From: Michael Ellerman <mpe@ellerman.id.au>
To: Willy Tarreau <w@1wt.eu>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: "Alon\, Liran" <liran@amazon.com>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
Dan Aloni <dan@kernelim.com>, bpf <bpf@vger.kernel.org>,
security@kernel.org, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>, Andrii Nakryiko <andrii@kernel.org>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@chromium.org>
Subject: Re: [PATCH] btf: Expose kernel BTF only to tasks with CAP_PERFMON
Date: Fri, 30 Oct 2020 22:23:57 +1100 [thread overview]
Message-ID: <87k0v8ufci.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <20201029041501.GA16341@1wt.eu>
Willy Tarreau <w@1wt.eu> writes:
> On Wed, Oct 28, 2020 at 04:06:02PM -0700, Alexei Starovoitov wrote:
>> On Thu, Oct 29, 2020 at 12:30:49AM +0200, Alon, Liran wrote:
>> > > Guarding /sys/kernel/bpf/vmlinux behind CAP_PERFMON would break a lot
>> > > of users relying on BTF availability to build their BPF applications.
>> > True. If this patch is applied, would need to at least be behind an optin
>> > knob. Similar to dmesg_restrict.
>>
>> It's not going to be applied. If a file shouldn't be read by a user
>> it should have appropriate file permissions instead of 444.
>> Checking capable() in read() is very non-unix way to deal with permissions.
>
> Not only it's a non-unix way, both don't achieve the same goals at all!
>
> One checks for permissions at open() time and may for example allow a
> process to drop its uid after opening, while the other one allows to
> filter who can really read it, particularly in case the FD is inherited
> between processes. With this said, I don't see why there would be a
> special case for this one, it should definitely stick to file permissions
> only.
From include/linux/bpf.h:
static inline bool bpf_allow_ptr_leaks(void)
{
return perfmon_capable();
}
static inline bool bpf_allow_ptr_to_map_access(void)
{
return perfmon_capable();
}
static inline bool bpf_bypass_spec_v1(void)
{
return perfmon_capable();
}
static inline bool bpf_bypass_spec_v4(void)
{
return perfmon_capable();
}
There's also several cases in bpf_base_func_proto().
So it seems entirely reasonable to suggest that perfmon_capable() is the
right check here.
cheers
prev parent reply other threads:[~2020-10-30 11:24 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20201028203853.2412751-1-dan@kernelim.com>
2020-10-28 21:56 ` [PATCH] btf: Expose kernel BTF only to tasks with CAP_PERFMON Andrii Nakryiko
2020-10-28 22:30 ` Alon, Liran
2020-10-28 23:06 ` Alexei Starovoitov
2020-10-29 4:15 ` Willy Tarreau
2020-10-30 11:23 ` Michael Ellerman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k0v8ufci.fsf@mpe.ellerman.id.au \
--to=mpe@ellerman.id.au \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=dan@kernelim.com \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@chromium.org \
--cc=liran@amazon.com \
--cc=security@kernel.org \
--cc=songliubraving@fb.com \
--cc=w@1wt.eu \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox