From: Song Liu <songliubraving@meta.com>
To: Christian Brauner <brauner@kernel.org>
Cc: Song Liu <songliubraving@meta.com>, Song Liu <song@kernel.org>,
bpf <bpf@vger.kernel.org>,
Linux-Fsdevel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Kernel Team <kernel-team@meta.com>,
"andrii@kernel.org" <andrii@kernel.org>,
"eddyz87@gmail.com" <eddyz87@gmail.com>,
"ast@kernel.org" <ast@kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"martin.lau@linux.dev" <martin.lau@linux.dev>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"jack@suse.cz" <jack@suse.cz>,
"kpsingh@kernel.org" <kpsingh@kernel.org>,
"mattbobrowski@google.com" <mattbobrowski@google.com>
Subject: Re: [PATCH bpf-next 2/2] selftests/bpf: Add tests for bpf_get_dentry_xattr
Date: Tue, 30 Jul 2024 05:58:31 +0000
Message-ID: <2FE83412-65A5-451B-8722-E0B8035BFD30@fb.com>
In-Reply-To: <20240729-zollfrei-verteidigen-cf359eb36601@brauner>

Hi Christian,

Thanks a lot for your detailed explanation! We will revisit the design
based on these comments and suggestions.

One more question about a potential new kfunc bpf_get_inode_xattr():
Should it take dentry as input? IOW, should it look like:

__bpf_kfunc int bpf_get_inode_xattr(struct dentry *dentry, const char *name__str,
				    struct bpf_dynptr *value_p)
{
	struct bpf_dynptr_kern *value_ptr = (struct bpf_dynptr_kern *)value_p;
	u32 value_len;
	void *value;
	int ret;

	if (strncmp(name__str, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
		return -EPERM;

	value_len = __bpf_dynptr_size(value_ptr);
	value = __bpf_dynptr_data_rw(value_ptr, value_len);
	if (!value)
		return -EINVAL;

	ret = inode_permission(&nop_mnt_idmap, dentry->d_inode, MAY_READ);
	if (ret)
		return ret;
	return __vfs_getxattr(dentry, dentry->d_inode, name__str, value, value_len);
}

I am asking because many security_inode_* hooks actually take dentry as an
argument. So it makes sense to use dentry for kfuncs. Maybe we should
call it bpf_get_dentry_xattr, which is actually the same kfunc in this
set (1/2)?

Thanks,
Song

> On Jul 29, 2024, at 6:46 AM, Christian Brauner <brauner@kernel.org> wrote:
[...]
>>> Imho, what you're doing belongs into inode_permission() not into
>>> security_file_open(). That's already too late and it's somewhat clear
>>> from the example you're using that you're essentially doing permission
>>> checking during path lookup.
>>
>> I am not sure I follow the suggestion to implement this with
>> security_inode_permission()? Could you please share more details about
>> this idea?
[...]