From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id E3750C54E5D for ; Tue, 12 Mar 2024 20:11:18 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 616396B02B6; Tue, 12 Mar 2024 16:11:18 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 5C6736B02B7; Tue, 12 Mar 2024 16:11:18 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 4663A6B02B8; Tue, 12 Mar 2024 16:11:18 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 373986B02B6 for ; Tue, 12 Mar 2024 16:11:18 -0400 (EDT) Received: from smtpin09.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id D6B50140737 for ; Tue, 12 Mar 2024 20:11:17 +0000 (UTC) X-FDA: 81889481394.09.3658CAA Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) by imf12.hostedemail.com (Postfix) with ESMTP id 080DA40027 for ; Tue, 12 Mar 2024 20:11:15 +0000 (UTC) Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=quLgZoqX; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf12.hostedemail.com: domain of mattbobrowski@google.com designates 209.85.167.42 as permitted sender) smtp.mailfrom=mattbobrowski@google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1710274276; a=rsa-sha256; cv=none; b=oV1oyx6NLxEi5T4wWU/IGLyieVOW7jMhIRQrk1EODZEnhm71+aKYgnwmhaVwhKl5TiQVAh RGsUF+qfLCgmUpvxeJlupb+Cv4Qs5WweFVDKEF0tHO+Oje1q6gTQLX/qqm7pnPNUDdkkHh sa7x4cu7N9nxPiLQTwzrFMspSM16RJU= ARC-Authentication-Results: i=1; imf12.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=quLgZoqX; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf12.hostedemail.com: domain of mattbobrowski@google.com designates 209.85.167.42 as permitted sender) smtp.mailfrom=mattbobrowski@google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1710274276; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=aTW9UBNB4skRIIaA0uCJ32yGuAcFB87u0woHqEplkTs=; b=aMYfNDMgLrHel01Bygvu81I/i0cd1cYWNCZ6215rBJtHlSdcwH3ypm2XygUdH8DRB6byxn 2fzq6eM1SBfal1djIN65dGghl+Tfxn2G57tNK/MmA4o995ukoGPiAYqnQLqzBF1am5lqwo OSAgxIZJIJ7DB4uoAFsKIL5K6GQvHGg= Received: by mail-lf1-f42.google.com with SMTP id 2adb3069b0e04-51320ca689aso5234811e87.2 for ; Tue, 12 Mar 2024 13:11:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1710274274; x=1710879074; darn=kvack.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=aTW9UBNB4skRIIaA0uCJ32yGuAcFB87u0woHqEplkTs=; b=quLgZoqX5TkKYqVisl4Jbb89Gvxzw3RikVZ1LZp8+2Ph6+0sZekMph0HDaidGf1aIM rEEYiW9t00Du1Pi13sDrHUNvh1DD3HVkS8mL+YcqyEgdKqxTom3awqcXSp8LuIm++JRE eAK4dC2PzidBnrE6K7ygB4I00UVfRuexmDY+Qu3+bE6CIc8Kni/vrwgsaxfAANpkbv5W fT8DW6KR0cfSw59fyq7x8bKR5zSlYVVs6+RMahcQ/k8IoMgN9FibVoB73Q4S9el+29x9 f3SleK7qkLHWAD+HVwaZK1jRv+93krtIzUg/I7VH7Zq1mXcf6FSLIRYWtGkx18x9D2zk uRNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710274274; x=1710879074; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=aTW9UBNB4skRIIaA0uCJ32yGuAcFB87u0woHqEplkTs=; b=enVAe/zGQ461PXeWr9owm7X0yKSH78sEC4y48MzeUhjsSBuxvCL6GvOnnfsfsfFhlB ZaoWTnh9xNp7p2HV/si/eQ5WvUw2z+RPpD4czBjhRnUBQ7RB49ds2xV1mAuNCpNquyiu BfD7F1GGZ9BsnyUj+eZ+ac0n1jnNHVJJosilw0YT7tGSe/f6N9CqwnEdtlOC17+yE3os YQmQ1jB39EFNn3XfK4Lu0zycC1fonU0MPh3xkjDK7+mfQ8RsgbXrtAb4DrY0n4kh/eTg tjGnSI6G/WRDshwqXc83JTgXZcPgT3sS8hSC5L+JpyJN2UJOEm9T9XPhFAOIYYubWuZ3 Ugsg== X-Forwarded-Encrypted: i=1; AJvYcCVq5idgPAkpgVe9Ret7VqDY1qpdojl5RikCWVjYya8e/nEa//1kS0l6crGxRIeX6ZvpWB5V2+85TOTEmF+uwC3MoIU= X-Gm-Message-State: AOJu0Ywz8iZ6hxU0g7J6BWxSLqICNqBi41flA5oitic66Z5aMOztX58u cXBJ7rTbW59lPqH/hSZuf012Ov41uT7oZ1LaaCc7teGpLt12NbB/hJLo1ffSZg== X-Google-Smtp-Source: AGHT+IF+AhYKVculquTNUnhCVljsflyqLdu6h/Yij3aC1xYaUjGLnZQatobo+tgbJCrmukCn6bUzVw== X-Received: by 2002:ac2:5f7b:0:b0:512:e58c:7bf1 with SMTP id c27-20020ac25f7b000000b00512e58c7bf1mr6443085lfc.40.1710274273885; Tue, 12 Mar 2024 13:11:13 -0700 (PDT) Received: from google.com (12.196.204.35.bc.googleusercontent.com. [35.204.196.12]) by smtp.gmail.com with ESMTPSA id h8-20020a0564020e0800b005653c441a20sm3775534edh.34.2024.03.12.13.11.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Mar 2024 13:11:13 -0700 (PDT) Date: Tue, 12 Mar 2024 20:11:09 +0000 From: Matt Bobrowski To: Christian Brauner Cc: Alexei Starovoitov , bpf , Alexei Starovoitov , Andrii Nakryiko , KP Singh , Jann Horn , Jiri Olsa , Daniel Borkmann , Linus Torvalds , Linux-Fsdevel , Andrew Morton , linux-mm , LSM List Subject: Re: [PATCH v2 bpf-next 0/9] add new acquire/release BPF kfuncs Message-ID: References: <20240306-flach-tragbar-b2b3c531bf0d@brauner> <20240306-sandgrube-flora-a61409c2f10c@brauner> <20240307-phosphor-entnahmen-8ef28b782abf@brauner> <20240308-kleben-eindecken-73c993fb3ebd@brauner> <20240311-geglaubt-kursverfall-500a27578cca@brauner> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Rspam-User: X-Rspamd-Server: rspam06 X-Rspamd-Queue-Id: 080DA40027 X-Stat-Signature: rr5hhj8tgirnhkmxebbmgp16fjuicpb4 X-HE-Tag: 1710274275-702690 X-HE-Meta: U2FsdGVkX18YcsFq4PFM/9g0MnAGDBHsMd5WZpcIaX/p1KD+cvfKXX1C9butUhtD7x9NpmqgPlCyfm1E40Ub3pKVla4FPylg5Yx4pfJQcl0CXjqvFjc30SLdBmwnCfIfL5sa8MsOG45hQUDibB3YW3bkUOobqh/h235Oo7hA42ibDX99MvcEsDzINIKEXn6tYzfgda+JND3c0UFefa37zasEqR0CiAnjnRdZsc6W/YO6AISAK7FxQRjStpq6gSnRXq2jWHd5uMeeq2Pr4C3g1tx2N4rViX7JNtjDJ0SBoHo1WiF8cz8BKSFWbWPiif0GaZzF5KcSU2NM5LrNopQMUZUVYxz8MT2SgWp94/C43vxjdautUrtGsFL3efk1UUJUHg3YUL7NbiNpnv5c7rfW32UfpSWqutHYVbrbnxPFxMTImt5JEbwm6JLzAVWreiABwODvGFQ3b/D4gW2s3MB1tpau18rdu/CCiki5NYREuGfphi0F1Xg5r1Jlao/Ul/YK3PADJEKyk4OS/X5nMBOgaycFldaI4n0Gb3k4QGkEdf/I6gSFKQTGTthgoCDZnatCi/BUtnzuCEQp7m+v6UosFtjBHMokVDUokdMq3gjT5SXkeCZE5B+883KrnyaXtor8wuRV+f70kLmo6ZuYgXDEmgstgGN4V9k5Xz8KhAPoDgNCD806+Sl0yT0dhLosKPUXbjflq0aalYXXUyIS5CJqm5EE5rbRWAgf0IZ97Iyq38oXMQhff8i8eFSG+v5Ka7FqcWgDJYYATQwJUJvMRSctWhiIapyLDYT/WLjOyhXi1KExOHckH+PX6e7ze4v7+pKfZJTZA65DtLa/gp/g+uaW8QGI5oxmx7Gi2t4t9RJWMPslDUf6jzFJF/A78KdAonJxjx+5x+ZHEib1BpuB/KCRIS6IvUn3aXT9pOOAwduiupnALxfJ9dpTZr3MgzaTr8dS3MtMtY49yjX7/KB+1We SObjBtWy x9BlspwNFOty+/psp/k7w9yWXvnswiZun9tZsRmDctWEDoRLGUUQBsSCfsy/RCMI59LeSbtpWfWiq4PCFgiVhpbVmf2j4KTSvvQaz7o0LrT0P+zsQkXIG3FjEFRXas5WGEROtEPfISdfQ7oh1ZLFFdq80Vg== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Tue, Mar 12, 2024 at 05:06:36PM +0000, Matt Bobrowski wrote: > Hey Christian, > > On Mon, Mar 11, 2024 at 01:00:56PM +0100, Christian Brauner wrote: > > On Fri, Mar 08, 2024 at 05:23:30PM -0800, Alexei Starovoitov wrote: > > > On Fri, Mar 8, 2024 at 2:36 AM Christian Brauner wrote: > > > > > > > > > > > > These exports are specifically for an out-of-tree BPF LSM program that > > > > is not accessible to the public. The question in the other mail stands. > > > > > > The question was already answered. You just don't like the answer. > > > bpf progs are not equivalent to kernel modules. > > > They have completely different safety and visibility properties. > > > The safety part I already talked about. > > > Sounds like the visibility has to be explained. > > > Kernel modules are opaque binary blobs. > > > bpf programs are fully transparent. The intent is known > > > to the verifier and to anyone with understanding > > > of bpf assembly. > > > Those that cannot read bpf asm can read C source code that is > > > embedded in the bpf program in kernel memory. > > > It's not the same as "llvm-dwarfdump module.ko" on disk. > > > The bpf prog source code is loaded into the kernel > > > at program verification time for debugging and visibility reasons. > > > If there is a verifier bug and bpf manages to crash the kernel > > > vmcore will have relevant lines of program C source code right there. > > > > > > Hence out-of-tree or in-tree bpf makes no practical difference. > > > The program cannot hide its meaning and doesn't hamper debugging. > > > > > > Hence adding EXPORT_SYMBOL == Brace for impact! > > > Expect crashes, api misuse and what not. > > > > > > While adding bpf_kfunc is a nop for kernel development. > > > If kfunc is in the way of code refactoring it can be removed > > > (as we demonstrated several times). > > > A kfunc won't cause headaches for the kernel code it is > > > calling (assuming no verifier bugs). > > > If there is a bug it's on us to fix it as we demonstrated in the past. > > > For example: bpf_probe_read_kernel(). > > > It's a wrapper of copy_from_kernel_nofault() and over the years > > > bpf users hit various bugs in copy_from_kernel_nofault(), > > > reported them, and _bpf developers_ fixed them. > > > Though copy_from_kernel_nofault() is as generic as it can get > > > and the same bugs could have been reproduced without bpf > > > we took care of fixing these parts of the kernel. > > > > > > Look at path_put(). > > > It's EXPORT_SYMBOL and any kernel module can easily screw up > > > reference counting, so that sooner or later distro folks > > > will experience debug pains due to out-of-tree drivers. > > > > > > kfunc that calls path_put() won't have such consequences. > > > The verifier will prevent path_put() on a pointer that wasn't > > > acquired by the same bpf program. No support pains. > > > It's a nop for vfs folks. > > > > > > > > First of all, there is no such thing as get_task_fs_pwd/root > > > > > in the kernel. > > > > > > > > Yeah, we'd need specific helpers for a never seen before out-of-tree BPF > > > > LSM. I don't see how that's different from an out-of-tree kernel module. > > > > > > Sorry, but you don't seem to understand what bpf can and cannot do, > > > hence they look similar. > > > > Maybe. On the other hand you seem to ignore what I'm saying. You > > currently don't have a clear set of rules for when it's ok for someone > > to send patches and request access to bpf kfuncs to implement a new BPF > > program. This patchset very much illustrates this point. The safety > > properties of bpf don't matter for this. And again, your safety > > properties very much didn't protect you from your bpf_d_path() mess. > > > > We're not even clearly told where and how these helper are supposed to be > > used. That's not ok and will never be ok. As long as there are no clear > > criteria to operate under this is highly problematic. This may be fine > > from a bpf perspective and one can even understand why because that's > > apparently your model or promise to your users. But there's no reason to > > expect the same level of laxness from any of the subsystems you're > > requesting kfuncs from. > > You raise a completely fair point, and I truly do apologies for the > lack of context and in depth explanations around the specific > situations that the proposed BPF kfuncs are intended to be used > from. Admittedly, that's a failure on my part, and I can completely > understand why from a maintainers point of view there would be > reservations around acknowledging requests for adding such invisible > dependencies. > > Now, I'm in a little bit of a tough situation as I'm unable to point > you to an open-source BPF LSM implementation that intends to make use > of such newly proposed BPF kfuncs. That's just an unfortunate > constraint and circumstance that I'm having to deal with, so I'm just > going to have to provide heavily redacted and incomplete example to > illustrate how these BPF kfuncs intend to be used from BPF LSM > programs that I personally work on here at Google. Notably though, the > contexts that I do share here may obviously be a nonholistic view on > how these newly introduced BPF kfuncs end up getting used in practice > by some other completely arbitrary open-source BPF LSM programs. > > Anyway, as Alexei had pointed out in one of the prior responses, the > core motivating factor behind introducing these newly proposed BPF > kfuncs purely stems from the requirement of needing to call > bpf_d_path() safely on a struct path from the context of a BPF LSM > program, specifically within the security_file_open() and > security_mmap_file() LSM hooks. Now, as noted within the original bug > report [0], it's currently not considered safe to pluck a struct path > out from an arbitrary in-kernel data structure, which in our case was > current->mm->exe_file->f_path, and have it passed to bpf_d_path() from > the aforementioned LSM hook points, or any other LSM hook point for > that matter. > > So, without using these newly introduced BPF kfuncs, our BPF LSM > program hanging off security_file_open() looks as follows: > > ``` > int BPF_PROG(file_open, struct file *file) > { > // Perform a whole bunch of operations on the supplied file argument. This > // includes some form of policy evaluation, and if there's a violation against > // policy and auditing is enabled, then we eventually call bpf_d_path() on > // file->f_path. Calling bpf_d_path() on the file argument isn't problematic > // as we have a stable path here as the file argument is reference counted. > struct path *target = &file->f_path; > > // ... > > struct task_struct *current = bpf_get_current_task_btf(); > > // ... > > bpf_rcu_read_lock(); > // Reserve a slot on the BPF ring buffer such that the actor's path can be > // passed back to userspace. > void *buf = bpf_ringbuf_reserve(&ringbuf, PATH_MAX, 0); > if (!buf) { > goto unlock; > } > > // For contextual purposes when performing an audit we also call bpf_d_path() > // on the actor, being current->mm->exe_file->f_path. > struct path *actor = ¤t->mm->exe_file->f_path; > > // Now perform the path resolution on the actor via bpf_d_path(). > u64 ret = bpf_d_path(actor, buf, PATH_MAX); > if (ret > 0) { > bpf_ringbuf_submit(buf, BPF_RB_NO_WAKEUP); > } else { > bpf_ringbuf_discard(buf, 0); > } > > unlock: > bpf_rcu_read_unlock(); > return 0; > } > ``` Note that we're also aware of the fact that calling bpf_d_path() within an RCU read-side critical shouldn't be permitted. I have a patch teed up which addresses this. bpf_path_d_path() OTOH isn't susceptible to this problem as the BPF verifier ensure that BPF kfuncs annotated KF_SLEEPABLE can't be called whilst in an RCU read-side critical section. /M