public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed
From: Yonghong Song <yonghong.song@linux.dev>
To: Yafang Shao <laoar.shao@gmail.com>,
	ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com,
	andrii@kernel.org, martin.lau@linux.dev, song@kernel.org,
	kpsingh@kernel.org, sdf@google.com, haoluo@google.com,
	jolsa@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [RFC PATCH bpf-next 1/2] bpf: Add bpf_current_capable kfunc
Date: Mon, 14 Aug 2023 17:28:14 -0700	[thread overview]
Message-ID: <56dc2449-f01c-f0a7-e31b-cfe6cd157aaa@linux.dev> (raw)
In-Reply-To: <20230814143341.3767-2-laoar.shao@gmail.com>



On 8/14/23 7:33 AM, Yafang Shao wrote:
> Add a new bpf_current_capable kfunc to check whether the current task
> has a specific capability. In our use case, we will use it in a lsm bpf
> program to help identify if the user operation is permitted.
> 
> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> ---
>   kernel/bpf/helpers.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index eb91cae..bbee7ea 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -2429,6 +2429,11 @@ __bpf_kfunc void bpf_rcu_read_unlock(void)
>   	rcu_read_unlock();
>   }
>   
> +__bpf_kfunc bool bpf_current_capable(int cap)
> +{
> +	return has_capability(current, cap);
> +}

Since you are testing against 'current' capabilities, I assume
that the context should be process. Otherwise, you are testing
against random task which does not make much sense.

Since you are testing against 'current' cap, and if the capability
for that task is stable, you do not need this kfunc.
You can test cap in user space and pass it into the bpf program.

But if the cap for your process may change in the middle of
run, then you indeed need bpf prog to test capability in real time.
Is this your use case and could you describe in in more detail?

> +
>   __diag_pop();
>   
>   BTF_SET8_START(generic_btf_ids)
> @@ -2456,6 +2461,7 @@ __bpf_kfunc void bpf_rcu_read_unlock(void)
>   BTF_ID_FLAGS(func, bpf_task_under_cgroup, KF_RCU)
>   #endif
>   BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL)
> +BTF_ID_FLAGS(func, bpf_current_capable, KF_RCU)
>   BTF_SET8_END(generic_btf_ids)
>   
>   static const struct btf_kfunc_id_set generic_kfunc_set = {

  reply	other threads:[~2023-08-15  0:28 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-14 14:33 [RFC PATCH bpf-next 0/2] bpf: Add a new kfunc bpf_current_capable Yafang Shao
2023-08-14 14:33 ` [RFC PATCH bpf-next 1/2] bpf: Add bpf_current_capable kfunc Yafang Shao
2023-08-15  0:28   ` Yonghong Song [this message]
2023-08-15  2:45     ` Yafang Shao
2023-08-15  3:40       ` Yonghong Song
2023-08-15  5:49         ` Yafang Shao
2023-08-15 15:19           ` Yonghong Song
2023-08-17  1:53       ` Alexei Starovoitov
2023-08-17  2:30         ` Yafang Shao
2023-08-17  3:30           ` Alexei Starovoitov
2023-08-17  7:09             ` Yafang Shao
2023-08-17 15:30               ` Daniel Borkmann
2023-08-17 17:45                 ` Alexei Starovoitov
2023-09-13 12:25                   ` [PATCH 1/3] Revert "selftests/bpf: Add selftest for allow_ptr_leaks" Luis Gerhorst
2023-09-14 12:50                     ` patchwork-bot+netdevbpf
2023-09-13 12:28                   ` [PATCH 2/3] Revert "bpf: Fix issue in verifying allow_ptr_leaks" Luis Gerhorst
2023-09-14 16:20                     ` Alexei Starovoitov
2023-09-14 17:24                       ` Daniel Borkmann
2023-09-14 19:47                         ` Alexei Starovoitov
2023-09-18 11:25                           ` Luis Gerhorst
2023-09-19  8:57                             ` Alexei Starovoitov
2023-09-28 11:09                               ` Luis Gerhorst
2023-09-15  2:26                     ` Yafang Shao
2023-09-18 11:52                       ` Luis Gerhorst
2023-09-19  3:43                         ` Yafang Shao
2023-09-19  6:43                           ` Daniel Borkmann
2023-09-13 12:31                   ` [PATCH 3/3] selftests/bpf: Add selftest for packet-pointer Spectre v1 gadget Luis Gerhorst
2023-08-21  5:56                 ` [RFC PATCH bpf-next 1/2] bpf: Add bpf_current_capable kfunc Yafang Shao
2023-08-17 17:48               ` Alexei Starovoitov
2023-08-14 14:33 ` [RFC PATCH bpf-next 2/2] selftests/bpf: Add selftest for bpf_current_capable Yafang Shao

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56dc2449-f01c-f0a7-e31b-cfe6cd157aaa@linux.dev \
    --to=yonghong.song@linux.dev \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=haoluo@google.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=laoar.shao@gmail.com \
    --cc=martin.lau@linux.dev \
    --cc=sdf@google.com \
    --cc=song@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox