Received: by 10.223.185.116 with SMTP id b49csp3674224wrg;
        Tue, 6 Mar 2018 03:08:05 -0800 (PST)
X-Google-Smtp-Source: AG47ELtteIoX3DkSt9KFhF3qVf3AuFSIFJvbG7hfjqSZPiBWbj2qg3taCSrga/dPgLzoUGfMYo22
X-Received: by 10.99.170.73 with SMTP id x9mr14852228pgo.393.1520334485568;
        Tue, 06 Mar 2018 03:08:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520334485; cv=none;
        d=google.com; s=arc-20160816;
        b=YIolZhZ1cOlpGtFSx5HiMOaT6OAqoEimmY+Ro9ajhAzcdMTpUdjzfry4097657Nahv
         juNdCOkqrv2yN4uTJDFPBjadwi1Yq6IHs2kRvx9+WZ5ZrLw61Nb4cOvrNaKed2O/djap
         Oa6ncoHUKnHNq8laQsS35keEPkfzYB/LPdP4qvY67sUzk1QOdyoX7rJ6TEVtzfFTQyR2
         zSDT/L5l5Wyv6vH5Y3IE7tS5mGUyO5a9NV2dr5ARsn9496sEXf6SQn43+keNDFT5Cwnx
         alcnto7VtVlLPiCBo7/LbPTjde/Q0BuxG6oPGStkkuudkOcFa1/eCJoAcY7hNj9t6aTB
         +adQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=2YD0491dWCOEFf+rf0CH4JtVpWX+EeNXkdX/TiF+geo=;
        b=ayo81XG8FyWNCiXmArpLidByl6ZinTDcReze7UkH+ZyknPjiJFQzL1D2sud2qIojec
         P6KZZh88DE9eqxTO2rKtL3JvXtfaSTfJD6wQJgIIOJVma+LCirVwlJTmZGLBYzKT994N
         sDmXHvFex07IIt+rMArGip3XdmSeHh+vfolm4BUrjhZVRFtdi2hRlZ++TT+A4Nynwvyg
         2Adqos2f1EpWNH3TYfz2VDimJbxmXCsm8eMdPVKGTjcFy6hGDyLsO0LIrS/Zq/RRQDsY
         wYzi30NKGzA2820nOKBiBZztHGHpzsTicquWEXsi/uaLjbRQ0hB8hy0p3QWsugPgI9DK
         4Chg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f62-v6si10847940plb.313.2018.03.06.03.07.51;
        Tue, 06 Mar 2018 03:08:05 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753517AbeCFLFt (ORCPT <rfc822;huangleihappily@gmail.com>
        + 99 others); Tue, 6 Mar 2018 06:05:49 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:47362 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753236AbeCFLFr (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 6 Mar 2018 06:05:47 -0500
Received: from localhost (unknown [185.236.200.248])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 68E15F8E;
        Tue,  6 Mar 2018 11:05:46 +0000 (UTC)
Date:   Tue, 6 Mar 2018 03:05:49 -0800
From:   Greg KH <gregkh@linuxfoundation.org>
To:     Alexei Starovoitov <ast@kernel.org>
Cc:     davem@davemloft.net, daniel@iogearbox.net,
        torvalds@linux-foundation.org, mcgrof@kernel.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        kernel-team@fb.com, linux-api@vger.kernel.org
Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf
 binaries
Message-ID: <20180306110549.GB31087@kroah.com>
References: <20180306013457.1955486-1-ast@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180306013457.1955486-1-ast@kernel.org>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 05, 2018 at 05:34:57PM -0800, Alexei Starovoitov wrote:
> As the first step in development of bpfilter project [1] the request_module()
> code is extended to allow user mode helpers to be invoked. Idea is that
> user mode helpers are built as part of the kernel build and installed as
> traditional kernel modules with .ko file extension into distro specified
> location, such that from a distribution point of view, they are no different
> than regular kernel modules. Thus, allow request_module() logic to load such
> user mode helper (umh) modules via:
> 
>   request_module("foo") ->
>     call_umh("modprobe foo") ->
>       sys_finit_module(FD of /lib/modules/.../foo.ko) ->
>         call_umh(struct file)
> 
> Such approach enables kernel to delegate functionality traditionally done
> by kernel modules into user space processes (either root or !root) and
> reduces security attack surface of such new code, meaning in case of
> potential bugs only the umh would crash but not the kernel. Another
> advantage coming with that would be that bpfilter.ko can be debugged and
> tested out of user space as well (e.g. opening the possibility to run
> all clang sanitizers, fuzzers or test suites for checking translation).
> Also, such architecture makes the kernel/user boundary very precise:
> control plane is done by the user space while data plane stays in the kernel.
> 
> It's easy to distinguish "umh module" from traditional kernel module:
> 
> $ readelf -h bld/net/bpfilter/bpfilter.ko|grep Type
>   Type:                              EXEC (Executable file)
> $ readelf -h bld/net/ipv4/netfilter/iptable_filter.ko |grep Type
>   Type:                              REL (Relocatable file)

Any chance you can add a field to your "umh module" type such that a
normal 'modinfo' program will be able to notice it is different easily?

> Since umh can crash, can be oom-ed by the kernel, killed by admin,
> the subsystem that uses them (like bpfilter) need to manage life
> time of umh on its own, so module infra doesn't do any accounting
> of them. They don't appear in "lsmod" and cannot be "rmmod".
> Multiple request_module("umh") will load multiple umh.ko processes.
> 
> Similar to kernel modules the kernel will be tainted if "umh module"
> has invalid signature.

Shouldn't we fail to load the "module" if the signature is not valid if
CONFIG_MODULE_SIG_FORCE=y is enabled, like we do for modules?  I run my
systems like that, and just "warning" isn't probably a good idea for
systems that want to enforce that everything is signed properly?

Other than that, one minor question:

> @@ -1745,7 +1745,9 @@ static int do_execveat_common(int fd, struct filename *filename,
>  	sched_exec();
>  
>  	bprm->file = file;
> -	if (fd == AT_FDCWD || filename->name[0] == '/') {
> +	if (!filename) {
> +		bprm->filename = "/dev/null";

Why the use of "/dev/null" for the filename here, and elsewhere in the
code?  While I'm "sure" that everyone really does have /dev/null/
mounted in the root namespace, what is the use of it here?

Also, what "namespace" does this usermode helper run in?  I'm guessing
the "root" one, which is fine with me, but note that people have
complained in the past about other UMH running in that namespace and not
in the specific namespace of the "container" that they wanted it to run
in.

Anyway, this is crazy stuff, but I like the idea and have no objection
to it overall :)

thanks,

greg k-h