From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0DC03C5475B for ; Fri, 8 Mar 2024 03:25:22 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 04A2F6B0328; Thu, 7 Mar 2024 22:25:21 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id F13C06B0329; Thu, 7 Mar 2024 22:25:20 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E02D26B032A; Thu, 7 Mar 2024 22:25:20 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id CB54A6B0328 for ; Thu, 7 Mar 2024 22:25:20 -0500 (EST) Received: from smtpin27.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 6FE41140F50 for ; Fri, 8 Mar 2024 03:25:20 +0000 (UTC) X-FDA: 81872431200.27.D544B90 Received: from mail-lf1-f47.google.com (mail-lf1-f47.google.com [209.85.167.47]) by imf13.hostedemail.com (Postfix) with ESMTP id B34A120003 for ; Fri, 8 Mar 2024 03:25:18 +0000 (UTC) Authentication-Results: imf13.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=bOrb2Mf5; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf13.hostedemail.com: domain of alexei.starovoitov@gmail.com designates 209.85.167.47 as permitted sender) smtp.mailfrom=alexei.starovoitov@gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1709868318; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=LPSiClXTZkXxOQQM7cnS4xIuIQY9WF4sDtVpHq+rPH4=; b=LKHLeX5pIKXWT2GUoCa8/J62dfQR0ICd9H0v194jJPO7JOsMdmyuE+34IlW4+WiT4z/QYK wSXGaK6aEUvnSRPuItAY8tROpNMAMX5Uve/5XaUeX5/Q+TB0LLlScIjrbHqod5FgFXxVup CyRfnh4+kI4Jr6y0MbZtpcq3va8x0kM= ARC-Authentication-Results: i=1; imf13.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=bOrb2Mf5; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf13.hostedemail.com: domain of alexei.starovoitov@gmail.com designates 209.85.167.47 as permitted sender) smtp.mailfrom=alexei.starovoitov@gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1709868318; a=rsa-sha256; cv=none; b=7xB/Owp/gOXFnFg2K3gbwUNWbNfz0bfvWWez6wCteRPVByAFWez9nmkupWxX9/bNF4Cbw+ DF39WKyHstMaLd1siBc7Fc8+BgIbWVJjIWqjBmTOe/92KlG/lTMxzWAGybykJ0qk0ivekh N/NKTClxzW6azWaajufXCLw56ggWzAg= Received: by mail-lf1-f47.google.com with SMTP id 2adb3069b0e04-512e4f4e463so2233708e87.1 for ; Thu, 07 Mar 2024 19:25:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709868317; x=1710473117; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=LPSiClXTZkXxOQQM7cnS4xIuIQY9WF4sDtVpHq+rPH4=; b=bOrb2Mf55odoo/EXct4jNOirlkz+nTgOhfX7v91dbv1DoCCm9CfHjWBpTQPueCjDxN bxKRJBOBjK8+YLOC6aWXYl0WjO1+mWmezpj9xW0jZvsRMi7MJbeAiMKlD9SAN8pbqZEn 9gZfbmBnyyhSJBOp32lfzRDmxBH9cvwgRbAj7DNQ8SZbk4cYxjYiO2pV2fGl9ff9D+By bd2jDAVM7RkYRR9NeV47thXQ/n5vh3jbJOZuK+ADRh+svOxgsCtfcJYGrlH8hXfzPC7e l0Mq4MeNx5SjzeKnzYTQGqLIjfh47cyJO8xwcvRWy1tCGboZQzWW68KnTLXODaIE80vA 5w1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709868317; x=1710473117; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LPSiClXTZkXxOQQM7cnS4xIuIQY9WF4sDtVpHq+rPH4=; b=gt3amOvS1IG4xsFGGL3b57GTMxet4UReDTewvDFsrD3kAlsvkluZuoa8alARC/QK7F 3T5BRpBv/ngBFmwW4DZyZ6gOtgw3OoP5Kl5/ufkMiNogVlKJ2JzXuClMjFNCLT7HmRAr 77Lmmzbmf0Mpk09SIG5h/8X6p/N4KQljI7LHIFTdiGqkMktMv8aWdMB+IKW8DoqhKCYg nfK+AAmWL5TUDpCzX9NUSVrF69AI3pbEJKuJYoxyp+E/e6LnhCzoEn1V23c7sm34UE4u kpjAB5mWNV31NMMROrTy6JrOJdMd80bRwtlzhUKcbABeNj2JntfTrg/9B/oKVRF7LBUg cGjA== X-Forwarded-Encrypted: i=1; AJvYcCVLchIce6pFKd1w7QszmIeQAcuv3iIs0xe2vupTVSe6sMzQV4kLw3i9qSVRPbJZLpcsdl0Fw35qN2TU/s4DvV3shTA= X-Gm-Message-State: AOJu0YwuvdP+cBXUxyiA4VkDBMlVLdYzEKBV2GNfkAwuGsApQonUCjV3 edFS9xh2HjbvGcCYSJ1PazcjqJqvXNGGp/y+zmWnv74nFtLwVCHJF7cDvEpZ0t15jToTFu1XQjt fHq4+46MRDXabL9wYE7WITovBhtA= X-Google-Smtp-Source: AGHT+IFSVbbuqmWwNNTZOd4k0Y+Frt5MCyeYjJjNoXLplH7e4td4X/jthidRHH/iK8DjOzl55b03fcskIUPEJP5DWjE= X-Received: by 2002:a05:6512:1250:b0:513:95b6:2e79 with SMTP id fb16-20020a056512125000b0051395b62e79mr222993lfb.69.1709868316510; Thu, 07 Mar 2024 19:25:16 -0800 (PST) MIME-Version: 1.0 References: <20240306-flach-tragbar-b2b3c531bf0d@brauner> <20240306-sandgrube-flora-a61409c2f10c@brauner> <20240307-phosphor-entnahmen-8ef28b782abf@brauner> In-Reply-To: From: Alexei Starovoitov Date: Thu, 7 Mar 2024 19:25:05 -0800 Message-ID: Subject: Re: [PATCH v2 bpf-next 0/9] add new acquire/release BPF kfuncs To: Paul Moore Cc: Christian Brauner , Matt Bobrowski , bpf , Alexei Starovoitov , Andrii Nakryiko , KP Singh , Jann Horn , Jiri Olsa , Daniel Borkmann , Linus Torvalds , Linux-Fsdevel , Andrew Morton , linux-mm , LSM List Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspam-User: X-Stat-Signature: 55yz46azrmmyfinrzqqthebn9zz55ctq X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: B34A120003 X-HE-Tag: 1709868318-535285 X-HE-Meta: U2FsdGVkX1/HRxtk/kCXuT0L91PlES7YM2X/y/w+XsIl4PEWHCWKf3CQGmln0bsQcs809SSxqoPFYbLO7g1LPB2HcuAUwIUNCe0osj2po87yMbLmVqajPeUzNRM6gu4ituN25BxEZ/cOfW/jK4YwNrZrDNGcXgsCg64xNjr+77QZr5WqbxConYnTo7z3uZ3makfXBe1V0x2Bv+ArRnjDG8Jk5YaBFkvFIpcrdfNw8+gUkMZ2aO1WrIAk+pJZo8jVvGgx4wQr3+X6RgsdhQCmQMeuXRL4rcnPFrwHMykYnjuXcdxQ5xL9UlDnDL6hWB0C8pdr8E92v/m4TytuN8vabYjImpw4tHnAPkW7+410zyZrFuBuZWRg7QFSeMZQQr5n9DI9dJl6fuWBbC/oXilfjaYAiDmSBySnntQIGc5J9EawNFjSR/1X6PiD19iRxDXgx+rUeyIeoq0RKDLANOkHOC5saViugor+AmNNXh+FD1P3E5nx9jHZtoJxt8OBiljxTmcm9OkYl/DJTW257kBDbfSeOeV3ve2xaMT5piQhQ8IEigAberT6/E8jON8pOH+B13r27p6jZhzTmgkwOwCdasyZJQFl2oHTRDLOmq5Osl+atuzSI/h1Ntk2xizKG5P6dbOjOyOVla5nNRHq2vE4LjXWog5RMgTA+Vuji60k71uS5TxMfPi/i8bEXO+Dn6LgJAI9oG3F6F9kvY8Wbc+Au2J1nbWREbYowqGjshgKnOFDlFUzknQylTmV4Z+ZrQf/fNfiEB/wct6VUrirmUo9kC4uIl0J+GxxXBADWgYKXYbJsYtnnpoaAgIIDdrPVvh6M4knBxA1frx0e4co603eee2ij9LDyGNsUBu6029agt0XsFwbt7eaz4lM/pbCUA2LKj3NbMZodg311iwhveKvZkBfSQbi0+SDsXnyBbXFJLHh6e9vaeQvxnpeD7jHZVCZcQlI5Ec1Zh+APT2fdF6 bupr3mv5 MUcOqrk0DbVeCxd8rhjwR47tuouzdQ+ozOoXs31BiZ1YxL+vmP6PmjkiNm5CB7vfCHhW6 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, Mar 7, 2024 at 12:51=E2=80=AFPM Paul Moore wr= ote: > > On Thu, Mar 7, 2024 at 4:55=E2=80=AFAM Christian Brauner wrote: > > > > There's one fundamental question here that we'll need an official answe= r to: > > > > Is it ok for an out-of-tree BPF LSM program, that nobody has ever seen > > to request access to various helpers in the kernel? > > Phrased in a slightly different way, and a bit more generalized: do we > treat out-of-tree BPF programs the same as we do with out-of-tree > kernel modules? I believe that's the real question, and if we answer > that, we should also have our answer for the internal helper function > question. >From 10k ft view bpf programs may look like kernel modules, but looking closely they are very different. Modules can read/write any data structure and can call any exported functio= n. All modules fall into two categories GPL or not. While bpf progs are divided by program type. Tracing progs can read any kernel memory safely via probe_read_kernel. Networking prog can read/write packets, but cannot read kernel memory. bpf_lsm programs can be called from lsm hooks and call only kfuncs that were explicitly allowlisted to bpf_lsm prog type. Furthermore kfuncs have acquire/release semantics enforced by the verifier. For example, bpf progs can do bpf_rcu_read_lock() which is a wrapper around rcu_read_lock() and the verifier will make sure that bpf_rcu_read_unlock() is called. Under bpf_rcu_read_lock() bpf programs can dereference __rcu tagged fields and the verifier will track them as rcu protected objects until bpf_rcu_read_unlock(). In other words the verifier is doing sparse-on-steroids analysis and enforcing it. Kernel modules are not subject to such enforcement. One more distinction: 99.9% of bpf features require a GPL-ed bpf program. All kfuncs are GPL only.