From: Al Viro <viro@zeniv.linux.org.uk>
To: Carlos Neira <cneirabustos@gmail.com>
Cc: netdev@vger.kernel.org, yhs@fb.com, ebiederm@xmission.com, brouer@redhat.com, bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v10 2/4] bpf: new helper to obtain namespace data from current task New bpf helper bpf_get_current_pidns_info.
Date: Fri, 6 Sep 2019 16:24:35 +0100
Message-ID: <20190906152435.GW1131@ZenIV.linux.org.uk>
In-Reply-To: <20190906150952.23066-3-cneirabustos@gmail.com>

On Fri, Sep 06, 2019 at 11:09:50AM -0400, Carlos Neira wrote:
> +BPF_CALL_2(bpf_get_current_pidns_info, struct bpf_pidns_info *, pidns_info, u32, > + size) > +{ > + const char *pidns_path = "/proc/self/ns/pid"; > + fname = kmem_cache_alloc(names_cachep, GFP_ATOMIC); > + if (unlikely(!fname)) { > + ret = -ENOMEM; > + goto clear; > + } > + const size_t fnamesize = offsetof(struct filename, iname[1]); > + struct filename *tmp; > + > + tmp = kmalloc(fnamesize, GFP_ATOMIC); > + if (unlikely(!tmp)) { > + __putname(fname); > + ret = -ENOMEM; > + goto clear; > + } > + > + tmp->name = (char *)fname; > + fname = tmp; > + len = strlen(pidns_path) + 1; > + memcpy((char *)fname->name, pidns_path, len); > + fname->uptr = NULL; > + fname->aname = NULL; > + fname->refcnt = 1; > + > + ret = filename_lookup(AT_FDCWD, fname, 0, &kp, NULL); > + if (ret) > + goto clear;

Where do I begin?

* getname_kernel() is there for purpose
* so's kern_path(), damnit

> + > + inode = d_backing_inode(kp.dentry); > + pidns_info->dev = (u32)inode->i_rdev;

* ... and this is utter bollocks - userland doesn't have to have procfs mounted anywhere; it doesn't have to have it mounted on /proc; it can bloody well bind a symlink to anywhere and anything on top of /proc/self even if it has procfs mounted there.

This is fundamentally wrong; nothing in the kernel (bpf very much included) has any business assuming anything about what's mounted where.

And while we are at it, how deep on kernel stack can that thing be called? Because pathname resolution can bring all kinds of interesting crap into the game - consider e.g. NFS4 referral traversal. And it can occur - see above about the lack of warranties that your pathwalk will go to procfs and will remain there.

NAKed-by: Al Viro <viro@zeniv.linux.org.uk>
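
Review bot: The two GFP_ATOMIC allocations (kmem_cache_alloc(names_cachep, GFP_ATOMIC) and kmalloc(fnamesize, GFP_ATOMIC)) signal that this helper is expected to run where sleeping is not allowed, yet the very next step, filename_lookup(AT_FDCWD, fname, 0, &kp, NULL), is a full pathname walk that can block. The allocation flags and the lookup contradict each other, so either the helper must be restricted to sleepable contexts or the lookup has to go. Since the goal is namespace data for the current task, reading it from the task itself (for example via task_active_pid_ns(current)) would avoid the path walk, both allocations and the hand-built struct filename. Separately, in the second quoted region, pidns_info->dev = (u32)inode->i_rdev takes i_rdev, which is only meaningful for device special files; the device of the filesystem holding the inode is inode->i_sb->s_dev.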