Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp1399472ybi; Wed, 17 Jul 2019 14:42:33 -0700 (PDT) X-Google-Smtp-Source: APXvYqwvzglcKAKbVukse2A/n7hBicDrWxkTdgV7qlbFPnqM6tWwlVA73S2SvKt5J9vliiI+NgNU X-Received: by 2002:a17:902:7686:: with SMTP id m6mr45721005pll.239.1563399753579; Wed, 17 Jul 2019 14:42:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563399753; cv=none; d=google.com; s=arc-20160816; b=V+92H4ORDd0YfqxYIq4OAPDZ40BVBVKEanxNwyU52SA7qQWadlA4hiu7lYH6Nd/q2U NrvTshMZgCo4zshMc/nmYYclFmlWwcurBwAVlatYkaTtDgOi97GlapAX2zOTspnPKgWY 05zsqgYYibP30sk/BZxCZUtJMWvZwWRncEa25xWBZ1H9wENLbHhP4KE5r+1cihGM+tx0 g86B2wNxy3BBcOXLSAm86S2rTm+qQlGassyyhUuEp6CNUK2jU75s8d1oCWhbZTHFTjIA ZHG0oa1jBwkmaZNgwrLt6QmNaRNRtPv4O88H9wubObJ7jZg70RZgVszQeU8aZpdOAiGe A0Nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=AUNlCsTwwbO9HSCCZ59q/nRyBLJZ8Uq2qfPS4sjf2bw=; b=vdZPteTZO+gqIwZcrV2q/A5X8YLr2AfwH03SRBnxLofoSq++wbE3alH7r/ehD/HpAu KF7E426myrlau2bJf2p5lIZsIHasEE9Kcu9AoPKoePK5wmdAtG0UEbV7jWymFyph6Hck Aaj2K/wdKxAdSMZZa+Z6U8p+zwCUqP7Xd8fY4AMKnrbqIrdVwNIFDGD0ppBwJiDrf8qf 5etGgJZXaVJnRAhQ6W4LcL3L3X5jh3JkwAkqPDa2zxgeAHqHhH6aIUui/mERR48LanYn sNyRaSmBKdLf0w61eD98tbDrifOEqcAGjfxhJIlK5+LNO/85QRnUDLpWswl0ii0OfOsG Nf6Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=PvVtUppY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g3si177689pgo.241.2019.07.17.14.42.17; Wed, 17 Jul 2019 14:42:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=PvVtUppY; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729151AbfGQVk6 (ORCPT + 99 others); Wed, 17 Jul 2019 17:40:58 -0400 Received: from mail-lf1-f66.google.com ([209.85.167.66]:41383 "EHLO mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727205AbfGQVk5 (ORCPT ); Wed, 17 Jul 2019 17:40:57 -0400 Received: by mail-lf1-f66.google.com with SMTP id 62so12704321lfa.8; Wed, 17 Jul 2019 14:40:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AUNlCsTwwbO9HSCCZ59q/nRyBLJZ8Uq2qfPS4sjf2bw=; b=PvVtUppYSVSwPllMj/jefCGyUXmYsbq6cX8TAneIQFzhUiVapI8hru8mlyNoC1u5cY kX0Fh/e0s20T4TxxryeP7pGijakb1+2YdLXRE836V7aR5S8LhCEEkiQoN0qYmYcwMnko /0S8dTbyNZsgIWvBArjoqFlsuFw2Lc3AsiWZz2bAcMQWXq7U57KwuOtNibxmbR60yDUl Eyc7EU4tm4scELD6aH/zUdw+yvK+WWBqrywcxkxbaS4egkHu9G1CxgDtOpKE83fwjjFP I/It7qlp21yZ4EYrAlzZ4zRz/eH4Z55hmQ+JQm5z0gURy7ijBQytnqwnQ88yGsJ5pmHz 1gLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AUNlCsTwwbO9HSCCZ59q/nRyBLJZ8Uq2qfPS4sjf2bw=; b=m5o9QuO1H7TfMswqt524XohYFRr8D4xXAxdeLspAxujKvnNCDmubYsFXTZ7TbrB4Nr 0qzO8VP5YQ42cQzeyZVNssPeL0ngPpdN9QvuVtNM+STWg6bqOW0E5I61UOBfPIkGjH7P 9EJco8AKarsgbwHT5qn4VvcGXcgtGCKBsA7OtVpRNwAdA6fdTS5mmlIuJzyypacpY4Rm knm8SdXq8gjou/04TULQFu7IbboUr9EN7AG4WNs36/uFe5dv5u1N/gQ4E6cX73xtgca/ yCouP9gcTkQ69Y3xUCZQtxjOQDWnC0SPDaMLr4JZmpafEweyryZpEI6kdPgj/Y5IT+e1 p5kA== X-Gm-Message-State: APjAAAUKPuRCfLaAKoalqRSxXI6wCazuiNix7Lzfrgkfj6UIAolg2VQt wRd5y/45rHWW8hAeRe1vcGXoWvQHd3oSniPsbIBMjbSx X-Received: by 2002:ac2:4351:: with SMTP id o17mr18944366lfl.100.1563399654721; Wed, 17 Jul 2019 14:40:54 -0700 (PDT) MIME-Version: 1.0 References: <20190710141548.132193-1-joel@joelfernandes.org> <20190716205455.iimn3pqpvsc3k4ry@ast-mbp.dhcp.thefacebook.com> <20190716213050.GA161922@google.com> <20190716222650.tk2coihjtsxszarf@ast-mbp.dhcp.thefacebook.com> <20190716224150.GC172157@google.com> <20190716235500.GA199237@google.com> <20190717012406.lugqemvubixfdd6v@ast-mbp.dhcp.thefacebook.com> <20190717130119.GA138030@google.com> In-Reply-To: <20190717130119.GA138030@google.com> From: Alexei Starovoitov Date: Wed, 17 Jul 2019 14:40:42 -0700 Message-ID: Subject: Re: [PATCH RFC 0/4] Add support to directly attach BPF program to ftrace To: Joel Fernandes Cc: LKML , bpf , Daniel Borkmann , Android Kernel Team , Network Development , Steven Rostedt Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 17, 2019 at 6:01 AM Joel Fernandes wrote: I trimmed cc. some emails were bouncing. > > I think allowing one tracepoint and disallowing another is pointless > > from security point of view. Tracing bpf program can do bpf_probe_read > > of anything. > > I think the assumption here is the user controls the program instructions at > runtime, but that's not the case. The BPF program we are loading is not > dynamically generated, it is built at build time and it is loaded from a > secure verified partition, so even though it can do bpf_probe_read, it is > still not something that the user can change. so you're saying that by having a set of signed bpf programs which instructions are known to be non-malicious and allowed set of tracepoints to attach via selinux whitelist, such setup will be safe? Have you considered how mix and match will behave? > And, we are planning to make it > even more secure by making it kernel verify the program at load time as well > (you were on some discussions about that a few months ago). It sounds like api decisions for this sticky raw_tp feature are driven by security choices which are not actually secure. I'm suggesting to avoid bringing up point of security as a reason for this api design, since it's making the opposite effect.