Re: [PATCH RFC v2 net-next 05/16] bpf: introduce syscall(BPF, ...) and BPF maps

From: Alexei Starovoitov
Date: Wed Jul 23 2014 - 15:30:33 EST

Next message: Oleg Nesterov: "[PATCH 1/2] ftrace: Kill tracing_{start,stop}_sched_switch_record() and tracing_sched_switch_assign_trace()"
Previous message: Andy Lutomirski: "[PATCH v2] x86_64,entry: Use lret to return to userspace when possible"
In reply to: Kees Cook: "Re: [PATCH RFC v2 net-next 05/16] bpf: introduce syscall(BPF, ...) and BPF maps"
Next in thread: Alexei Starovoitov: "[PATCH RFC v2 net-next 11/16] bpf: allow eBPF programs to use maps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jul 23, 2014 at 11:02 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> --- a/Documentation/networking/filter.txt
>> +++ b/Documentation/networking/filter.txt
>>
>> +eBPF maps
>> +---------
>> +'maps' is a generic storage of different types for sharing data between kernel
>> +and userspace.
>> +
>> +The maps are accessed from user space via BPF syscall, which has commands:
>> +- create a map with given id, type and attributes
>> + map_id = bpf_map_create(int map_id, map_type, struct nlattr *attr, int len)
>> + returns positive map id or negative error
>
> Looks like these docs need updating for the fd-based approach instead
> of the map_id approach?

ohh, yes. updated it in srcs and in commit log, but forgot in docs.

>> +SYSCALL_DEFINE5(bpf, int, cmd, unsigned long, arg2, unsigned long, arg3,
>> + unsigned long, arg4, unsigned long, arg5)
>> +{
>> + if (!capable(CAP_SYS_ADMIN))
>> + return -EPERM;
>
> It might be valuable to have a comment here describing why this is
> currently limited to CAP_SYS_ADMIN.

makes sense.
There are several reasons it should be limited to root initially:
- to phase changes in gradually
- verifier is not detecting pointer leaks yet
- full security audit wasn't performed
- tracing and network analytics are root only anyway
Currently eBPF is safe (non-crashing), since safety is relatively easy
to enforce by static analysis. For somebody with compiler background
it's natural to think about bounds, alignments, uninitialized access, etc.
So I'm confident that I didn't miss anything big in 'safety' aspect.
'Non-root security' is harder. I'll add pointer leak detection first
and will ask for more suggestions.

>> + switch (cmd) {
>> + case BPF_MAP_CREATE:
>> + return map_create((enum bpf_map_type) arg2,
>> + (struct nlattr __user *) arg3, (int) arg4);
>
> I'd recommend requiring arg5 == 0 here, just for future flexibility.

Though I expect all extensions to go through nlattr attributes,
it's indeed cleaner to enforce arg5==0 here and for all other cmds.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Oleg Nesterov: "[PATCH 1/2] ftrace: Kill tracing_{start,stop}_sched_switch_record() and tracing_sched_switch_assign_trace()"
Previous message: Andy Lutomirski: "[PATCH v2] x86_64,entry: Use lret to return to userspace when possible"
In reply to: Kees Cook: "Re: [PATCH RFC v2 net-next 05/16] bpf: introduce syscall(BPF, ...) and BPF maps"
Next in thread: Alexei Starovoitov: "[PATCH RFC v2 net-next 11/16] bpf: allow eBPF programs to use maps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]