* [PATCH bpf-next v4 2/2] bpf: Refactor bpf_tracing_func_proto() and remove bpf_get_probe_write_proto()
2024-11-29 8:59 [PATCH bpf-next v4 1/2] bpf: Remove bpf_probe_write_user() warning message Marco Elver
@ 2024-11-29 8:59 ` Marco Elver
2024-11-29 16:43 ` Daniel Borkmann
2024-11-29 16:35 ` [PATCH bpf-next v4 1/2] bpf: Remove bpf_probe_write_user() warning message Daniel Borkmann
2024-11-29 19:30 ` patchwork-bot+netdevbpf
2 siblings, 1 reply; 5+ messages in thread
From: Marco Elver @ 2024-11-29 8:59 UTC (permalink / raw)
To: elver, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko
Cc: Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Nikola Grcevski, bpf, linux-trace-kernel, linux-kernel
With bpf_get_probe_write_proto() no longer printing a message, we can
avoid it being a special case with its own permission check.
Refactor bpf_tracing_func_proto() similar to bpf_base_func_proto() to
have a section conditional on bpf_token_capable(CAP_SYS_ADMIN), where
the proto for bpf_probe_write_user() is returned. Finally, remove the
unnecessary bpf_get_probe_write_proto().
This simplifies the code, and adding additional CAP_SYS_ADMIN-only
helpers in future avoids duplicating the same CAP_SYS_ADMIN check.
Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Marco Elver <elver@google.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
---
v4:
* Call bpf_base_func_proto() before bpf_token_capable() (no protos after
should override bpf_base_func_proto() protos), so we can avoid
indenting the switch-block after bpf_token_capable() (suggested by Alexei).
v3:
* Fix where bpf_base_func_proto() is called - it needs to be last,
because we may override protos (as is e.g. done for
BPF_FUNC_get_smp_processor_id).
v2:
* New patch.
---
kernel/trace/bpf_trace.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 0ab56af2e298..b07d8067aa6e 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -357,14 +357,6 @@ static const struct bpf_func_proto bpf_probe_write_user_proto = {
.arg3_type = ARG_CONST_SIZE,
};
-static const struct bpf_func_proto *bpf_get_probe_write_proto(void)
-{
- if (!capable(CAP_SYS_ADMIN))
- return NULL;
-
- return &bpf_probe_write_user_proto;
-}
-
#define MAX_TRACE_PRINTK_VARARGS 3
#define BPF_TRACE_PRINTK_SIZE 1024
@@ -1417,6 +1409,8 @@ late_initcall(bpf_key_sig_kfuncs_init);
static const struct bpf_func_proto *
bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
+ const struct bpf_func_proto *func_proto;
+
switch (func_id) {
case BPF_FUNC_map_lookup_elem:
return &bpf_map_lookup_elem_proto;
@@ -1458,9 +1452,6 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_perf_event_read_proto;
case BPF_FUNC_get_prandom_u32:
return &bpf_get_prandom_u32_proto;
- case BPF_FUNC_probe_write_user:
- return security_locked_down(LOCKDOWN_BPF_WRITE_USER) < 0 ?
- NULL : bpf_get_probe_write_proto();
case BPF_FUNC_probe_read_user:
return &bpf_probe_read_user_proto;
case BPF_FUNC_probe_read_kernel:
@@ -1539,7 +1530,22 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_FUNC_trace_vprintk:
return bpf_get_trace_vprintk_proto();
default:
- return bpf_base_func_proto(func_id, prog);
+ break;
+ }
+
+ func_proto = bpf_base_func_proto(func_id, prog);
+ if (func_proto)
+ return func_proto;
+
+ if (!bpf_token_capable(prog->aux->token, CAP_SYS_ADMIN))
+ return NULL;
+
+ switch (func_id) {
+ case BPF_FUNC_probe_write_user:
+ return security_locked_down(LOCKDOWN_BPF_WRITE_USER) < 0 ?
+ NULL : &bpf_probe_write_user_proto;
+ default:
+ return NULL;
}
}
--
2.47.0.338.g60cca15819-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH bpf-next v4 2/2] bpf: Refactor bpf_tracing_func_proto() and remove bpf_get_probe_write_proto()
2024-11-29 8:59 ` [PATCH bpf-next v4 2/2] bpf: Refactor bpf_tracing_func_proto() and remove bpf_get_probe_write_proto() Marco Elver
@ 2024-11-29 16:43 ` Daniel Borkmann
0 siblings, 0 replies; 5+ messages in thread
From: Daniel Borkmann @ 2024-11-29 16:43 UTC (permalink / raw)
To: Marco Elver, Alexei Starovoitov, Andrii Nakryiko
Cc: Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Nikola Grcevski, bpf, linux-trace-kernel, linux-kernel
On 11/29/24 9:59 AM, Marco Elver wrote:
> With bpf_get_probe_write_proto() no longer printing a message, we can
> avoid it being a special case with its own permission check.
>
> Refactor bpf_tracing_func_proto() similar to bpf_base_func_proto() to
> have a section conditional on bpf_token_capable(CAP_SYS_ADMIN), where
> the proto for bpf_probe_write_user() is returned. Finally, remove the
> unnecessary bpf_get_probe_write_proto().
>
> This simplifies the code, and adding additional CAP_SYS_ADMIN-only
> helpers in future avoids duplicating the same CAP_SYS_ADMIN check.
>
> Suggested-by: Andrii Nakryiko <andrii@kernel.org>
> Signed-off-by: Marco Elver <elver@google.com>
> Acked-by: Jiri Olsa <jolsa@kernel.org>
Given the abuse that has been done with this helper, my preference is
we don't encourage wider use via bpf_token_capable.. but fair enough,
as long as it stays behind security_locked_down.
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH bpf-next v4 1/2] bpf: Remove bpf_probe_write_user() warning message
2024-11-29 8:59 [PATCH bpf-next v4 1/2] bpf: Remove bpf_probe_write_user() warning message Marco Elver
2024-11-29 8:59 ` [PATCH bpf-next v4 2/2] bpf: Refactor bpf_tracing_func_proto() and remove bpf_get_probe_write_proto() Marco Elver
@ 2024-11-29 16:35 ` Daniel Borkmann
2024-11-29 19:30 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 5+ messages in thread
From: Daniel Borkmann @ 2024-11-29 16:35 UTC (permalink / raw)
To: Marco Elver, Alexei Starovoitov, Andrii Nakryiko
Cc: Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Nikola Grcevski, bpf, linux-trace-kernel, linux-kernel
On 11/29/24 9:59 AM, Marco Elver wrote:
> The warning message for bpf_probe_write_user() was introduced in
> 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in
> tracers"), with the following in the commit message:
>
> Given this feature is meant for experiments, and it has a risk of
> crashing the system, and running programs, we print a warning on
> when a proglet that attempts to use this helper is installed,
> along with the pid and process name.
>
> After 8 years since 96ae52279594, bpf_probe_write_user() has found
> successful applications beyond experiments [1, 2], with no other good
> alternatives. Despite its intended purpose for "experiments", that
> doesn't stop Hyrum's law, and there are likely many more users depending
> on this helper: "[..] it does not matter what you promise [..] all
> observable behaviors of your system will be depended on by somebody."
>
> The ominous "helper that may corrupt user memory!" has offered no real
> benefit, and has been found to lead to confusion where the system
> administrator is loading programs with valid use cases.
>
> As such, remove the warning message.
>
> Link: https://lore.kernel.org/lkml/20240404190146.1898103-1-elver@google.com/ [1]
> Link: https://lore.kernel.org/r/lkml/CAAn3qOUMD81-vxLLfep0H6rRd74ho2VaekdL4HjKq+Y1t9KdXQ@mail.gmail.com/ [2]
> Link: https://lore.kernel.org/all/CAEf4Bzb4D_=zuJrg3PawMOW3KqF8JvJm9SwF81_XHR2+u5hkUg@mail.gmail.com/
> Signed-off-by: Marco Elver <elver@google.com>
> Acked-by: Jiri Olsa <jolsa@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [PATCH bpf-next v4 1/2] bpf: Remove bpf_probe_write_user() warning message
2024-11-29 8:59 [PATCH bpf-next v4 1/2] bpf: Remove bpf_probe_write_user() warning message Marco Elver
2024-11-29 8:59 ` [PATCH bpf-next v4 2/2] bpf: Refactor bpf_tracing_func_proto() and remove bpf_get_probe_write_proto() Marco Elver
2024-11-29 16:35 ` [PATCH bpf-next v4 1/2] bpf: Remove bpf_probe_write_user() warning message Daniel Borkmann
@ 2024-11-29 19:30 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-11-29 19:30 UTC (permalink / raw)
To: Marco Elver
Cc: ast, daniel, andrii, martin.lau, eddyz87, song, yonghong.song,
john.fastabend, kpsingh, sdf, haoluo, jolsa, nikola.grcevski, bpf,
linux-trace-kernel, linux-kernel
Hello:
This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Fri, 29 Nov 2024 09:59:33 +0100 you wrote:
> The warning message for bpf_probe_write_user() was introduced in
> 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in
> tracers"), with the following in the commit message:
>
> Given this feature is meant for experiments, and it has a risk of
> crashing the system, and running programs, we print a warning on
> when a proglet that attempts to use this helper is installed,
> along with the pid and process name.
>
> [...]
Here is the summary with links:
- [bpf-next,v4,1/2] bpf: Remove bpf_probe_write_user() warning message
https://git.kernel.org/bpf/bpf-next/c/3389f8243a90
- [bpf-next,v4,2/2] bpf: Refactor bpf_tracing_func_proto() and remove bpf_get_probe_write_proto()
https://git.kernel.org/bpf/bpf-next/c/45e04eb4d9d8
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 5+ messages in thread