Received: by 10.192.165.148 with SMTP id m20csp803240imm; Fri, 4 May 2018 21:49:09 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoLTQ4/1LKm/aQXiSvXtggh+LRcXqURHFV8SPpw8t+A17rFGo7zPUKxAupFbdZreEnXNhNc X-Received: by 2002:a63:5fd1:: with SMTP id t200-v6mr24818589pgb.246.1525495749325; Fri, 04 May 2018 21:49:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525495749; cv=none; d=google.com; s=arc-20160816; b=eqBuy3a+INqxVsT40EFugfwa9PotPsFNjRJmow/DarSae+9IONDYcfdiQwJnyNBE7l 3jwDZjY9KFtARj63HZzT3CRhqo+bzzUdMAlOSlzpPC/lA4+VHoKvJq+Gg9ObaOei14lI gDArBdFH3vUGACgSRk3t9SYxu5gHx+9pYyQFuHnmqIrZBQkbHhajHqABalZb2sKLEkD+ n6wLS1ADzK7261Q3S5Wn/DXH87M1y0LjQ+cMv+FK7FPuBquD3wiWgLBtTojCgzohJtz7 /LlRPWMJ9I7GLOQmGY3N7hZTQ7FWrVfBnNe90YkVB32FVKmEl9I1KZGH9zGM28H7gyPo NLKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=hCkhHmb+llL4+j2cXiIusDBCpytyec57sQ6h2J/br6A=; b=ADp297kDWtowX168MAJItpL0U6x+IM3uMYED8x9kCEpt3rz7BnE/OTnKBMDiWZjrkB a7UWj+1sHVxW3w6vhCJbn89oNgOanxoCPCaWIm3rwIcmk9qX97aXielrbGsCg+Kc8ziu 73eNSmML0ySmCgXhMMKqpBKvpiET4MeFcsBKQnN9E/sCI59e+5+eH3c0zfetVu1M9FNW GN/hjEqYTJh57rsHU8ZRKFnf9SJNvuAtTwz0PyXI/2cSvJFS8e8vcasLp8t71j2VGc6a 5Qor72/jsXzx4395FdECafksg002TA87pCxxSoiE/Riel1Y81AyVgdOgMkmyGPZYqTV9 fRCw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=jGs+AHnD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o4-v6si8135281plk.321.2018.05.04.21.48.53; Fri, 04 May 2018 21:49:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=jGs+AHnD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751270AbeEEEsr (ORCPT + 99 others); Sat, 5 May 2018 00:48:47 -0400 Received: from mail-oi0-f68.google.com ([209.85.218.68]:41292 "EHLO mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750764AbeEEEsp (ORCPT ); Sat, 5 May 2018 00:48:45 -0400 Received: by mail-oi0-f68.google.com with SMTP id 11-v6so20909342ois.8 for ; Fri, 04 May 2018 21:48:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=hCkhHmb+llL4+j2cXiIusDBCpytyec57sQ6h2J/br6A=; b=jGs+AHnDu5GkBuSw082AJWDctELXPAuRPA8HTVMdJpD+Oh6uaARDQKC10b220sfK2r WxAZwDXQGyc7wSDso89e4CBTLIX1/qXR+1Ol0TEz593T9s9sxiIExa43DYE13mtlsiJY +yoiTUdW51XceT3Gsa2ThhWt8g8w4iX2FfvGC4AvO14C1ZlqT7CTY8R8ZkvEm/9OrQdR mQcgX1JCj6//+snv/Um4SZ518uICptB40KX2BBUm81lzjsMBtPWq7L6pIgdhrsxmQNrR OG80+zCWjEB6HGIKXK7LcoJRY21IbCnsaTNmO7vXfJB3FH5z4pixoIzc6H66E0F6C63n hLbQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=hCkhHmb+llL4+j2cXiIusDBCpytyec57sQ6h2J/br6A=; b=nfdi1zNEyzHNFD54DGviYEsgT1T9OBRvi9f1Ym3gCX5sEgF/TIjCrH1vCsD99z8o3c DW7fs9xv9A/sjTk61V8XUyVdqFb9omd7nrOUjY3NeHdidfd+nOZxuD/P+MA55PLk+Dnv nhwCeI9MK5JNmTOktrsHkCfCk0yeU8GDSDKkgtMCcuXbCxXZ7x0xz1+8hRWbgvwxc56t Kt12mfryAs7fGe5qa+OiToybu+hHKJIzrEVl5AjDTpYIwqediiIRwKqVooPZVaiNWEyk MioxN7KDVnhAR8n3Sqf4zgp+a2ZOTe3JQzO9ZEf40jnga0VaSrLVZ7SSfru4qPVKEK3+ QMvQ== X-Gm-Message-State: ALQs6tCAshQvEyLdNuhPfi60NPJBbx43VQV60i8eqE2IvDp8PQgaj9rY m+56DLBvMrcdzsYhCYloCuVuaT7iqPzYS4fIdlMTHw== X-Received: by 2002:aca:ab46:: with SMTP id u67-v6mr19228728oie.272.1525495724747; Fri, 04 May 2018 21:48:44 -0700 (PDT) MIME-Version: 1.0 Received: by 10.74.145.144 with HTTP; Fri, 4 May 2018 21:48:24 -0700 (PDT) In-Reply-To: <20180503043604.1604587-2-ast@kernel.org> References: <20180503043604.1604587-1-ast@kernel.org> <20180503043604.1604587-2-ast@kernel.org> From: Jann Horn Date: Sat, 5 May 2018 00:48:24 -0400 Message-ID: Subject: Re: [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob() helper To: Alexei Starovoitov Cc: "David S. Miller" , Daniel Borkmann , Linus Torvalds , Greg Kroah-Hartman , Andy Lutomirski , Network Development , kernel list , kernel-team@fb.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 3, 2018 at 12:36 AM, Alexei Starovoitov wrote: > Introduce helper: > int fork_usermode_blob(void *data, size_t len, struct umh_info *info); > struct umh_info { > struct file *pipe_to_umh; > struct file *pipe_from_umh; > pid_t pid; > }; > > that GPLed kernel modules (signed or unsigned) can use it to execute part > of its own data as swappable user mode process. > > The kernel will do: > - mount "tmpfs" > - allocate a unique file in tmpfs > - populate that file with [data, data + len] bytes > - user-mode-helper code will do_execve that file and, before the process > starts, the kernel will create two unix pipes for bidirectional > communication between kernel module and umh > - close tmpfs file, effectively deleting it > - the fork_usermode_blob will return zero on success and populate > 'struct umh_info' with two unix pipes and the pid of the user process > > As the first step in the development of the bpfilter project > the fork_usermode_blob() helper is introduced to allow user mode code > to be invoked from a kernel module. The idea is that user mode code plus > normal kernel module code are built as part of the kernel build > and installed as traditional kernel module into distro specified location, > such that from a distribution point of view, there is > no difference between regular kernel modules and kernel modules + umh code. > Such modules can be signed, modprobed, rmmod, etc. The use of this new helper > by a kernel module doesn't make it any special from kernel and user space > tooling point of view. [...] > +static struct vfsmount *umh_fs; > + > +static int init_tmpfs(void) > +{ > + struct file_system_type *type; > + > + if (umh_fs) > + return 0; > + type = get_fs_type("tmpfs"); > + if (!type) > + return -ENODEV; > + umh_fs = kern_mount(type); > + if (IS_ERR(umh_fs)) { > + int err = PTR_ERR(umh_fs); > + > + put_filesystem(type); > + umh_fs = NULL; > + return err; > + } > + return 0; > +} Should init_tmpfs() be holding some sort of mutex if it's fiddling with `umh_fs`? The current code only calls it in initcall context, but if that ever changes and two processes try to initialize the tmpfs at the same time, a few things could go wrong. I guess Luis' suggestion (putting a call to init_tmpfs() in do_basic_setup()) might be the easiest way to get rid of that problem. > +static int alloc_tmpfs_file(size_t size, struct file **filp) > +{ > + struct file *file; > + int err; > + > + err = init_tmpfs(); > + if (err) > + return err; > + file = shmem_file_setup_with_mnt(umh_fs, "umh", size, VM_NORESERVE); > + if (IS_ERR(file)) > + return PTR_ERR(file); > + *filp = file; > + return 0; > +}