Enable writing xattr from BPF programs #8261
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: 58ecb3a |
|
Upstream branch: 58ecb3a |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
52a1f92 to
50c3d5c
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
e2b857e to
9a051e1
Compare
|
Upstream branch: 58ecb3a |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
50c3d5c to
43561fe
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
9a051e1 to
bef6461
Compare
|
Upstream branch: a7c2051 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
43561fe to
30ceba7
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
bef6461 to
04c6b5e
Compare
|
Upstream branch: a7c2051 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
30ceba7 to
0d1fd27
Compare
|
Upstream branch: a7c2051 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
0d1fd27 to
2f72154
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
04c6b5e to
419af5f
Compare
|
Upstream branch: 8eef6ac |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
2f72154 to
752621b
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=918978 expired. Closing PR. |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
5c185c3 to
232f71a
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
c0247f7 to
ce9b303
Compare
|
Upstream branch: c5d2bac |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
232f71a to
1eb3e68
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
ce9b303 to
ce2660e
Compare
|
Upstream branch: c5d2bac |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
1eb3e68 to
19b0f00
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
ce2660e to
0cdd956
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
0cdd956 to
b0c73ce
Compare
Introduct new xattr name prefix security.bpf., and enable reading these xattrs from bpf kfuncs bpf_get_[file|dentry]_xattr(). As we are on it, correct the comments for return value of bpf_get_[file|dentry]_xattr(), i.e. return length the xattr value on success. Signed-off-by: Song Liu <[email protected]> Acked-by: Christian Brauner <[email protected]> Reviewed-by: Jan Kara <[email protected]>
Extend test_progs fs_kfuncs to cover different xattr names. Specifically: xattr name "user.kfuncs" and "security.bpf.xxx" can be read from BPF program with kfuncs bpf_get_[file|dentry]_xattr(); while "security.bpf" and "security.selinux" cannot be read. Signed-off-by: Song Liu <[email protected]>
Add bpf_lsm_inode_removexattr and bpf_lsm_inode_post_removexattr to list sleepable_lsm_hooks. These two hooks are always called from sleepable context. Signed-off-by: Song Liu <[email protected]>
Polymorphism exists in kernel functions, BPF helpers, as well as kfuncs. When called from different contexts, it is necessary to pick the right version of a kfunc. One of such example is bpf_dynptr_from_skb vs. bpf_dynptr_from_skb_rdonly. To avoid the burden on the users, the verifier can inspect the calling context and select the right version of kfunc. However, with more kfuncs being added to the kernel, it is not scalable to push all these logic to the verifiler. Extend btf_kfunc_id_set to handle kfunc polymorphism. Specifically, a list of kfuncs, "hidden_set", and a new method "remap" is added to btf_kfunc_id_set. kfuncs in hidden_set do not have BTF_SET8_KFUNCS flag, and are not exposed in vmlinux.h. The remap method is used to inspect the calling context, and when necessary, remap the user visible kfuncs (for example, bpf_dynptr_from_skb), to its hidden version (for example, bpf_dynptr_from_skb_rdonly). The verifier calls in these remap logic via the new btf_kfunc_id_remap() API, and picks the right kfuncs for the context. Signed-off-by: Song Liu <[email protected]>
btf_kfunc_id_set.remap can pick proper version of a kfunc for the calling context. Use this logic to select bpf_dynptr_from_skb or bpf_dynptr_from_skb_rdonly. This will make the verifier simpler. Unfortunately, btf_kfunc_id_set.remap cannot cover the DYNPTR_TYPE_SKB logic in check_kfunc_args(). This can be addressed later. Signed-off-by: Song Liu <[email protected]>
Add the following kfuncs to set and remove xattrs from BPF programs: bpf_set_dentry_xattr bpf_remove_dentry_xattr bpf_set_dentry_xattr_locked bpf_remove_dentry_xattr_locked The _locked version of these kfuncs are called from hooks where dentry->d_inode is already locked. Instead of requiring the user to know which version of the kfuncs to use, the verifier will pick the proper kfunc based on the calling hook. Signed-off-by: Song Liu <[email protected]>
|
Upstream branch: c5d2bac |
Two sets of tests are added to exercise the not _locked and _locked version of the kfuncs. For both tests, user space accesses xattr security.bpf.foo on a testfile. The BPF program is triggered by user space access (on LSM hook inode_[set|get]_xattr) and sets or removes xattr security.bpf.bar. Then user space then validates that xattr security.bpf.bar is set or removed as expected. Note that, in both tests, the BPF programs use the not _locked kfuncs. The verifier picks the proper kfuncs based on the calling context. Signed-off-by: Song Liu <[email protected]>
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
19b0f00 to
d80c70d
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
3 times, most recently
from
aee9254 to
da86bde
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=919642 irrelevant now. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: Enable writing xattr from BPF programs
version: 4
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=918509