Re: [PATCH] device_cgroup: Cleanup cgroup eBPF device filter code

From: Odin Ugedal
Date: Fri Apr 03 2020 - 14:06:02 EST

Next message: Alexey Gladkov: "[PATCH v11 0/8] proc: modernize proc to support multiple private instances"
Previous message: Joe Lawrence: "Re: [POC 22/23] livepatch/module: Remove obsolete copy_module_elf()"
In reply to: Odin Ugedal: "[PATCH] device_cgroup: Cleanup cgroup eBPF device filter code"
Next in thread: Roman Gushchin: "Re: [PATCH] device_cgroup: Cleanup cgroup eBPF device filter code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi (patch author here),

This is my first "real" patch, so looking forward to some feedback! I
am not sure if this behavior is the "best one", or if we should
require CONFIG_CGROUP_DEVICE to be set to yes. In that case we can
just abandon this patch and replace the original "#if
defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)" with a
simple "#ifdef CONFIG_CGROUP_DEVICE" and update the docs and the
config.

It is also another alternative to keep the code in this patch and move
some of it into a separate file in order to avoid all the ifdefs, and
to make the split between cgroup v1 and cgroup v2 code cleaner.

As a reference, only Fedora is currently shipping with cgroup v2 as
default (afaik.) and their kernel is compiled (5.3.7-301.fc31.x86_64)
with CONFIG_CGROUP_DEVICE=y and CONFIG_CGROUP_BPF=y, so this will not
affect them.

Odin Ugedal

fre. 3. apr. 2020 kl. 19:55 skrev Odin Ugedal <odin@xxxxxxxxxx>:
>
> Original cgroup v2 eBPF code for filtering device access made it
> possible to compile with CONFIG_CGROUP_DEVICE=n and still use the eBPF
> filtering. Change
> commit 4b7d4d453fc4 ("device_cgroup: Export devcgroup_check_permission")
> reverted this, making it required to set it to y.
>
> Since the device filtering (and all the docs) for cgroup v2 is no longer
> a "device controller" like it was in v1, someone might compile their
> kernel with CONFIG_CGROUP_DEVICE=n. Then (for linux 5.5+) the eBPF
> filter will not be invoked, and all processes will be allowed access
> to all devices, no matter what the eBPF filter says.
>
> Signed-off-by: Odin Ugedal <odin@xxxxxxxxxx>
> ---
> drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 2 +-
> include/linux/device_cgroup.h | 14 +++++---------
> security/Makefile | 2 +-
> security/device_cgroup.c | 19 ++++++++++++++++---
> 4 files changed, 23 insertions(+), 14 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
> index 4a3049841086..c24cad3c64ed 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
> @@ -1050,7 +1050,7 @@ void kfd_dec_compute_active(struct kfd_dev *dev);
> /* Check with device cgroup if @kfd device is accessible */
> static inline int kfd_devcgroup_check_permission(struct kfd_dev *kfd)
> {
> -#if defined(CONFIG_CGROUP_DEVICE)
> +#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
> struct drm_device *ddev = kfd->ddev;
>
> return devcgroup_check_permission(DEVCG_DEV_CHAR, ddev->driver->major,
> diff --git a/include/linux/device_cgroup.h b/include/linux/device_cgroup.h
> index fa35b52e0002..9a72214496e5 100644
> --- a/include/linux/device_cgroup.h
> +++ b/include/linux/device_cgroup.h
> @@ -1,6 +1,5 @@
> /* SPDX-License-Identifier: GPL-2.0 */
> #include <linux/fs.h>
> -#include <linux/bpf-cgroup.h>
>
> #define DEVCG_ACC_MKNOD 1
> #define DEVCG_ACC_READ 2
> @@ -11,16 +10,10 @@
> #define DEVCG_DEV_CHAR 2
> #define DEVCG_DEV_ALL 4 /* this represents all devices */
>
> -#ifdef CONFIG_CGROUP_DEVICE
> -int devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access);
> -#else
> -static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
> - short access)
> -{ return 0; }
> -#endif
>
> #if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
> +int devcgroup_check_permission(short type, u32 major, u32 minor,
> + short access);
> static inline int devcgroup_inode_permission(struct inode *inode, int mask)
> {
> short type, access = 0;
> @@ -61,6 +54,9 @@ static inline int devcgroup_inode_mknod(int mode, dev_t dev)
> }
>
> #else
> +static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
> + short access)
> +{ return 0; }
> static inline int devcgroup_inode_permission(struct inode *inode, int mask)
> { return 0; }
> static inline int devcgroup_inode_mknod(int mode, dev_t dev)
> diff --git a/security/Makefile b/security/Makefile
> index 22e73a3482bd..3baf435de541 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -30,7 +30,7 @@ obj-$(CONFIG_SECURITY_YAMA) += yama/
> obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
> obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
> obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
> -obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
> +obj-$(CONFIG_CGROUPS) += device_cgroup.o
> obj-$(CONFIG_BPF_LSM) += bpf/
>
> # Object integrity file lists
> diff --git a/security/device_cgroup.c b/security/device_cgroup.c
> index 7d0f8f7431ff..43ab0ad45c1b 100644
> --- a/security/device_cgroup.c
> +++ b/security/device_cgroup.c
> @@ -15,6 +15,8 @@
> #include <linux/rcupdate.h>
> #include <linux/mutex.h>
>
> +#ifdef CONFIG_CGROUP_DEVICE
> +
> static DEFINE_MUTEX(devcgroup_mutex);
>
> enum devcg_behavior {
> @@ -792,7 +794,7 @@ struct cgroup_subsys devices_cgrp_subsys = {
> };
>
> /**
> - * __devcgroup_check_permission - checks if an inode operation is permitted
> + * devcgroup_legacy_check_permission - checks if an inode operation is permitted
> * @dev_cgroup: the dev cgroup to be tested against
> * @type: device type
> * @major: device major number
> @@ -801,7 +803,7 @@ struct cgroup_subsys devices_cgrp_subsys = {
> *
> * returns 0 on success, -EPERM case the operation is not permitted
> */
> -static int __devcgroup_check_permission(short type, u32 major, u32 minor,
> +static int devcgroup_legacy_check_permission(short type, u32 major, u32 minor,
> short access)
> {
> struct dev_cgroup *dev_cgroup;
> @@ -825,6 +827,10 @@ static int __devcgroup_check_permission(short type, u32 major, u32 minor,
> return 0;
> }
>
> +#endif /* CONFIG_CGROUP_DEVICE */
> +
> +#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
> +
> int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
> {
> int rc = BPF_CGROUP_RUN_PROG_DEVICE_CGROUP(type, major, minor, access);
> @@ -832,6 +838,13 @@ int devcgroup_check_permission(short type, u32 major, u32 minor, short access)
> if (rc)
> return -EPERM;
>
> - return __devcgroup_check_permission(type, major, minor, access);
> + #ifdef CONFIG_CGROUP_DEVICE
> + return devcgroup_legacy_check_permission(type, major, minor, access);
> +
> + #else /* CONFIG_CGROUP_DEVICE */
> + return 0;
> +
> + #endif /* CONFIG_CGROUP_DEVICE */
> }
> EXPORT_SYMBOL(devcgroup_check_permission);
> +#endif /* defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF) */
> --
> 2.26.0
>

Next message: Alexey Gladkov: "[PATCH v11 0/8] proc: modernize proc to support multiple private instances"
Previous message: Joe Lawrence: "Re: [POC 22/23] livepatch/module: Remove obsolete copy_module_elf()"
In reply to: Odin Ugedal: "[PATCH] device_cgroup: Cleanup cgroup eBPF device filter code"
Next in thread: Roman Gushchin: "Re: [PATCH] device_cgroup: Cleanup cgroup eBPF device filter code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]