References: <20210618105526.265003-1-zenczykowski@gmail.com>
From: Lorenz Bauer
Date: Mon, 21 Jun 2021 10:02:12 +0100
Subject: Re: [PATCH bpf] Revert "bpf: program: Refuse non-O_RDWR flags in BPF_OBJ_GET"
To: Maciej Żenczykowski
Cc: Alexei Starovoitov, Daniel Borkmann, Linux Network Development Mailing List, Linux Kernel Mailing List, BPF Mailing List, "David S . Miller", Andrii Nakryiko, Greg Kroah-Hartman
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 18 Jun 2021 at 19:30, Maciej Żenczykowski wrote:
>
> On Fri, Jun 18, 2021 at 4:55 AM Lorenz Bauer wrote:
> >
> > On Fri, 18 Jun 2021 at 11:55, Maciej Żenczykowski
> > wrote:
> > >
> > > This reverts commit d37300ed182131f1757895a62e556332857417e5.
> > >
> > > This breaks Android userspace which expects to be able to
> > > fetch programs with just read permissions.
> >
> > Sorry about this! I'll defer to the maintainers what to do here.
> > Reverting leaves us with a gaping hole for access control of pinned
> > programs.
>
> Not sure what hole you're referring to. Could you provide more details/explanation?
>
> It seems perfectly reasonable to be able to get a program with just read privs.
> After all, you're not modifying it, just using it.

Agreed, if that was what the kernel is doing. What you get with
BPF_F_RDONLY is a fully read-write fd, since the rest of the BPF
subsystem doesn't check program fd flags. Hence my fix to only allow
O_RDWR, which matches what the kernel actually does. Otherwise any
user with read-only access can get a R/W fd.

> AFAIK there is no way to modify a program after it was loaded, has this changed?

You can't modify the program, but you can detach it, for example. Any
program related bpf command that takes a program fd basically.

> if so, the checks should be on the modifications not the fd fetch.

True, unfortunately that code doesn't exist. It's also not
straightforward to write and probably impossible to backport.

> I guess one could argue fetching with write only privs doesn't make sense?
>
> Anyway... userspace is broken... so revert is the answer.
>
> In Android the process loading/pinning bpf maps/programs is a different
> process (the 'bpfloader') to the users (which are far less privileged)

If the revert happens you need to make sure that all of your pinned
state is only readable by the bpfloader user. And everybody else,
realistically.

-- 
Lorenz Bauer  |  Systems Engineer
6th Floor, County Hall/The Riverside Building, SE1 7PB, UK

www.cloudflare.com