From: "Theodore Ts'o" <tytso@mit.edu>
To: Christian Brauner <brauner@kernel.org>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Christoph Hellwig <hch@lst.de>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>, bpf <bpf@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@kernel.org>,
Aleksa Sarai <cyphar@cyphar.com>,
Lennart Poettering <lennart@poettering.net>,
Linux-Fsdevel <linux-fsdevel@vger.kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: fd == 0 means AT_FDCWD BPF_OBJ_GET commands
Date: Thu, 18 May 2023 10:30:16 -0400 [thread overview]
Message-ID: <ZGY2eICf8Ndr3Xg5@mit.edu> (raw)
In-Reply-To: <20230518-erdkugel-komprimieren-16548ca2a39c@brauner>
The other thing to note is that while the *convention* may be that 0,
1, and 2 are for stdin, stdout, and stderr, this is a *userspae*
convention. After all, system daemons like getty, gnome-terminal,
et. al, need to be able to open file descriptors for stdin, stdout,
and stderr, and it would be.....highly undesirable for the kernel to
have to special case those processes from being able to open those
file descriptors. So in the eyes of Kernel to Userspace API's we
should not specially privilege the meaning of file descriptors 0, 1,
and 2.
Besides, we have a perfectly good way of expressing "not a FD" and
that is negative values! File descriptors, after all, are signed
integers.
Finally, by having some kernel subsystem have a different meaning for
fd 0 means that there are potential security vulernabilities. It may
be the case that userspace *SHOULD* not use fd 0 for anythingn other
than stdin, and that should be something which should be handed to it
by its parent process.
However, consider what might happen if a malicious program where to
exec a process, perhaps a setuid process, with fd 0 closed. Now the
first file opened by that program will be assigned fd 0, and if that
gets passed to BPF, something surprising and wonderous --- but
hopefully not something that can be leveraged to be a high severity
security vulnerability --- may very well happen.
So if there is anyway to that we can change the BPF API's to change to
use negative values for special case meanings, we should do it.
Certainly for any new API's, and even for old API's, Linus has always
said that there are some special case times when we can break the
userspace ABI --- and security vulnerabilites are certainly one of
them.
Best regards,
- Ted
next prev parent reply other threads:[~2023-05-18 14:31 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-16 0:13 [PATCH bpf-next 0/3] Add O_PATH-based BPF_OBJ_PIN and BPF_OBJ_GET support Andrii Nakryiko
2023-05-16 0:13 ` [PATCH bpf-next 1/3] bpf: support O_PATH FDs in BPF_OBJ_PIN and BPF_OBJ_GET commands Andrii Nakryiko
2023-05-16 8:52 ` Jiri Olsa
2023-05-16 18:02 ` Andrii Nakryiko
2023-05-16 9:07 ` Christian Brauner
2023-05-16 18:02 ` Andrii Nakryiko
2023-05-17 9:11 ` fd == 0 means AT_FDCWD " Christian Brauner
2023-05-17 12:05 ` Christoph Hellwig
2023-05-17 16:17 ` Alexei Starovoitov
2023-05-17 21:48 ` Alexei Starovoitov
2023-05-18 8:38 ` Christian Brauner
2023-05-18 14:30 ` Theodore Ts'o [this message]
2023-05-18 16:25 ` Alexei Starovoitov
2023-05-18 16:33 ` Matthew Wilcox
2023-05-18 17:22 ` Christian Brauner
2023-05-18 17:20 ` Christian Brauner
2023-05-18 17:33 ` Linus Torvalds
2023-05-18 18:21 ` Christian Brauner
2023-05-18 18:26 ` Alexei Starovoitov
2023-05-18 18:57 ` Linus Torvalds
2023-05-19 4:44 ` Alexei Starovoitov
2023-05-19 8:13 ` Christian Brauner
2023-05-19 14:27 ` Theodore Ts'o
2023-05-19 17:51 ` Linus Torvalds
2023-05-23 7:49 ` Lennart Poettering
2023-05-23 17:25 ` Andrii Nakryiko
2023-08-26 4:27 ` Al Viro
2023-05-18 21:56 ` Andrii Nakryiko
2023-05-16 0:13 ` [PATCH bpf-next 2/3] libbpf: add opts-based bpf_obj_pin() API and add support for path_fd Andrii Nakryiko
2023-05-16 0:13 ` [PATCH bpf-next 3/3] selftests/bpf: add path_fd-based BPF_OBJ_PIN and BPF_OBJ_GET tests Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZGY2eICf8Ndr3Xg5@mit.edu \
--to=tytso@mit.edu \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=daniel@iogearbox.net \
--cc=hch@lst.de \
--cc=lennart@poettering.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=martin.lau@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox