Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp962908ybm; Wed, 27 May 2020 12:17:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwBjYD3pFlA36KmkGO0Z71Cwe2ui81EEjUf9KU69HmzBU74XKOnw3l63UekpbT2H9etkWuP X-Received: by 2002:a17:906:d7ab:: with SMTP id pk11mr7342816ejb.280.1590607073023; Wed, 27 May 2020 12:17:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590607073; cv=none; d=google.com; s=arc-20160816; b=PuW+VBCPzAO1HyFHD0RRobcfxLHUbcN6T8IgDqwmleDywJ2jH1v+wmR1owTe6J2dY4 fjtBI1aEupiWUlbN5+xvfhfX/FjVVMs2vpTK7rXU4n9E4Vx+kegofKTDG18GPSkByuUY YraOd166Gn/VPdPy2LcOzzQ1TT6NoWOxHAmc5CVhqy7ZmS+MVTTMU695ElU9n5FhC1NZ HL1YdnJ+P5CWCXPpOMKJeM7EQiLy+5GyPjQXf+IeeK9NSc8l1bhAMePtqtDcknG/CR1N oD0UPxPBrQhLv8jV5guAtgEWZTs2/62CaUnM4NhpHPySwPsMKFosnOp6gSn5hVvUuVfK 1J3w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=N7BcF2YbmFlnYsgsgnhG+rP4MiM9BYbCfVaOcHA0CmE=; b=rJxa5LAamuMpEugXMrPBSyWBxPb21eA44ru3E0rqGRJtwafdpVG0Xjss8rPox3Xh/h gh2F8iuu5iCHTGQf4Dy6VikQarGFSwl/rPcVQzCD+qzZyjrawgLuT8FVPg5SonmCGiac 9CSaDJ20tS2ehHRoCN+khAT56t7rAmfCpRB+NFyNDOpjS7V03uRoHRoFX1wGH9+rPjqf iIJEaXifRYgqMayyXqr1ctwYuSbKFV8xekdHSH+2ZXqRtrR4ft8TpRbUCSUSCBcaxbWP KM88HbLYvU/NsEtQ5s19JGt2hg5INP35kgNIcG5wne+UUQnzatdhIF6Ib0+0I/eFzLF9 Y9iw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Qtq4RcWn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g11si2778010ejf.82.2020.05.27.12.17.29; Wed, 27 May 2020 12:17:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=Qtq4RcWn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729711AbgE0RJS (ORCPT + 98 others); Wed, 27 May 2020 13:09:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41242 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731167AbgE0RJR (ORCPT ); Wed, 27 May 2020 13:09:17 -0400 Received: from mail-wr1-x443.google.com (mail-wr1-x443.google.com [IPv6:2a00:1450:4864:20::443]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9D861C08C5C2 for ; Wed, 27 May 2020 10:09:17 -0700 (PDT) Received: by mail-wr1-x443.google.com with SMTP id x13so10142403wrv.4 for ; Wed, 27 May 2020 10:09:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=N7BcF2YbmFlnYsgsgnhG+rP4MiM9BYbCfVaOcHA0CmE=; b=Qtq4RcWnFirDNuZdCyVBt5tPFqmhvzYSUFkVjQjHkQBc6IkA+WeniGp5LmnT8OVVfB UE9q1ImGpjLTJce6qJy6hzRVPiHuV5AmS4EJxRkfHzrKJ9QHTdXlw8wjGUt2+zXOLkZn Se1DyUC2fMvdHcPa6G5vi/3874MVikhkzprOA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=N7BcF2YbmFlnYsgsgnhG+rP4MiM9BYbCfVaOcHA0CmE=; b=sRp3mEwEaAkV+HKpQjUuQvsp7BcvN4xpea9eepvvJa1/MO3gSwEz5nQ4FUK1i32c3W uv4umPI7U7l38eJtBl5dOfdiE9FJyCgAXkDsBPts8lkmunlTzf8zAE28bbPLsHckr1Kp j+gwPmuN9BLTJcbZU7YHscRKS5EG1HDh7dUn+cYT7qzTld8TVHrVQoikUodx3HaNaYBT IKssBJwBHG7XY6zm6bwAZlWFCRLnq9uHTknOzLIYUZ0K7k8BcbMJnRP7pnW1vmNfuRef NvP2UncOnBwvyvO8fOOaqyKY3BJ9tzp7qUqkrcmt0+dCVPCq8+X0rxUqxWlDbjeZ2MBp OkoQ== X-Gm-Message-State: AOAM531JM+rKGd+W/dqPc6LKrvHrgNJHbnQu3jUf4zJk8feS7urNITsj 1Rr1+UlBKpmp/SKxs/okQHw38BnOqyzlyOc28vFRGQ== X-Received: by 2002:a5d:4e88:: with SMTP id e8mr14770779wru.188.1590599356306; Wed, 27 May 2020 10:09:16 -0700 (PDT) MIME-Version: 1.0 References: <20200526163336.63653-1-kpsingh@chromium.org> <20200526163336.63653-3-kpsingh@chromium.org> <20200527050823.GA31860@infradead.org> <20200527123840.GA12958@google.com> In-Reply-To: From: KP Singh Date: Wed, 27 May 2020 19:09:05 +0200 Message-ID: Subject: Re: [PATCH bpf-next 2/4] bpf: Implement bpf_local_storage for inodes To: Casey Schaufler Cc: Christoph Hellwig , open list , linux-fsdevel@vger.kernel.org, bpf , Linux Security Module list , Alexei Starovoitov , Daniel Borkmann , James Morris , Alexander Viro , Martin KaFai Lau , Florent Revest Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 27, 2020 at 6:41 PM Casey Schaufler wrote: > > On 5/27/2020 5:38 AM, KP Singh wrote: > > On 26-May 22:08, Christoph Hellwig wrote: > >> On Tue, May 26, 2020 at 06:33:34PM +0200, KP Singh wrote: > >>> From: KP Singh > >>> > >>> Similar to bpf_local_storage for sockets, add local storage for inodes. > >>> The life-cycle of storage is managed with the life-cycle of the inode. > >>> i.e. the storage is destroyed along with the owning inode. > >>> > >>> Since, the intention is to use this in LSM programs, the destruction is > >>> done after security_inode_free in __destroy_inode. > >> NAK onbloating the inode structure. Please find an out of line way > >> to store your information. > > The other alternative is to use lbs_inode (security blobs) and we can > > do this without adding fields to struct inode. > > This is the correct approach, and always has been. This isn't the > first ( or second :( ) case where the correct behavior for an LSM > has been pretty darn obvious, but you've taken a different approach > for no apparent reason. > > > Here is a rough diff (only illustrative, won't apply cleanly) of the > > changes needed to this patch: > > > > https://gist.github.com/sinkap/1d213d17fb82a5e8ffdc3f320ec37d79 > > To do just a little nit-picking, please use bpf_inode() instead of > bpf_inode_storage(). This is in keeping with the convention used by > the other security modules. Sticking with the existing convention > makes it easier for people (and tools) that work with multiple > security modules. > > > Once tracing has gets a whitelist based access to inode storage, I > > guess it, too, can use bpf_local_storage for inodes > > Only within the BPF module. Your sentence above is slightly garbled, > so I'm not really sure what you're saying, but if you're suggesting > that tracing code outside of the BPF security module can use the > BPF inode data, the answer is a resounding "no". This is why I wanted to add a separate pointer in struct inode so that we could share the implementation with tracing. bpf_local_storage is managed (per-program+per-type of storage) with separate BPF maps. So, it can be easily shared between two programs (and program types) without them clobbering over each other. I guess we can have separate pointers for tracing, use the pointer in the security blob for the LSM and discuss this separately if and when we use this for tracing and keep this series patches scoped to BPF_PROG_TYPE_LSM. - KP > > > if CONFIG_BPF_LSM > > is enabled. Does this sound reasonable to the BPF folks? > > > > - KP > > > > >