| Message ID | 20220711083220.2175036-3-asavkov@redhat.com (mailing list archive) |
|---|---|
| State | RFC |
| Delegated to: | BPF |
| Headers | show |
| Series | bpf_panic() helper | expand |
| Context | Check | Description |
|---|---|---|
| bpf/vmtest-bpf-next-PR | fail | merge-conflict |
| netdev/tree_selection | success | Clearly marked for bpf-next, async |
| netdev/apply | fail | Patch does not apply to bpf-next |
On Mon, Jul 11, 2022 at 10:32:18AM +0200, Artem Savkov wrote: > Add a BPF_F_DESTRUCTIVE will be required to be supplied to > BPF_PROG_LOAD for programs to utilize destructive helpers such as > bpf_panic(). I'd think that having kernel.destructive_bpf_enabled sysctl knob enabled would be enough to enable that helper from any program, not sure having extra load flag adds more security jirka > > Signed-off-by: Artem Savkov <asavkov@redhat.com> > --- > include/linux/bpf.h | 1 + > include/uapi/linux/bpf.h | 6 ++++++ > kernel/bpf/syscall.c | 4 +++- > tools/include/uapi/linux/bpf.h | 6 ++++++ > 4 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > index 77972724bed7..43c008e3587a 100644 > --- a/include/linux/bpf.h > +++ b/include/linux/bpf.h > @@ -1041,6 +1041,7 @@ struct bpf_prog_aux { > bool sleepable; > bool tail_call_reachable; > bool xdp_has_frags; > + bool destructive; > bool use_bpf_prog_pack; > /* BTF_KIND_FUNC_PROTO for valid attach_btf_id */ > const struct btf_type *attach_func_proto; > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > index e81362891596..4423874b5da4 100644 > --- a/include/uapi/linux/bpf.h > +++ b/include/uapi/linux/bpf.h > @@ -1121,6 +1121,12 @@ enum bpf_link_type { > */ > #define BPF_F_XDP_HAS_FRAGS (1U << 5) > > +/* If BPF_F_DESTRUCTIVE is used in BPF_PROG_LOAD command, the loaded program > + * will be able to perform destructive operations such as calling bpf_panic() > + * helper. > + */ > +#define BPF_F_DESTRUCTIVE (1U << 6) > + > /* link_create.kprobe_multi.flags used in LINK_CREATE command for > * BPF_TRACE_KPROBE_MULTI attach type to create return probe. > */ > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index 1ce6541d90e1..779feac2dc7d 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -2449,7 +2449,8 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr) > BPF_F_TEST_STATE_FREQ | > BPF_F_SLEEPABLE | > BPF_F_TEST_RND_HI32 | > - BPF_F_XDP_HAS_FRAGS)) > + BPF_F_XDP_HAS_FRAGS | > + BPF_F_DESTRUCTIVE)) > return -EINVAL; > > if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && > @@ -2536,6 +2537,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr) > prog->aux->offload_requested = !!attr->prog_ifindex; > prog->aux->sleepable = attr->prog_flags & BPF_F_SLEEPABLE; > prog->aux->xdp_has_frags = attr->prog_flags & BPF_F_XDP_HAS_FRAGS; > + prog->aux->destructive = attr->prog_flags & BPF_F_DESTRUCTIVE; > > err = security_bpf_prog_alloc(prog->aux); > if (err) > diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h > index e81362891596..4423874b5da4 100644 > --- a/tools/include/uapi/linux/bpf.h > +++ b/tools/include/uapi/linux/bpf.h > @@ -1121,6 +1121,12 @@ enum bpf_link_type { > */ > #define BPF_F_XDP_HAS_FRAGS (1U << 5) > > +/* If BPF_F_DESTRUCTIVE is used in BPF_PROG_LOAD command, the loaded program > + * will be able to perform destructive operations such as calling bpf_panic() > + * helper. > + */ > +#define BPF_F_DESTRUCTIVE (1U << 6) > + > /* link_create.kprobe_multi.flags used in LINK_CREATE command for > * BPF_TRACE_KPROBE_MULTI attach type to create return probe. > */ > -- > 2.35.3 >
On Mon, Jul 11, 2022 at 12:56:28PM +0200, Jiri Olsa wrote: > On Mon, Jul 11, 2022 at 10:32:18AM +0200, Artem Savkov wrote: > > Add a BPF_F_DESTRUCTIVE will be required to be supplied to > > BPF_PROG_LOAD for programs to utilize destructive helpers such as > > bpf_panic(). > > I'd think that having kernel.destructive_bpf_enabled sysctl knob enabled > would be enough to enable that helper from any program, not sure having > extra load flag adds more security I agree it doesn't add more security. The idea was to have a way for a developer to explicitly state he understand this will be dangerous. This flag can also translate well into something like a --destructive option for bpftrace without needing to keep a list of destructive helpers on their side.
diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 77972724bed7..43c008e3587a 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1041,6 +1041,7 @@ struct bpf_prog_aux { bool sleepable; bool tail_call_reachable; bool xdp_has_frags; + bool destructive; bool use_bpf_prog_pack; /* BTF_KIND_FUNC_PROTO for valid attach_btf_id */ const struct btf_type *attach_func_proto; diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index e81362891596..4423874b5da4 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -1121,6 +1121,12 @@ enum bpf_link_type { */ #define BPF_F_XDP_HAS_FRAGS (1U << 5) +/* If BPF_F_DESTRUCTIVE is used in BPF_PROG_LOAD command, the loaded program + * will be able to perform destructive operations such as calling bpf_panic() + * helper. + */ +#define BPF_F_DESTRUCTIVE (1U << 6) + /* link_create.kprobe_multi.flags used in LINK_CREATE command for * BPF_TRACE_KPROBE_MULTI attach type to create return probe. */ diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 1ce6541d90e1..779feac2dc7d 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -2449,7 +2449,8 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr) BPF_F_TEST_STATE_FREQ | BPF_F_SLEEPABLE | BPF_F_TEST_RND_HI32 | - BPF_F_XDP_HAS_FRAGS)) + BPF_F_XDP_HAS_FRAGS | + BPF_F_DESTRUCTIVE)) return -EINVAL; if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && @@ -2536,6 +2537,7 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr) prog->aux->offload_requested = !!attr->prog_ifindex; prog->aux->sleepable = attr->prog_flags & BPF_F_SLEEPABLE; prog->aux->xdp_has_frags = attr->prog_flags & BPF_F_XDP_HAS_FRAGS; + prog->aux->destructive = attr->prog_flags & BPF_F_DESTRUCTIVE; err = security_bpf_prog_alloc(prog->aux); if (err) diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index e81362891596..4423874b5da4 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -1121,6 +1121,12 @@ enum bpf_link_type { */ #define BPF_F_XDP_HAS_FRAGS (1U << 5) +/* If BPF_F_DESTRUCTIVE is used in BPF_PROG_LOAD command, the loaded program + * will be able to perform destructive operations such as calling bpf_panic() + * helper. + */ +#define BPF_F_DESTRUCTIVE (1U << 6) + /* link_create.kprobe_multi.flags used in LINK_CREATE command for * BPF_TRACE_KPROBE_MULTI attach type to create return probe. */
Add a BPF_F_DESTRUCTIVE will be required to be supplied to BPF_PROG_LOAD for programs to utilize destructive helpers such as bpf_panic(). Signed-off-by: Artem Savkov <asavkov@redhat.com> --- include/linux/bpf.h | 1 + include/uapi/linux/bpf.h | 6 ++++++ kernel/bpf/syscall.c | 4 +++- tools/include/uapi/linux/bpf.h | 6 ++++++ 4 files changed, 16 insertions(+), 1 deletion(-)