From: Song Liu <songliubraving@meta.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: "Dr. Greg" <greg@enjellic.com>, Song Liu <song@kernel.org>,
Song Liu <songliubraving@meta.com>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
Kernel Team <kernel-team@meta.com>,
"andrii@kernel.org" <andrii@kernel.org>,
"eddyz87@gmail.com" <eddyz87@gmail.com>,
"ast@kernel.org" <ast@kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"martin.lau@linux.dev" <martin.lau@linux.dev>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"brauner@kernel.org" <brauner@kernel.org>,
"jack@suse.cz" <jack@suse.cz>,
"kpsingh@kernel.org" <kpsingh@kernel.org>,
"mattbobrowski@google.com" <mattbobrowski@google.com>,
"amir73il@gmail.com" <amir73il@gmail.com>,
"repnop@google.com" <repnop@google.com>,
"jlayton@kernel.org" <jlayton@kernel.org>,
Josef Bacik <josef@toxicpanda.com>,
"mic@digikod.net" <mic@digikod.net>,
"gnoack@google.com" <gnoack@google.com>
Subject: Re: [PATCH bpf-next 0/4] Make inode storage available to tracing prog
Date: Thu, 14 Nov 2024 18:08:06 +0000 [thread overview]
Message-ID: <4BF6D271-51D5-4768-A460-0853ABC5602D@fb.com> (raw)
In-Reply-To: <53a3601e-0999-4603-b69f-7bed39d4d89a@schaufler-ca.com>
> On Nov 14, 2024, at 9:29 AM, Casey Schaufler <casey@schaufler-ca.com> wrote:
[...]
>>
>>
>> The LSM inode information is obviously security sensitive, which I
>> presume would be be the motivation for Casey's concern that a 'mistake
>> by a BPF programmer could cause the whole system to blow up', which in
>> full disclosure is only a rough approximation of his statement.
>>
>> We obviously can't speak directly to Casey's concerns. Casey, any
>> specific technical comments on the challenges of using a common inode
>> specific storage architecture?
>
> My objection to using a union for the BPF and LSM pointer is based
> on the observation that a lot of modern programmers don't know what
> a union does. The BPF programmer would see that there are two ways
> to accomplish their task, one for CONFIG_SECURITY=y and the other
> for when it isn't. The second is much simpler. Not understanding
> how kernel configuration works, nor being "real" C language savvy,
> the programmer installs code using the simpler interfaces on a
> Redhat system. The SELinux inode data is compromised by the BPF
> code, which thinks the data is its own. Hilarity ensues.
There must be some serious misunderstanding here. So let me
explain the idea again.
With CONFIG_SECURITY=y, the code will work the same as right now.
BPF inode storage uses i_security, just as any other LSMs.
With CONFIG_SECURITY=n, i_security does not exist, so the bpf
inode storage will use i_bpf_storage.
Since this is a CONFIG_, all the logic got sorted out at compile
time. Thus the user API (for user space and for bpf programs)
stays the same.
Actually, I can understand the concern with union. Although,
the logic is set at kernel compile time, it is still possible
for kernel source code to use i_bpf_storage when
CONFIG_SECURITY is enabled. (Yes, I guess now I finally understand
the concern).
We can address this with something like following:
#ifdef CONFIG_SECURITY
void *i_security;
#elif CONFIG_BPF_SYSCALL
struct bpf_local_storage __rcu *i_bpf_storage;
#endif
This will help catch all misuse of the i_bpf_storage at compile
time, as i_bpf_storage doesn't exist with CONFIG_SECURITY=y.
Does this make sense?
Thanks,
Song
next prev parent reply other threads:[~2024-11-14 18:08 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-12 8:25 [PATCH bpf-next 0/4] Make inode storage available to tracing prog Song Liu
2024-11-12 8:25 ` [PATCH bpf-next 1/4] bpf: lsm: Remove hook to bpf_task_storage_free Song Liu
2024-11-12 8:25 ` [PATCH bpf-next 2/4] bpf: Make bpf inode storage available to tracing program Song Liu
2024-11-13 10:19 ` Christian Brauner
2024-11-13 14:15 ` Song Liu
2024-11-13 18:29 ` Casey Schaufler
2024-11-13 19:00 ` Song Liu
2024-11-21 9:04 ` Christian Brauner
2024-11-14 21:11 ` Song Liu
2024-11-15 11:19 ` Jan Kara
2024-11-15 17:35 ` Song Liu
2024-11-19 14:21 ` Jeff Layton
2024-11-19 15:25 ` Amir Goldstein
2024-11-19 15:30 ` Amir Goldstein
2024-11-19 21:53 ` Song Liu
2024-11-20 9:19 ` Amir Goldstein
2024-11-20 9:28 ` Christian Brauner
2024-11-20 11:19 ` Amir Goldstein
2024-11-21 8:43 ` Christian Brauner
2024-11-21 13:48 ` Jeff Layton
2024-11-21 8:08 ` Song Liu
2024-11-21 9:14 ` Christian Brauner
2024-11-23 0:08 ` Alexei Starovoitov
2024-11-12 8:25 ` [PATCH bpf-next 3/4] bpf: Add recursion avoid logic for inode storage Song Liu
2024-11-12 8:25 ` [PATCH bpf-next 3/4] bpf: Add recursion prevention " Song Liu
2024-11-12 8:25 ` [PATCH bpf-next 4/4] selftest/bpf: Add test for inode local storage recursion Song Liu
2024-11-12 8:26 ` [PATCH bpf-next 4/4] selftest/bpf: Test inode local storage recursion prevention Song Liu
2024-11-12 8:35 ` [PATCH bpf-next 0/4] Make inode storage available to tracing prog Song Liu
2024-11-12 18:09 ` Casey Schaufler
2024-11-12 18:44 ` Song Liu
2024-11-13 1:10 ` Casey Schaufler
2024-11-13 1:37 ` Song Liu
2024-11-13 18:06 ` Casey Schaufler
2024-11-13 18:57 ` Song Liu
2024-11-14 16:36 ` Dr. Greg
2024-11-14 17:29 ` Casey Schaufler
2024-11-14 18:08 ` Song Liu [this message]
2024-11-14 21:49 ` James Bottomley
2024-11-14 22:30 ` Song Liu
2024-11-17 22:59 ` Song Liu
2024-11-19 12:27 ` Dr. Greg
2024-11-19 18:14 ` Casey Schaufler
2024-11-19 22:35 ` Song Liu
2024-11-20 16:54 ` Dr. Greg
2024-11-21 8:28 ` Song Liu
2024-11-21 16:02 ` Dr. Greg
2024-11-21 18:11 ` Casey Schaufler
2024-11-23 17:01 ` Dr. Greg
2024-11-25 20:49 ` Casey Schaufler
2024-11-21 17:47 ` Casey Schaufler
2024-11-21 18:28 ` Song Liu
2024-11-23 19:11 ` Paul Moore
2024-11-14 17:51 ` Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4BF6D271-51D5-4768-A460-0853ABC5602D@fb.com \
--to=songliubraving@meta.com \
--cc=amir73il@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=gnoack@google.com \
--cc=greg@enjellic.com \
--cc=jack@suse.cz \
--cc=jlayton@kernel.org \
--cc=josef@toxicpanda.com \
--cc=kernel-team@meta.com \
--cc=kpsingh@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mattbobrowski@google.com \
--cc=mic@digikod.net \
--cc=repnop@google.com \
--cc=song@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox