Received: by 2002:a05:6512:e85:0:0:0:0 with SMTP id bi5csp2882675lfb;
        Thu, 23 Jun 2022 14:01:39 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1so42NQTv0tyckxtsptVxeNbJ+ParDN99VEmNxOGNbRfw6L6QOgdrPCTRlt2dKYaymBhnMa
X-Received: by 2002:a63:4853:0:b0:3fa:dc6:7ac2 with SMTP id x19-20020a634853000000b003fa0dc67ac2mr9034776pgk.298.1656018098978;
        Thu, 23 Jun 2022 14:01:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1656018098; cv=none;
        d=google.com; s=arc-20160816;
        b=EOYH2KT3l55xt8mc9jDpnCqA9jN2+VbY2O2vFI1EGNRxyjFjL2gshjWDTZPvSKy1sq
         5CTTjHOU3LIA6fHf5AV+8dh3Q6w+SLY13SMqszv7h87iaECGm0BkhJF+rhgpEvxrSRRh
         zE1FaugExe7L+A/PpcBDlhGB2UXPNzBlbEYq751u7a5ETksmPQcopRfI4V5DtDr6bxG3
         Zk/R4A22L/StcCN7DWpLg4ZNmtf3k7onW/23QMdGAEHSHZXdhRtwZVgQqtjgL0uMb1Pb
         g8sMhjxPvkJi+h4nviTYKIV5XBGb2/gVRByav10pfz+pl7AogVa1suI1RFs5NLLFcVa0
         vtuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=+NeDhzIsosAc6zjoUbMznd330rNHziGlr8pP4p3fVF0=;
        b=rDJbwYrPp/p2iF805jJViZkPzbzNsH8iQDNDtz0i5T2HsMHkIiuJuEDR41yHeeb1e2
         Wa2i4ukUjgawYCiDu5eXm3qvxnRC467h8fxSrDoYliC7WhL7vInv1wV7XWjCeBWYZgRt
         WDa68wq2z65Be6RJeIbM6jjx4I7xg9MzyoB1zCYR5D73Mng3bEoZ/BDo8z/Y07IZrrN2
         cSXnNvaSAVVgAtOJudejr24cFa8KUvP54wlDR64bjgFYdaSoPBkb3K47vd6sWobzfH1u
         qebWxENVKSlLwGjl56GTzCIftR1aR7xFqDKvEao45foabtJcPxO583DSGrZR7ylG0YM6
         m20w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=fAx3pvL2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id d81-20020a621d54000000b004fa3a8dffa5si275236pfd.92.2022.06.23.14.01.26;
        Thu, 23 Jun 2022 14:01:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=fAx3pvL2;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229837AbiFWUy3 (ORCPT <rfc822;alb3rt4n@gmail.com> + 99 others);
        Thu, 23 Jun 2022 16:54:29 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51604 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229653AbiFWUy2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 23 Jun 2022 16:54:28 -0400
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 35DFB62728;
        Thu, 23 Jun 2022 13:54:27 -0700 (PDT)
Received: by mail-ej1-x632.google.com with SMTP id lw20so695437ejb.4;
        Thu, 23 Jun 2022 13:54:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=+NeDhzIsosAc6zjoUbMznd330rNHziGlr8pP4p3fVF0=;
        b=fAx3pvL2mb1wUs/cl1pnaZOCuwao8+6SnBAODybSfO6ROi8NVo0gsKiyWCmyMbmkMF
         b9S4yoI2SKgUW/Vp2Y4iNLOKbFtK0G6tdJi2kYeqDOqZaUlXCixb5Yx09/gLwJDkX9g2
         WYGdfXOv7BKXlYhDmhz/UJrZDqvzmK5TbDKG9S39mn/+cW6tq78J/W6GZrg7aeuMCjOx
         bz6q/v5o5SuZy856wRedvW5sCeM0PJprg1hDe5IvdltJYfCPXMmnNkS8QYXRUI89g290
         AiXG2CJPs4gS2iuURPvnSXllm4vbU7SppK6KhveNTjEuGhjUDsg5v1ziIpgHh/S2n47a
         lGWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=+NeDhzIsosAc6zjoUbMznd330rNHziGlr8pP4p3fVF0=;
        b=TX766x9RN6iQgt5sl+tL+hokKmzPlBmAP4pZaJYHgH0KdjW5GXjHOrjAb4/NEnjwkR
         2HluYevT3cIFFue8Pb86QW9XdVSPgmOA4/wttBPY1QzNrNxtSMSnUp+scG4JXkaWL5ZL
         1HAteUtbh1nk2L5SQuYXpXpuwjBzo5XqWiiPNma3d8ZjeJsPRO6vDt4ArLEAnT75dZvE
         xA+xUt3OW8yQ8oqGHpjN3cd9XyxfLtpMnMoNPOSI0N3Kfw5EsY8+8Bq/rx4oISwqFij3
         e07OxdiXszyqwmmd3SwqGWDz6mvcvjyemsbwaXgsyzhf6Vd0Mv2t/DM605ZWL/uelRQS
         NsJQ==
X-Gm-Message-State: AJIora8nans6J/nKolpLjuTJFNSps6ppc1ngspxo2bxcdRJwsG1yRg3t
        JTXFZw0yABTCuwMBgdk7ESXFtQonNt4zvqX/ma0=
X-Received: by 2002:a17:907:971e:b0:71d:955c:b296 with SMTP id
 jg30-20020a170907971e00b0071d955cb296mr9639163ejc.633.1656017665626; Thu, 23
 Jun 2022 13:54:25 -0700 (PDT)
MIME-Version: 1.0
References: <20220621163757.760304-1-roberto.sassu@huawei.com>
 <20220621163757.760304-3-roberto.sassu@huawei.com> <20220621223248.f6wgyewajw6x4lgr@macbook-pro-3.dhcp.thefacebook.com>
 <796b55c79be142cab6a22dd281fdb9fa@huawei.com> <f2d3da08e7774df9b44cc648dda7d0b8@huawei.com>
In-Reply-To: <f2d3da08e7774df9b44cc648dda7d0b8@huawei.com>
From:   Alexei Starovoitov <alexei.starovoitov@gmail.com>
Date:   Thu, 23 Jun 2022 13:54:13 -0700
Message-ID: <CAADnVQKVx9o1PcCV_F3ywJCzDTPtQG4MTKM2BmwdCwNvyxdNPg@mail.gmail.com>
Subject: Re: [PATCH v5 2/5] bpf: Add bpf_lookup_user_key() and bpf_key_put() helpers
To:     Roberto Sassu <roberto.sassu@huawei.com>
Cc:     "ast@kernel.org" <ast@kernel.org>,
        "daniel@iogearbox.net" <daniel@iogearbox.net>,
        "andrii@kernel.org" <andrii@kernel.org>,
        "kpsingh@kernel.org" <kpsingh@kernel.org>,
        "john.fastabend@gmail.com" <john.fastabend@gmail.com>,
        "songliubraving@fb.com" <songliubraving@fb.com>,
        "kafai@fb.com" <kafai@fb.com>, "yhs@fb.com" <yhs@fb.com>,
        "dhowells@redhat.com" <dhowells@redhat.com>,
        "keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
        "bpf@vger.kernel.org" <bpf@vger.kernel.org>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "linux-kselftest@vger.kernel.org" <linux-kselftest@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
        RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 23, 2022 at 5:36 AM Roberto Sassu <roberto.sassu@huawei.com> wrote:
>
> > From: Roberto Sassu [mailto:roberto.sassu@huawei.com]
> > Sent: Wednesday, June 22, 2022 9:12 AM
> > > From: Alexei Starovoitov [mailto:alexei.starovoitov@gmail.com]
> > > Sent: Wednesday, June 22, 2022 12:33 AM
> > > On Tue, Jun 21, 2022 at 06:37:54PM +0200, Roberto Sassu wrote:
> > > > Add the bpf_lookup_user_key() and bpf_key_put() helpers, to respectively
> > > > search a key with a given serial, and release the reference count of the
> > > > found key.
> > > >
> > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > > ---
> > > >  include/uapi/linux/bpf.h       | 16 ++++++++++++
> > > >  kernel/bpf/bpf_lsm.c           | 46 ++++++++++++++++++++++++++++++++++
> > > >  kernel/bpf/verifier.c          |  6 +++--
> > > >  scripts/bpf_doc.py             |  2 ++
> > > >  tools/include/uapi/linux/bpf.h | 16 ++++++++++++
> > > >  5 files changed, 84 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > > > index e81362891596..7bbcf2cd105d 100644
> > > > --- a/include/uapi/linux/bpf.h
> > > > +++ b/include/uapi/linux/bpf.h
> > > > @@ -5325,6 +5325,20 @@ union bpf_attr {
> > > >   *               **-EACCES** if the SYN cookie is not valid.
> > > >   *
> > > >   *               **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
> > > > + *
> > > > + * struct key *bpf_lookup_user_key(u32 serial, unsigned long flags)
> > > > + *       Description
> > > > + *               Search a key with a given *serial* and the provided *flags*, and
> > > > + *               increment the reference count of the key.
> > >
> > > Why passing 'flags' is ok to do?
> > > Please think through every line of the patch.
> >
> > To be honest, I thought about it. Probably yes, I should do some
> > sanitization, like I did for the keyring ID. When I checked
> > lookup_user_key(), I saw that flags are checked individually, so
> > an arbitrary value passed to the helper should not cause harm.
> > Will do sanitization, if you prefer. It is just that we have to keep
> > the eBPF code in sync with key flag definition (unless we have
> > a 'last' flag).
>
> I'm not sure that having a helper for lookup_user_key() alone is
> correct. By having separate helpers for lookup and usage of the
> key, nothing would prevent an eBPF program to ask for a
> permission to pass the access control check, and then use the
> key for something completely different from what it requested.
>
> Looking at how lookup_user_key() is used in security/keys/keyctl.c,
> it seems clear that it should be used together with the operation
> that needs to be performed. Only in this way, the key permission
> would make sense.

lookup is roughly equivalent to open when all permission checks are done.
And using the key is read/write.

> What do you think (also David)?
>
> Thanks
>
> Roberto
>
> HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063
> Managing Director: Li Peng, Yang Xi, Li He

Please use a different email server and get rid of this.