From: Andrii Nakryiko
Date: Mon, 23 Dec 2019 22:38:36 -0800
Subject: Re: [PATCH bpf-next v1 10/13] bpf: lsm: Handle attachment of the same program
To: KP Singh
Cc: open list, bpf, linux-security-module@vger.kernel.org, Alexei Starovoitov, Daniel Borkmann, James Morris, Kees Cook, Thomas Garnier, Michael Halcrow, Paul Turner, Brendan Gregg, Jann Horn, Matthew Garrett, Christian Brauner, Mickaël Salaün, Florent Revest, Brendan Jackman, Martin KaFai Lau, Song Liu, Yonghong Song, "Serge E. Hallyn", Mauro Carvalho Chehab, "David S. Miller", Greg Kroah-Hartman, Nicolas Ferre, Stanislav Fomichev, Quentin Monnet, Andrey Ignatov, Joe Stringer
References: <20191220154208.15895-1-kpsingh@chromium.org> <20191220154208.15895-11-kpsingh@chromium.org>
In-Reply-To: <20191220154208.15895-11-kpsingh@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Dec 20, 2019 at 7:42 AM KP Singh wrote:
>
> From: KP Singh
>
> Allow userspace to attach a newer version of a program without having
> duplicates of the same program.
>
> If BPF_F_ALLOW_OVERRIDE is passed, the attachment logic compares the
> name of the new program to the names of existing attached programs. The
> names are only compared till a "__" (or '\0', if there is no "__"). If
> a successful match is found, the existing program is replaced with the
> newer attachment.
>
> ./loader Attaches "env_dumper__v1" followed by "env_dumper__v2"
> to the bprm_check_security hook.
>
> ./loader
> ./loader
>
> Before:
>
> cat /sys/kernel/security/bpf/process_execution
> env_dumper__v1
> env_dumper__v2
>
> After:
>
> cat /sys/kernel/security/bpf/process_execution
> env_dumper__v2
>
> Signed-off-by: KP Singh
> ---

Andrey Ignatov just posted a patch set a few days ago solving a similar
problem for cgroup BPF programs. His approach was to actually also
specify the FD of the BPF program to be replaced. This seems like a more
reliable way than doing this based on name only. Please take a look at
that patch and see if the same approach can work for your use case.

> security/bpf/ops.c | 57 +++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 56 insertions(+), 1 deletion(-)
>

[...]