Received: by 10.223.185.116 with SMTP id b49csp3674224wrg; Tue, 6 Mar 2018 03:08:05 -0800 (PST) X-Google-Smtp-Source: AG47ELtteIoX3DkSt9KFhF3qVf3AuFSIFJvbG7hfjqSZPiBWbj2qg3taCSrga/dPgLzoUGfMYo22 X-Received: by 10.99.170.73 with SMTP id x9mr14852228pgo.393.1520334485568; Tue, 06 Mar 2018 03:08:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520334485; cv=none; d=google.com; s=arc-20160816; b=YIolZhZ1cOlpGtFSx5HiMOaT6OAqoEimmY+Ro9ajhAzcdMTpUdjzfry4097657Nahv juNdCOkqrv2yN4uTJDFPBjadwi1Yq6IHs2kRvx9+WZ5ZrLw61Nb4cOvrNaKed2O/djap Oa6ncoHUKnHNq8laQsS35keEPkfzYB/LPdP4qvY67sUzk1QOdyoX7rJ6TEVtzfFTQyR2 zSDT/L5l5Wyv6vH5Y3IE7tS5mGUyO5a9NV2dr5ARsn9496sEXf6SQn43+keNDFT5Cwnx alcnto7VtVlLPiCBo7/LbPTjde/Q0BuxG6oPGStkkuudkOcFa1/eCJoAcY7hNj9t6aTB +adQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=2YD0491dWCOEFf+rf0CH4JtVpWX+EeNXkdX/TiF+geo=; b=ayo81XG8FyWNCiXmArpLidByl6ZinTDcReze7UkH+ZyknPjiJFQzL1D2sud2qIojec P6KZZh88DE9eqxTO2rKtL3JvXtfaSTfJD6wQJgIIOJVma+LCirVwlJTmZGLBYzKT994N sDmXHvFex07IIt+rMArGip3XdmSeHh+vfolm4BUrjhZVRFtdi2hRlZ++TT+A4Nynwvyg 2Adqos2f1EpWNH3TYfz2VDimJbxmXCsm8eMdPVKGTjcFy6hGDyLsO0LIrS/Zq/RRQDsY wYzi30NKGzA2820nOKBiBZztHGHpzsTicquWEXsi/uaLjbRQ0hB8hy0p3QWsugPgI9DK 4Chg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f62-v6si10847940plb.313.2018.03.06.03.07.51; Tue, 06 Mar 2018 03:08:05 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753517AbeCFLFt (ORCPT + 99 others); Tue, 6 Mar 2018 06:05:49 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:47362 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753236AbeCFLFr (ORCPT ); Tue, 6 Mar 2018 06:05:47 -0500 Received: from localhost (unknown [185.236.200.248]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 68E15F8E; Tue, 6 Mar 2018 11:05:46 +0000 (UTC) Date: Tue, 6 Mar 2018 03:05:49 -0800 From: Greg KH To: Alexei Starovoitov Cc: davem@davemloft.net, daniel@iogearbox.net, torvalds@linux-foundation.org, mcgrof@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@fb.com, linux-api@vger.kernel.org Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries Message-ID: <20180306110549.GB31087@kroah.com> References: <20180306013457.1955486-1-ast@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180306013457.1955486-1-ast@kernel.org> User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Mar 05, 2018 at 05:34:57PM -0800, Alexei Starovoitov wrote: > As the first step in development of bpfilter project [1] the request_module() > code is extended to allow user mode helpers to be invoked. Idea is that > user mode helpers are built as part of the kernel build and installed as > traditional kernel modules with .ko file extension into distro specified > location, such that from a distribution point of view, they are no different > than regular kernel modules. Thus, allow request_module() logic to load such > user mode helper (umh) modules via: > > request_module("foo") -> > call_umh("modprobe foo") -> > sys_finit_module(FD of /lib/modules/.../foo.ko) -> > call_umh(struct file) > > Such approach enables kernel to delegate functionality traditionally done > by kernel modules into user space processes (either root or !root) and > reduces security attack surface of such new code, meaning in case of > potential bugs only the umh would crash but not the kernel. Another > advantage coming with that would be that bpfilter.ko can be debugged and > tested out of user space as well (e.g. opening the possibility to run > all clang sanitizers, fuzzers or test suites for checking translation). > Also, such architecture makes the kernel/user boundary very precise: > control plane is done by the user space while data plane stays in the kernel. > > It's easy to distinguish "umh module" from traditional kernel module: > > $ readelf -h bld/net/bpfilter/bpfilter.ko|grep Type > Type: EXEC (Executable file) > $ readelf -h bld/net/ipv4/netfilter/iptable_filter.ko |grep Type > Type: REL (Relocatable file) Any chance you can add a field to your "umh module" type such that a normal 'modinfo' program will be able to notice it is different easily? > Since umh can crash, can be oom-ed by the kernel, killed by admin, > the subsystem that uses them (like bpfilter) need to manage life > time of umh on its own, so module infra doesn't do any accounting > of them. They don't appear in "lsmod" and cannot be "rmmod". > Multiple request_module("umh") will load multiple umh.ko processes. > > Similar to kernel modules the kernel will be tainted if "umh module" > has invalid signature. Shouldn't we fail to load the "module" if the signature is not valid if CONFIG_MODULE_SIG_FORCE=y is enabled, like we do for modules? I run my systems like that, and just "warning" isn't probably a good idea for systems that want to enforce that everything is signed properly? Other than that, one minor question: > @@ -1745,7 +1745,9 @@ static int do_execveat_common(int fd, struct filename *filename, > sched_exec(); > > bprm->file = file; > - if (fd == AT_FDCWD || filename->name[0] == '/') { > + if (!filename) { > + bprm->filename = "/dev/null"; Why the use of "/dev/null" for the filename here, and elsewhere in the code? While I'm "sure" that everyone really does have /dev/null/ mounted in the root namespace, what is the use of it here? Also, what "namespace" does this usermode helper run in? I'm guessing the "root" one, which is fine with me, but note that people have complained in the past about other UMH running in that namespace and not in the specific namespace of the "container" that they wanted it to run in. Anyway, this is crazy stuff, but I like the idea and have no objection to it overall :) thanks, greg k-h