From: "Toke Høiland-Jørgensen" <toke@redhat.com>
To: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: David Ahern <dsahern@gmail.com>, David Ahern <dsahern@kernel.org>,
netdev@vger.kernel.org, davem@davemloft.net, kuba@kernel.org,
daniel@iogearbox.net, john.fastabend@gmail.com, ast@kernel.org,
kafai@fb.com, songliubraving@fb.com, yhs@fb.com, andriin@fb.com,
brouer@redhat.com
Subject: Re: [PATCH RFC bpf-next 0/4] bpf: Add support for XDP programs in DEVMAPs
Date: Mon, 25 May 2020 14:56:26 +0200 [thread overview]
Message-ID: <87pnasi35x.fsf@toke.dk> (raw)
In-Reply-To: <20200525144752.3e87f8cd@carbon>
Jesper Dangaard Brouer <brouer@redhat.com> writes:
> On Mon, 25 May 2020 14:15:32 +0200
> Toke Høiland-Jørgensen <toke@redhat.com> wrote:
>
>> David Ahern <dsahern@gmail.com> writes:
>>
>> > On 5/22/20 9:59 AM, Toke Høiland-Jørgensen wrote:
>> >> David Ahern <dsahern@kernel.org> writes:
>> >>
>> >>> Implementation of Daniel's proposal for allowing DEVMAP entries to be
>> >>> a device index, program id pair. Daniel suggested an fd to specify the
>> >>> program, but that seems odd to me that you insert the value as an fd, but
>> >>> read it back as an id since the fd can be closed.
>> >>
>> >> While I can be sympathetic to the argument that it seems odd, every
>> >> other API uses FD for insert and returns ID, so why make it different
>> >> here? Also, the choice has privilege implications, since the CAP_BPF
>> >> series explicitly makes going from ID->FD a more privileged operation
>> >> than just querying the ID.
>
> Sorry, I don't follow.
> Can someone explain why is inserting an ID is a privilege problem?
See description here:
https://lore.kernel.org/bpf/20200513230355.7858-1-alexei.starovoitov@gmail.com/
Specifically, this part:
> Consolidating all CAP checks at load time makes security model similar to
> open() syscall. Once the user got an FD it can do everything with it.
> read/write/poll don't check permissions. The same way when bpf_prog_load
> command returns an FD the user can do everything (including attaching,
> detaching, and bpf_test_run).
>
> The important design decision is to allow ID->FD transition for
> CAP_SYS_ADMIN only. What it means that user processes can run
> with CAP_BPF and CAP_NET_ADMIN and they will not be able to affect each
> other unless they pass FDs via scm_rights or via pinning in bpffs.
>> > I do not like the model where the kernel changes the value the user
>> > pushed down.
>>
>> Yet it's what we do in every other interface where a user needs to
>> supply a program, including in prog array maps. So let's not create a
>> new inconsistent interface here...
>
> I sympathize with Ahern on this. It seems very weird to insert/write
> one value-type, but read another value-type.
Yeah, I do kinda agree that it's a bit weird. But it's what we do
everywhere else, so I think consistency wins out here. There might be an
argument that maps should be different (because they're conceptually a
read/write data structure not a syscall return value). But again, we
already have a map type that takes prog IDs, and that already does the
rewriting, so doing it different here would be even weirder...
-Toke
next prev parent reply other threads:[~2020-05-25 12:56 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-22 1:05 [PATCH RFC bpf-next 0/4] bpf: Add support for XDP programs in DEVMAPs David Ahern
2020-05-22 1:05 ` [PATCH RFC bpf-next 1/4] bpf: Handle 8-byte values in DEVMAP and DEVMAP_HASH David Ahern
2020-05-22 12:08 ` Jesper Dangaard Brouer
2020-05-22 16:04 ` Jesper Dangaard Brouer
2020-05-22 18:11 ` David Ahern
2020-05-22 1:05 ` [PATCH RFC bpf-next 2/4] bpf: Add support to attach bpf program to a devmap David Ahern
2020-05-22 16:02 ` Toke Høiland-Jørgensen
2020-05-22 17:45 ` David Ahern
2020-05-22 1:05 ` [PATCH RFC bpf-next 3/4] xdp: Add xdp_txq_info to xdp_buff David Ahern
2020-05-22 16:04 ` Toke Høiland-Jørgensen
2020-05-22 17:45 ` David Ahern
2020-05-22 1:05 ` [PATCH RFC bpf-next 4/4] bpftool: Add SEC name for xdp programs attached to device map David Ahern
2020-05-22 11:17 ` [PATCH RFC bpf-next 0/4] bpf: Add support for XDP programs in DEVMAPs Jesper Dangaard Brouer
2020-05-22 15:59 ` Toke Høiland-Jørgensen
2020-05-22 17:46 ` David Ahern
2020-05-25 12:15 ` Toke Høiland-Jørgensen
2020-05-25 12:47 ` Jesper Dangaard Brouer
2020-05-25 12:56 ` Toke Høiland-Jørgensen [this message]
2020-05-26 23:36 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pnasi35x.fsf@toke.dk \
--to=toke@redhat.com \
--cc=andriin@fb.com \
--cc=ast@kernel.org \
--cc=brouer@redhat.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsahern@gmail.com \
--cc=dsahern@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=songliubraving@fb.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.