From: Roberto Sassu <roberto.sassu@huawei.com>
To: Roberto Sassu <roberto.sassu@huawei.com>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: "ast@kernel.org" <ast@kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"andrii@kernel.org" <andrii@kernel.org>,
"kpsingh@kernel.org" <kpsingh@kernel.org>,
"john.fastabend@gmail.com" <john.fastabend@gmail.com>,
"songliubraving@fb.com" <songliubraving@fb.com>,
"kafai@fb.com" <kafai@fb.com>, "yhs@fb.com" <yhs@fb.com>,
"dhowells@redhat.com" <dhowells@redhat.com>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH v5 2/5] bpf: Add bpf_lookup_user_key() and bpf_key_put() helpers
Date: Thu, 23 Jun 2022 12:36:52 +0000 [thread overview]
Message-ID: <f2d3da08e7774df9b44cc648dda7d0b8@huawei.com> (raw)
In-Reply-To: <796b55c79be142cab6a22dd281fdb9fa@huawei.com>
> From: Roberto Sassu [mailto:roberto.sassu@huawei.com]
> Sent: Wednesday, June 22, 2022 9:12 AM
> > From: Alexei Starovoitov [mailto:alexei.starovoitov@gmail.com]
> > Sent: Wednesday, June 22, 2022 12:33 AM
> > On Tue, Jun 21, 2022 at 06:37:54PM +0200, Roberto Sassu wrote:
> > > Add the bpf_lookup_user_key() and bpf_key_put() helpers, to respectively
> > > search a key with a given serial, and release the reference count of the
> > > found key.
> > >
> > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > ---
> > > include/uapi/linux/bpf.h | 16 ++++++++++++
> > > kernel/bpf/bpf_lsm.c | 46 ++++++++++++++++++++++++++++++++++
> > > kernel/bpf/verifier.c | 6 +++--
> > > scripts/bpf_doc.py | 2 ++
> > > tools/include/uapi/linux/bpf.h | 16 ++++++++++++
> > > 5 files changed, 84 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > > index e81362891596..7bbcf2cd105d 100644
> > > --- a/include/uapi/linux/bpf.h
> > > +++ b/include/uapi/linux/bpf.h
> > > @@ -5325,6 +5325,20 @@ union bpf_attr {
> > > * **-EACCES** if the SYN cookie is not valid.
> > > *
> > > * **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
> > > + *
> > > + * struct key *bpf_lookup_user_key(u32 serial, unsigned long flags)
> > > + * Description
> > > + * Search a key with a given *serial* and the provided *flags*, and
> > > + * increment the reference count of the key.
> >
> > Why passing 'flags' is ok to do?
> > Please think through every line of the patch.
>
> To be honest, I thought about it. Probably yes, I should do some
> sanitization, like I did for the keyring ID. When I checked
> lookup_user_key(), I saw that flags are checked individually, so
> an arbitrary value passed to the helper should not cause harm.
> Will do sanitization, if you prefer. It is just that we have to keep
> the eBPF code in sync with key flag definition (unless we have
> a 'last' flag).
I'm not sure that having a helper for lookup_user_key() alone is
correct. By having separate helpers for lookup and usage of the
key, nothing would prevent an eBPF program to ask for a
permission to pass the access control check, and then use the
key for something completely different from what it requested.
Looking at how lookup_user_key() is used in security/keys/keyctl.c,
it seems clear that it should be used together with the operation
that needs to be performed. Only in this way, the key permission
would make sense.
What do you think (also David)?
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
Managing Director: Li Peng, Yang Xi, Li He
next prev parent reply other threads:[~2022-06-23 12:36 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-21 16:37 [PATCH v5 0/5] bpf: Add bpf_verify_pkcs7_signature() helper Roberto Sassu
2022-06-21 16:37 ` [PATCH v5 1/5] bpf: Export bpf_dynptr_get_size() Roberto Sassu
2022-06-21 16:37 ` [PATCH v5 2/5] bpf: Add bpf_lookup_user_key() and bpf_key_put() helpers Roberto Sassu
2022-06-21 22:32 ` Alexei Starovoitov
2022-06-22 7:12 ` Roberto Sassu
2022-06-23 12:36 ` Roberto Sassu [this message]
2022-06-23 20:54 ` Alexei Starovoitov
2022-06-24 15:32 ` Roberto Sassu
2022-06-24 16:50 ` Alexei Starovoitov
2022-06-24 17:38 ` Roberto Sassu
2022-06-24 15:59 ` Roberto Sassu
2022-06-21 16:37 ` [PATCH v5 3/5] bpf: Add bpf_verify_pkcs7_signature() helper Roberto Sassu
2022-06-21 22:27 ` John Fastabend
2022-06-22 9:54 ` Roberto Sassu
2022-06-23 1:27 ` John Fastabend
2022-06-21 16:37 ` [PATCH v5 4/5] selftests/bpf: Add test for unreleased key references Roberto Sassu
2022-06-21 22:35 ` John Fastabend
2022-06-22 7:14 ` Roberto Sassu
2022-06-21 16:37 ` [PATCH v5 5/5] selftests/bpf: Add test for bpf_verify_pkcs7_signature() helper Roberto Sassu
2022-06-21 22:31 ` Alexei Starovoitov
2022-06-22 7:06 ` Roberto Sassu
2022-06-22 18:16 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f2d3da08e7774df9b44cc648dda7d0b8@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dhowells@redhat.com \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=keyrings@vger.kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=songliubraving@fb.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).