Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp7369672yba;
        Thu, 2 May 2019 08:43:29 -0700 (PDT)
X-Google-Smtp-Source: APXvYqy/dyRg6FK0l4NHWMefEjo6sTZ0I6E0B74CZOyKXDVu9UhvCFephSOC/HR0bfCuGwbdzlSP
X-Received: by 2002:aa7:8096:: with SMTP id v22mr4939257pff.94.1556811809126;
        Thu, 02 May 2019 08:43:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1556811809; cv=none;
        d=google.com; s=arc-20160816;
        b=PiEzw2hU6sG+iwEwMgvlUsVA5wHYQnLsUcwu0x5l88zeAuaRgw8Xb2zNjvo8S4dw7e
         VSs9hcS2U7N3tNdaIOLB4Vi+6WkB+RdzegAS7GjizzB/Oe6GVLDXWkPNiBSlPlyZrYIj
         CUhH3ORHKdlE0pkPKRbaToR8YEz2FIFeSZbTquZvGSvSwIqtQg6Lb2s5qGKDtfRV1ffS
         X6hdPZdpJo1mQXhczXGl8CP6hWrTqxNi7OW0lagNC4F/6QWv7znqBbBAf0gUYraldxLP
         dfrvxjaLvVdbe9xfsxW4/JWguh8EOSdX0OrAEheLvrWFA9yN7/QvmbYWqvjKf0CivaBX
         jCew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id;
        bh=AawFKGVCXye5esD+afIUiVsD/uHjkrsFSjjsH8P+V1U=;
        b=H+R3RVpjU+K1byABmzevjoSBOjWLjAtaVvzDdmLDzwfDox0fLIXdtT6Tg02xQ/MXKJ
         0IdBN+y7uj1uvhCmvhX0rLxatnN7WvoA+jVa9+qHhgjfBS+86YRf705YNWOnTtUO1SwV
         zUyFhewmT3Dzy0EKa7AHWT7BZb6SGO7OWlqQ82dlXfKuA6paNcLSz7BkNYm+A5AkVJi/
         mMxvQqdqNXiboe2aYwndkAs3xntYp1/P9izv4kd73MQmuv5/foYGxg1EEjdmeC3BxCb7
         7+sIqLsLsIELbKa9JAxpN0upGiGsfmKnxYOoqTqs5/8jrmbWBXId0CL2Mkf+AztB1Nru
         noNA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id cj5si40350621plb.76.2019.05.02.08.43.14;
        Thu, 02 May 2019 08:43:29 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728692AbfEBPkq (ORCPT <rfc822;xqjcool@gmail.com> + 99 others);
        Thu, 2 May 2019 11:40:46 -0400
Received: from s3.sipsolutions.net ([144.76.43.62]:59304 "EHLO
        sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728322AbfEBP3E (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 2 May 2019 11:29:04 -0400
Received: by sipsolutions.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.92)
        (envelope-from <johannes@sipsolutions.net>)
        id 1hMDdr-0006zB-2J; Thu, 02 May 2019 17:28:59 +0200
Message-ID: <d0cfa4c1a17c336f1ad48a31897787469c302092.camel@sipsolutions.net>
Subject: Re: [PATCH net-next 1/3] genetlink: do not validate dump requests
 if there is no policy
From:   Johannes Berg <johannes@sipsolutions.net>
To:     David Ahern <dsahern@gmail.com>, Michal Kubecek <mkubecek@suse.cz>
Cc:     "David S. Miller" <davem@davemloft.net>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Date:   Thu, 02 May 2019 17:28:57 +0200
In-Reply-To: <fd3b0c89-2475-166d-e2b8-1479af7b79bc@gmail.com> (sfid-20190502_153641_028378_FAA2A3FF)
References: <cover.1556798793.git.mkubecek@suse.cz>
         <0a54a4db49c20e76a998ea3e4548b22637fbad34.1556798793.git.mkubecek@suse.cz>
         <031933f3fc4b26e284912771b480c87483574bea.camel@sipsolutions.net>
         <20190502131023.GD21672@unicorn.suse.cz>
         <ab9b48a0e21d0a9e5069045c23db36f43e4356e3.camel@sipsolutions.net>
         <20190502133231.GF21672@unicorn.suse.cz>
         <fd3b0c89-2475-166d-e2b8-1479af7b79bc@gmail.com>
         (sfid-20190502_153641_028378_FAA2A3FF)
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5 (3.28.5-2.fc28) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2019-05-02 at 07:36 -0600, David Ahern wrote:
> On 5/2/19 7:32 AM, Michal Kubecek wrote:
> > Wouldn't it mean effecitvely ending up with only one command (in
> > genetlink sense) and having to distinguish actual commands with
> > atributes? Even if I wanted to have just "get" and "set" command, common
> > policy wouldn't allow me to say which attributes are allowed for each of
> > them.
> 
> yes, I have been stuck on that as well.
> 
> There are a number of RTA attributes that are only valid for GET
> requests or only used in the response or only valid in NEW requests.
> Right now there is no discriminator when validating policies and the
> patch set to expose the policies to userspace

Yeah. As I've been discussing with Pablo in various threads recently,
this is definitely something we're missing.

As I said there though, I think it's something we should treat as
orthogonal to the policies.

I haven't looked at your ethtool patches really now (if you have a git
tree that'd be nice), but I saw e.g.

+When appropriate, network device is identified by a nested attribute named
+ETHA_*_DEV. This attribute can contain
+
+    ETHA_DEV_INDEX	(u32)		device ifindex
+    ETHA_DEV_NAME	(string)	device name

Presumably, this is valid for each and every command, right?

I'm not sure I understand the "ETHA_*_DEV" part, but splitting the
policy per command means that things like this that are available/valid
for each command need to be stated over and over again. This opens up
the very easy possibility that you have one command that takes an
ETHA_DEV_INDEX as u32, and another that - for some reason - takes a u64
for example, or similar confusion between the same attribute stated in
different policies.

This is why I believe that when we have a flat namespace for attributes,
like ETHA_*, we should also have a flat policy for those attributes, and
that's why I made the genetlink to have a single policy.

At the same time, I do realize that this is not ideal. So far I've sort
of pushed this to be something that we should treat orthogonally to the
validation for the above reasons, i.e. *not* state this specifically in
the policy.

If we were able to express this in C, I'd probably say we should have
something like

static const struct genl_ops ops[] = {
        {
                .cmd = MY_CMD,
                .doit = my_cmd_doit,
		.valid_attrs = { MY_ATTR_A, MY_ATTR_B },
        },

	...
};

However, there's no way to express this in C code, except for

static const u16 my_cmd_valid_attrs[] = { MY_ATTR_A, MY_ATTR_B, 0 };

static const struct genl_ops ops[] = {
        {
                .cmd = MY_CMD,
                .doit = my_cmd_doit,
		.valid_attrs = my_cmd_valid_attrs,
        },

	...
};

which is clearly ugly to write. We could generate this code from a
domain-specific language like Pablo suggested, but I'm not really sure
that's ideal either.


Regardless, I think we should solve this problem orthogonally from the
policy, given that otherwise we can end up with the same attribute
meaning different things in different commands.

johannes