[v3,bpf-next,0/6] Enable writing xattr from BPF programs

Message ID 20241210220627.2800362-1-song@kernel.org (mailing list archive)

Message

Song Liu Dec. 10, 2024, 10:06 p.m. UTC
Add support to set and remove xattr from BPF program. Also add
security.bpf. xattr name prefix.

kfuncs are added to set and remove xattrs with security.bpf. name
prefix. Update kfuncs bpf_get_[file|dentry]_xattr to read xattrs
with security.bpf. name prefix. Note that BPF programs can read
user. xattrs, but not write and remove them.

Cover letter of v1 and v2:

Follow up discussion in LPC 2024 [1], that we need security.bpf xattr
prefix. This set adds "security.bpf." xattr name prefix, and allows
bpf kfuncs bpf_get_[file|dentry]_xattr() to read these xattrs.

[1] https://lpc.events/event/18/contributions/1940/

Changes v2 => v3
1. Add kfuncs to set and remove xattr from BPF programs.

v2: https://lore.kernel.org/bpf/20241016070955.375923-1-song@kernel.org/

Changes v1 => v2
1. Update comment of bpf_get_[file|dentry]_xattr. (Jiri Olsa)
2. Fix comment for return value of bpf_get_[file|dentry]_xattr.

v1: https://lore.kernel.org/bpf/20241002214637.3625277-1-song@kernel.org/

Song Liu (6):
  fs/xattr: bpf: Introduce security.bpf. xattr name prefix
  selftests/bpf: Extend test fs_kfuncs to cover security.bpf. xattr
    names
  bpf: lsm: Add two more sleepable hooks
  bpf: fs/xattr: Add BPF kfuncs to set and remove xattrs
  selftests/bpf: Test kfuncs that set and remove xattr from BPF programs
  selftests/bpf: Add __failure tests for set/remove xattr kfuncs

 fs/bpf_fs_kfuncs.c                            | 258 +++++++++++++++++-
 include/uapi/linux/xattr.h                    |   4 +
 kernel/bpf/bpf_lsm.c                          |   2 +
 tools/testing/selftests/bpf/bpf_kfuncs.h      |  10 +
 .../selftests/bpf/prog_tests/fs_kfuncs.c      | 165 ++++++++++-
 .../selftests/bpf/progs/test_get_xattr.c      |  28 +-
 .../bpf/progs/test_set_remove_xattr.c         | 129 +++++++++
 .../bpf/progs/test_set_remove_xattr_failure.c |  56 ++++
 8 files changed, 632 insertions(+), 20 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/test_set_remove_xattr.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_set_remove_xattr_failure.c

--
2.43.5
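
The name-prefix rule from the cover letter (security.bpf.* can be read, set and removed; user.* can only be read), as an added user-space example that is not code from this patch series. Every identifier and the sample buffer are constructed for illustration, and the rule is modelled as a plain prefix match.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes named in the cover letter; all identifiers here are hypothetical. */
#define EX_USER_PREFIX         "user."
#define EX_SECURITY_BPF_PREFIX "security.bpf."

enum { EX_NONE = 0, EX_READ = 1, EX_WRITE = 2 };

/* Constructed sample in listxattr(2) layout: NUL-terminated names, back to back. */
static const char sample_list[] =
    "user.note\0security.bpf.label\0security.selinux\0security.bpfx\0";

static int has_prefix(const char *name, const char *prefix)
{
    return strncmp(name, prefix, strlen(prefix)) == 0;
}

/* Access a BPF LSM program gets to one name under the rule in the cover
 * letter: security.bpf.* is read/set/remove, user.* is read-only. */
int bpf_xattr_access(const char *name)
{
    if (has_prefix(name, EX_SECURITY_BPF_PREFIX))
        return EX_READ | EX_WRITE;
    if (has_prefix(name, EX_USER_PREFIX))
        return EX_READ;
    return EX_NONE; /* e.g. security.selinux, or the near-miss security.bpfx */
}

/* Count names in a listxattr-style buffer that BPF could set or remove. */
size_t count_bpf_writable(const char *list, size_t len)
{
    size_t off = 0, n = 0;
    while (off < len) {
        const char *name = list + off;
        const char *end = memchr(name, '\0', len - off);

        if (!end)
            break; /* unterminated tail: do not read past the buffer */
        if (bpf_xattr_access(name) & EX_WRITE)
            n++;
        off += (size_t)(end - name) + 1;
    }
    return n;
}

int main(void)
{
    printf("%zu\n", count_bpf_writable(sample_list, sizeof(sample_list) - 1));
    return 0;
}
```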

Comments

Theodore Ts'o Dec. 11, 2024, 1:18 p.m. UTC | #1
On Tue, Dec 10, 2024 at 02:06:21PM -0800, Song Liu wrote:
> Add support to set and remove xattr from BPF program. Also add
> security.bpf. xattr name prefix.

If the system allows for the execution of unprivileged BPF programs
(e.g., ones where a random user can load their own BPF programs), will
they have the ability to set and remove security.bpf.* xattrs?  If the
answer is yes, should this be disallowed?

I note that one of the use cases seems to be BPF-based LSM's, so we
may want to have something even more restrictive since otherwise any
BPF program could potentially have the same power as the LSM?

                                            - Ted

Song Liu Dec. 11, 2024, 4:48 p.m. UTC | #2
Hi Ted, 

> On Dec 11, 2024, at 5:18 AM, Theodore Ts'o <tytso@mit.edu> wrote:
> 
> On Tue, Dec 10, 2024 at 02:06:21PM -0800, Song Liu wrote:
>> Add support to set and remove xattr from BPF program. Also add
>> security.bpf. xattr name prefix.
> 
> If the system allows for the execution of unprivileged BPF programs
> (e.g., ones where a random user can load their own BPF programs), will
> they have the ability to set and remove security.bpf.* xattrs?  If the
> answer is yes, should this be disallowed?
> 
> I note that one of the use cases seems to be BPF-based LSM's, so we
> may want to have something even more restrictive since otherwise any
> BPF program could potentially have the same power as the LSM?

These kfuncs are only allowed in BPF LSM programs. Therefore, other
program types (tracing, XDP, etc.) cannot use these kfuncs. 

Thanks,
Song

Andrii Nakryiko Dec. 12, 2024, 7:39 p.m. UTC | #3
On Wed, Dec 11, 2024 at 5:18 AM Theodore Ts'o <tytso@mit.edu> wrote:
>
> On Tue, Dec 10, 2024 at 02:06:21PM -0800, Song Liu wrote:
> > Add support to set and remove xattr from BPF program. Also add
> > security.bpf. xattr name prefix.
>
> If the system allows for the execution of unprivileged BPF programs
> (e.g., ones where a random user can load their own BPF programs), will
> they have the ability to set and remove security.bpf.* xattrs?  If the
> answer is yes, should this be disallowed?

It's not 100% clear from Song's reply, but the answer is "no". You
can't use this from unprivileged BPF programs (BPF LSM is privileged
and requires root, effectively).

>
> I note that one of the use cases seems to be BPF-based LSM's, so we
> may want to have something even more restrictive since otherwise any
> BPF program could potentially have the same power as the LSM?
>
>                                             - Ted