From: Christian Brauner <brauner@kernel.org>
To: Matt Bobrowski <mattbobrowski@google.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org,
kpsingh@google.com, jannh@google.com, jolsa@kernel.org,
daniel@iogearbox.net, torvalds@linux-foundation.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2 bpf-next 0/9] add new acquire/release BPF kfuncs
Date: Wed, 6 Mar 2024 12:21:22 +0100 [thread overview]
Message-ID: <20240306-flach-tragbar-b2b3c531bf0d@brauner> (raw)
In-Reply-To: <cover.1709675979.git.mattbobrowski@google.com>
On Wed, Mar 06, 2024 at 07:39:14AM +0000, Matt Bobrowski wrote:
> G'day All,
>
> The original cover letter providing background context and motivating
> factors around the needs for the BPF kfuncs introduced within this
> patch series can be found here [0], so please do reference that if
> need be.
>
> Notably, one of the main contention points within v1 of this patch
> series was that we were effectively leaning on some preexisting
> in-kernel APIs such as get_task_exe_file() and get_mm_exe_file()
> within some of the newly introduced BPF kfuncs. As noted in my
> response here [1] though, I struggle to understand the technical
> reasoning behind why exposing such in-kernel helpers, specifically
> only to BPF LSM program types in the form of BPF kfuncs, is inherently
> a terrible idea. So, until someone provides me with a sound technical
> explanation as to why this cannot or should not be done, I'll continue
> to lean on them. The alternative is to reimplement the necessary
> in-kernel APIs within the BPF kfuncs, but that's just nonsensical IMO.
You may lean as much as you like. What I've reacted to is that you've
(not you specifically, I'm sure) messed up. You've exposed d_path() to
users without understanding that it wasn't safe apparently.
And now we get patches that use the self-inflicted brokeness as an
argument to expose a bunch of other low-level helpers to fix that.
The fact that it's "just bpf LSM" programs doesn't alleviate any
concerns whatsoever. Not just because that is just an entry vector but
also because we have LSMs induced API abuse that we only ever get to see
the fallout from when we refactor apis and then it causes pain for the vfs.
I'll take another look at the proposed helpers you need as bpf kfuncs
and I'll give my best not to be overly annoyed by all of this. I have no
intention of not helping you quite the opposite but I'm annoyed that
we're here in the first place.
What I want is to stop this madness of exposing stuff to users without
fully understanding it's semantics and required guarantees.
next prev parent reply other threads:[~2024-03-06 11:21 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-06 7:39 [PATCH v2 bpf-next 0/9] add new acquire/release BPF kfuncs Matt Bobrowski
2024-03-06 7:39 ` [PATCH v2 bpf-next 1/9] bpf: rename fs_kfunc_set_ids to lsm_kfunc_set_ids Matt Bobrowski
2024-03-06 7:39 ` [PATCH v2 bpf-next 2/9] bpf: add new acquire/release BPF kfuncs for mm_struct Matt Bobrowski
2024-03-06 11:50 ` Christian Brauner
2024-03-06 7:39 ` [PATCH v2 bpf-next 3/9] bpf/selftests: add selftests for mm_struct acquire/release BPF kfuncs Matt Bobrowski
2024-03-06 7:40 ` [PATCH v2 bpf-next 4/9] bpf: add new acquire/release based BPF kfuncs for exe_file Matt Bobrowski
2024-03-06 11:31 ` Christian Brauner
2024-03-06 7:40 ` [PATCH v2 bpf-next 5/9] bpf/selftests: add selftests for exe_file acquire/release BPF kfuncs Matt Bobrowski
2024-03-06 7:40 ` [PATCH v2 bpf-next 6/9] bpf: add acquire/release based BPF kfuncs for fs_struct's paths Matt Bobrowski
2024-03-06 11:47 ` Christian Brauner
2024-03-06 7:40 ` [PATCH v2 bpf-next 7/9] bpf/selftests: add selftests for root/pwd path based BPF kfuncs Matt Bobrowski
2024-03-06 7:40 ` [PATCH v2 bpf-next 9/9] bpf/selftests: adapt selftests test_d_path for BPF kfunc bpf_path_d_path() Matt Bobrowski
2024-03-06 7:40 ` [PATCH v2 bpf-next 8/9] bpf: add trusted d_path() based " Matt Bobrowski
2024-03-06 11:21 ` Christian Brauner [this message]
2024-03-06 12:13 ` [PATCH v2 bpf-next 0/9] add new acquire/release BPF kfuncs Christian Brauner
2024-03-06 21:44 ` Paul Moore
2024-03-07 4:05 ` Alexei Starovoitov
2024-03-07 9:54 ` Christian Brauner
2024-03-07 20:50 ` Paul Moore
2024-03-08 3:25 ` Alexei Starovoitov
2024-03-08 10:58 ` Christian Brauner
2024-03-08 3:11 ` Alexei Starovoitov
2024-03-08 10:35 ` Christian Brauner
2024-03-09 1:23 ` Alexei Starovoitov
2024-03-11 12:00 ` Christian Brauner
2024-03-12 17:06 ` Matt Bobrowski
2024-03-12 20:11 ` Matt Bobrowski
2024-03-18 13:24 ` Christian Brauner
2024-03-13 21:05 ` Alexei Starovoitov
2024-03-18 13:14 ` Christian Brauner
2024-03-27 21:41 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240306-flach-tragbar-b2b3c531bf0d@brauner \
--to=brauner@kernel.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jannh@google.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mattbobrowski@google.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).