)
> +BTF_ID(func, vfs_setpos)
> +BTF_ID(func, vfs_llseek)
> +BTF_ID(func, vfs_read)
> +BTF_ID(func, vfs_write)
> +BTF_ID(func, vfs_iocb_iter_read)
> +BTF_ID(func, vfs_iter_read)
> +BTF_ID(func, vfs_readv)
> +BTF_ID(func, vfs_iocb_iter_write)
> +BTF_ID(func, vfs_iter_write)
> +BTF_ID(func, vfs_writev)
> +BTF_ID(func, vfs_copy_file_range)
> +BTF_ID(func, vfs_getattr_nosec)
> +BTF_ID(func, vfs_ioctl)
> +BTF_ID(func, vfs_fsync_range)
> +BTF_ID(func, vfs_fsync)
> +BTF_ID(func, vfs_utimes)
> +BTF_ID(func, vfs_statfs)
> +BTF_ID(func, vfs_dedupe_file_range_one)
> +BTF_ID(func, vfs_dedupe_file_range)
> +BTF_ID(func, vfs_clone_file_range)
> +BTF_ID(func, vfs_cancel_lock)
> +BTF_ID(func, vfs_test_lock)
> +BTF_ID(func, vfs_setlease)
> +BTF_ID(func, vfs_lock_file)
> +BTF_ID(func, dentry_open)
> BTF_ID(func, filp_close)
> BTF_SET_END(btf_allowlist_d_path)
>
> --
> 2.25.1
>
Thanks for opening this PR!
I was looking for a way to do that in a tool I develop (Tracee), and
had to implement this functionality by myself:
https://github.com/aquasecurity/tracee/blob/main/tracee-ebpf/tracee/tracee.bpf.c#L1494
Maybe It's too much to ask, but I wonder if it will be possible to add
other functions to this allowlist.
Currently, other than vfs_write(v), and security_file_open, we also
need it for security_sb_mount and security_bprm_check.
For security_bprm_check() we extract the path from bprm->file->f_path.
Actually, any securty_* function that has a struct argument from which
it is possible to reach a path struct is a possible candidate for us.
In addition to this, we also use it for the sched_process_exec
tracepoint, but I'm not sure if adding a tracepoint is related here,
as it is not exactly a function.
Yaniv
prev parent reply other threads:[~2021-07-22 10:14 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-19 15:17 [PATCH bpf-next v2] bpf: expose bpf_d_path helper to vfs_* and security_* functions Hengqi Chen
2021-07-19 19:02 ` Andrii Nakryiko
2021-07-22 5:01 ` Hengqi Chen
2021-07-23 0:14 ` Andrii Nakryiko
2021-07-22 10:15 ` Yaniv Agman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAMy7=ZUB36TL-8PmtJ_Nm48PFmdjSBVLYXWKyFiqm6QCOYZrMA@mail.gmail.com' \
--to=yanivagman@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=hengqi.chen@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.