Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp3234178imw; Mon, 11 Jul 2022 04:53:52 -0700 (PDT) X-Google-Smtp-Source: AGRyM1spLYXri0k58dfxOBpHVAyQMhcjH6iLhCzFh0yRhbo2bjw+7LrtcURdI81lha7GmafUTSJO X-Received: by 2002:a17:907:270e:b0:72a:b476:95a with SMTP id w14-20020a170907270e00b0072ab476095amr18631834ejk.648.1657540432015; Mon, 11 Jul 2022 04:53:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657540432; cv=none; d=google.com; s=arc-20160816; b=try919RCLimndNXrwU1A6+F+of7xzGkD3U4mkzR1xgSrh76m5k6hNZWH8DHKayo1hN g/W8TuF3k2S5M9YWBLOBoi7bOEX+wWaQGAdQ7PrUWc32MUlneYKieXH5BwJxywRtxPUc BDJ6OMpUFp/lvw0bvZSOefnzTpYLAgjBVRdcX+qYMi/W5Znz3spz5Iok8kXFJr6hJP2P e2OnHAdGEhOvRVfY3+5oYBWcPum2pHREW73xfMvosd47ko74jRz0zNr3HSLigLiAo/Gi HfqStML28b1QEfoexRqfU+k/qjk/xOvueFn4iDSL0XFA0kykE18B+DT/ddWUfkNg61A8 TTaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:date:from:dkim-signature; bh=iMqIn8DONeCRuyNwWf4Kg7ANcVQQQZs13SNcKa6q92Q=; b=Li6o6wVUKurxTenEpue0/Akn0Xdu4/1cnVhsCfV2CRa1S9MTWrSPdFeG4c09KpWaJp bQ6KnwEYje+5weVlZv0W7Hj8Pb40SyFu/CqRFxnoFgWc9uscw/AqrtU2flheYBZKwaZb RHRTOlgROrlts7PJXIpB2SNnGsKc9gv/zZ65/D/+HAE4f57I51R3c1J40ZKI8OCs98og e+g2jDFvhwtIXot++o1DqRlqXkM2a2Qw+ko+2Z68oD/yXeAdulkpgspvFU+kLUIo1A/D InuQC+XMAqzQueEHlIbXmacahOGEx3F5HADqFjBzAYVMOwTGjALSjcUhbj1vqzxks+0v XNbQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=oA3VrB2y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h22-20020a056402281600b0043a77a6a338si12815355ede.400.2022.07.11.04.53.26; Mon, 11 Jul 2022 04:53:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=oA3VrB2y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229987AbiGKLZe (ORCPT + 99 others); Mon, 11 Jul 2022 07:25:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40564 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229718AbiGKLZJ (ORCPT ); Mon, 11 Jul 2022 07:25:09 -0400 Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 74D1F77A43; Mon, 11 Jul 2022 03:56:33 -0700 (PDT) Received: by mail-ed1-x533.google.com with SMTP id t3so5492699edd.0; Mon, 11 Jul 2022 03:56:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:date:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=iMqIn8DONeCRuyNwWf4Kg7ANcVQQQZs13SNcKa6q92Q=; b=oA3VrB2ys9UGrJKpk+qnmiCqv+TF3R18mgz4TYXGJOnv7yAPx6Z/M1M5cBFqlCus4E PcytroyDjHNx7q/vmZQVdxzPh0WkTX1oPD29sFqY0sTy1yfK4J1vg6WJN6F2LepJwh9D ugA1N1KAjvNQ6O/RFTqpXUxG//wz6SnssCWz2NHAieWug0IRJ6cERMZlTXwW3cY4DiN7 5pkxox6hEYodHlw6vl/YrD2rRcBB9ZFi42gIlM85OYRKWZUNkGJp6d+jNsryi3irilX/ alEBFdapzJh4vHuxCk+oZDMgc44DMKzBfl54ZC8U78eCs6lq+EZDBx4c0BXbI8h8n6Rb Q0VQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:date:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=iMqIn8DONeCRuyNwWf4Kg7ANcVQQQZs13SNcKa6q92Q=; b=dSg1MYkvoU6fn8UOVmQBV633slmABDEeuTNN4wKOmL9hMIJPHzyMMU+OWZE7L2NN2+ /Koz6IfxF8cUAassUh4YvvEVqpGKE0Jwm+69fs+sCi36yBNT4sJxqATnLv2ChksIXOZQ y5ORDWo9K1rhiD2x58nGfr5D0vee9hnEdsEWXJE/NZ4/qPnarQLlcS8v7Vz0jGJ9YPiR bK7jM09ILWSUzQhJPQZgTZp04XknjU+vyGyv9n4PwmGOULPqgxNWDlz5y93pEVTvZHmK 8VuDwqP+oOcsJaKY3F+sLFp+oOq2iyHK4DIkrlMOVE/ocVx/X2vGncdxN1f1gTyncbTq hF2Q== X-Gm-Message-State: AJIora/7eb2zDfmFzK0nO/lleq1VThSISqZKArhmVM2j/w8NmBbgF0bK elfIcBofTmsxugjhQK5hSYI= X-Received: by 2002:a05:6402:510c:b0:43a:e041:a371 with SMTP id m12-20020a056402510c00b0043ae041a371mr1570379edd.424.1657536991960; Mon, 11 Jul 2022 03:56:31 -0700 (PDT) Received: from krava ([151.14.22.253]) by smtp.gmail.com with ESMTPSA id fn15-20020a1709069d0f00b006fecf74395bsm2565875ejc.8.2022.07.11.03.56.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Jul 2022 03:56:31 -0700 (PDT) From: Jiri Olsa X-Google-Original-From: Jiri Olsa Date: Mon, 11 Jul 2022 12:56:28 +0200 To: Artem Savkov Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Andrea Arcangeli Subject: Re: [RFC PATCH bpf-next 2/4] bpf: add BPF_F_DESTRUCTIVE flag for BPF_PROG_LOAD Message-ID: References: <20220711083220.2175036-1-asavkov@redhat.com> <20220711083220.2175036-3-asavkov@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220711083220.2175036-3-asavkov@redhat.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 11, 2022 at 10:32:18AM +0200, Artem Savkov wrote: > Add a BPF_F_DESTRUCTIVE will be required to be supplied to > BPF_PROG_LOAD for programs to utilize destructive helpers such as > bpf_panic(). I'd think that having kernel.destructive_bpf_enabled sysctl knob enabled would be enough to enable that helper from any program, not sure having extra load flag adds more security jirka > > Signed-off-by: Artem Savkov > --- > include/linux/bpf.h | 1 + > include/uapi/linux/bpf.h | 6 ++++++ > kernel/bpf/syscall.c | 4 +++- > tools/include/uapi/linux/bpf.h | 6 ++++++ > 4 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > index 77972724bed7..43c008e3587a 100644 > --- a/include/linux/bpf.h > +++ b/include/linux/bpf.h > @@ -1041,6 +1041,7 @@ struct bpf_prog_aux { > bool sleepable; > bool tail_call_reachable; > bool xdp_has_frags; > + bool destructive; > bool use_bpf_prog_pack; > /* BTF_KIND_FUNC_PROTO for valid attach_btf_id */ > const struct btf_type *attach_func_proto; > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > index e81362891596..4423874b5da4 100644 > --- a/include/uapi/linux/bpf.h > +++ b/include/uapi/linux/bpf.h > @@ -1121,6 +1121,12 @@ enum bpf_link_type { > */ > #define BPF_F_XDP_HAS_FRAGS (1U << 5) > > +/* If BPF_F_DESTRUCTIVE is used in BPF_PROG_LOAD command, the loaded program > + * will be able to perform destructive operations such as calling bpf_panic() > + * helper. > + */ > +#define BPF_F_DESTRUCTIVE (1U << 6) > + > /* link_create.kprobe_multi.flags used in LINK_CREATE command for > * BPF_TRACE_KPROBE_MULTI attach type to create return probe. > */ > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index 1ce6541d90e1..779feac2dc7d 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -2449,7 +2449,8 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr) > BPF_F_TEST_STATE_FREQ | > BPF_F_SLEEPABLE | > BPF_F_TEST_RND_HI32 | > - BPF_F_XDP_HAS_FRAGS)) > + BPF_F_XDP_HAS_FRAGS | > + BPF_F_DESTRUCTIVE)) > return -EINVAL; > > if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && > @@ -2536,6 +2537,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr) > prog->aux->offload_requested = !!attr->prog_ifindex; > prog->aux->sleepable = attr->prog_flags & BPF_F_SLEEPABLE; > prog->aux->xdp_has_frags = attr->prog_flags & BPF_F_XDP_HAS_FRAGS; > + prog->aux->destructive = attr->prog_flags & BPF_F_DESTRUCTIVE; > > err = security_bpf_prog_alloc(prog->aux); > if (err) > diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h > index e81362891596..4423874b5da4 100644 > --- a/tools/include/uapi/linux/bpf.h > +++ b/tools/include/uapi/linux/bpf.h > @@ -1121,6 +1121,12 @@ enum bpf_link_type { > */ > #define BPF_F_XDP_HAS_FRAGS (1U << 5) > > +/* If BPF_F_DESTRUCTIVE is used in BPF_PROG_LOAD command, the loaded program > + * will be able to perform destructive operations such as calling bpf_panic() > + * helper. > + */ > +#define BPF_F_DESTRUCTIVE (1U << 6) > + > /* link_create.kprobe_multi.flags used in LINK_CREATE command for > * BPF_TRACE_KPROBE_MULTI attach type to create return probe. > */ > -- > 2.35.3 >