From: Christian Brauner <brauner@kernel.org>
To: Andrii Nakryiko <andrii@kernel.org>
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, paul@paul-moore.com,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, keescook@chromium.org,
kernel-team@meta.com, sargun@sargun.me
Subject: Re: [PATCH v10 bpf-next 03/17] bpf: introduce BPF token object
Date: Mon, 27 Nov 2023 17:05:31 +0100 [thread overview]
Message-ID: <20231127-anvertrauen-geldhahn-08f009fe1af1@brauner> (raw)
In-Reply-To: <20231110034838.1295764-4-andrii@kernel.org>
> + if (path.mnt->mnt_root != path.dentry) {
You want to verify that you can only create tokens from the root of the
bpffs mount. So for
sudo mount -t bpf bpf /mnt
you want bpf tokens to be creatable from:
fd = open("/mnt")
or from bind-mounts of the fs root:
sudo mount --bind /mnt /srv
fd = open("/srv")
but not from
sudo mount --bind /mnt/foo /opt
fd = open("/opt")
But I think your current check allows for that because if you bind-mount
/mnt/foo to /opt then fd = open("/opt")
path.mnt->mnt_root == foo and path.dentry == foo
I think
path.dentry != path.mnt->mnt_sb->s_root
should give you what you want.
next prev parent reply other threads:[~2023-11-27 16:05 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-10 3:48 [PATCH v10 bpf-next 00/17] BPF token and BPF FS-based delegation Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 01/17] bpf: align CAP_NET_ADMIN checks with bpf_capable() approach Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 02/17] bpf: add BPF token delegation mount options to BPF FS Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 03/17] bpf: introduce BPF token object Andrii Nakryiko
2023-11-27 14:25 ` Christian Brauner
2023-11-27 18:16 ` Andrii Nakryiko
2023-11-27 16:05 ` Christian Brauner [this message]
2023-11-27 18:18 ` Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 04/17] bpf: add BPF token support to BPF_MAP_CREATE command Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 05/17] bpf: add BPF token support to BPF_BTF_LOAD command Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 06/17] bpf: add BPF token support to BPF_PROG_LOAD command Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 07/17] bpf: take into account BPF token when fetching helper protos Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 08/17] bpf: consistently use BPF token throughout BPF verifier logic Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 09/17] bpf,lsm: refactor bpf_prog_alloc/bpf_prog_free LSM hooks Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 10/17] bpf,lsm: refactor bpf_map_alloc/bpf_map_free " Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 11/17] bpf,lsm: add BPF token " Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 12/17] libbpf: add bpf_token_create() API Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 13/17] libbpf: add BPF token support to bpf_map_create() API Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 14/17] libbpf: add BPF token support to bpf_btf_load() API Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 15/17] libbpf: add BPF token support to bpf_prog_load() API Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 16/17] selftests/bpf: add BPF token-enabled tests Andrii Nakryiko
2023-11-10 3:48 ` [PATCH v10 bpf-next 17/17] bpf,selinux: allocate bpf_security_struct per BPF token Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231127-anvertrauen-geldhahn-08f009fe1af1@brauner \
--to=brauner@kernel.org \
--cc=andrii@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=keescook@chromium.org \
--cc=kernel-team@meta.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sargun@sargun.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox