[bpf-next,v4,1/3] bpf: add destructive kfunc flag

Message ID 20220809105317.436682-2-asavkov@redhat.com (mailing list archive)
State Superseded
Delegated to: BPF
Series destructive bpf_kfuncs

Checks

Context Check Description
netdev/tree_selection success Clearly marked for bpf-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Series has a cover letter
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1401 this patch: 1401
netdev/cc_maintainers warning 9 maintainers not CCed: john.fastabend@gmail.com sdf@google.com martin.lau@linux.dev corbet@lwn.net linux-doc@vger.kernel.org kpsingh@kernel.org jolsa@kernel.org haoluo@google.com yhs@fb.com
netdev/build_clang success Errors and warnings before: 163 this patch: 163
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1393 this patch: 1393
netdev/checkpatch warning CHECK: Prefer using the BIT macro WARNING: line length of 92 exceeds 80 columns
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-1 success Logs for Kernel LATEST on ubuntu-latest with gcc
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Kernel LATEST on ubuntu-latest with llvm-16
bpf/vmtest-bpf-next-VM_Test-3 success Logs for Kernel LATEST on z15 with gcc
bpf/vmtest-bpf-next-PR success PR summary

Commit Message

Artem Savkov Aug. 9, 2022, 10:53 a.m. UTC
Add KF_DESTRUCTIVE flag for destructive functions. Functions with this
flag set will require CAP_SYS_BOOT capabilities.

Signed-off-by: Artem Savkov <asavkov@redhat.com>
---
 Documentation/bpf/kfuncs.rst | 9 +++++++++
 include/linux/btf.h          | 1 +
 kernel/bpf/verifier.c        | 5 +++++
 3 files changed, 15 insertions(+)

Comments

Kumar Kartikeya Dwivedi Aug. 9, 2022, 12:40 p.m. UTC | #1
On Tue, 9 Aug 2022 at 12:53, Artem Savkov <asavkov@redhat.com> wrote:
>
> Add KF_DESTRUCTIVE flag for destructive functions. Functions with this
> flag set will require CAP_SYS_BOOT capabilities.
>
> Signed-off-by: Artem Savkov <asavkov@redhat.com>
> ---
>  Documentation/bpf/kfuncs.rst | 9 +++++++++
>  include/linux/btf.h          | 1 +
>  kernel/bpf/verifier.c        | 5 +++++
>  3 files changed, 15 insertions(+)
>
> diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
> index c0b7dae6dbf5..2e97e08be7de 100644
> --- a/Documentation/bpf/kfuncs.rst
> +++ b/Documentation/bpf/kfuncs.rst
> @@ -146,6 +146,15 @@ that operate (change some property, perform some operation) on an object that
>  was obtained using an acquire kfunc. Such kfuncs need an unchanged pointer to
>  ensure the integrity of the operation being performed on the expected object.
>
> +2.4.5 KF_DESTRUCTIVE flag

This should be 2.4.6.

> +--------------------------
> +
> +The KF_DESTRUCTIVE flag is used to indicate functions calling which is
> +destructive to the system. For example such a call can result in system
> +rebooting or panicking. Due to this additional restrictions apply to these
> +calls. At the moment they only require CAP_SYS_BOOT capability, but more can be
> +added later.
> +
>  2.5 Registering the kfuncs
>  --------------------------
>
> diff --git a/include/linux/btf.h b/include/linux/btf.h
> index cdb376d53238..51a0961c84e3 100644
> --- a/include/linux/btf.h
> +++ b/include/linux/btf.h
> @@ -49,6 +49,7 @@
>   * for this case.
>   */
>  #define KF_TRUSTED_ARGS (1 << 4) /* kfunc only takes trusted pointer arguments */
> +#define KF_DESTRUCTIVE  (1 << 5) /* kfunc performs destructive actions */
>
>  struct btf;
>  struct btf_member;
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 843a966cd02b..163cc0a2dc5a 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -7598,6 +7598,11 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
>                         func_name);
>                 return -EACCES;
>         }
> +       if (*kfunc_flags & KF_DESTRUCTIVE && !capable(CAP_SYS_BOOT)) {
> +               verbose(env, "destructive kfunc calls require CAP_SYS_BOOT capabilities\n");
> +               return -EACCES;
> +       }
> +
>         acq = *kfunc_flags & KF_ACQUIRE;
>
>         /* Check the arguments */
> --
> 2.37.1
>
Patch

diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
index c0b7dae6dbf5..2e97e08be7de 100644
--- a/Documentation/bpf/kfuncs.rst
+++ b/Documentation/bpf/kfuncs.rst
@@ -146,6 +146,15 @@  that operate (change some property, perform some operation) on an object that
 was obtained using an acquire kfunc. Such kfuncs need an unchanged pointer to
 ensure the integrity of the operation being performed on the expected object.
 
+2.4.5 KF_DESTRUCTIVE flag
+--------------------------
+
+The KF_DESTRUCTIVE flag is used to indicate functions calling which is
+destructive to the system. For example such a call can result in system
+rebooting or panicking. Due to this additional restrictions apply to these
+calls. At the moment they only require CAP_SYS_BOOT capability, but more can be
+added later.
+
 2.5 Registering the kfuncs
 --------------------------
 
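Review bot: the new heading `+2.4.5 KF_DESTRUCTIVE flag` reuses the number of the section it follows (Kumar already points out in the thread that it should be 2.4.6), and the RST underline should match the title length. The paragraph also needs to say when the restriction is enforced: the verifier.c hunk in this patch checks `capable(CAP_SYS_BOOT)` inside check_kfunc_call, so a program that calls a destructive kfunc is rejected at load time unless the loading task has CAP_SYS_BOOT; "these calls ... require CAP_SYS_BOOT" reads as a runtime check. Suggested wording: "The KF_DESTRUCTIVE flag marks kfuncs whose invocation is destructive to the system, for example causing a reboot or panic. Programs that call such kfuncs are rejected by the verifier at load time unless the loading task has CAP_SYS_BOOT; more restrictions may be added later."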
diff --git a/include/linux/btf.h b/include/linux/btf.h
index cdb376d53238..51a0961c84e3 100644
--- a/include/linux/btf.h
+++ b/include/linux/btf.h
@@ -49,6 +49,7 @@ 
  * for this case.
  */
 #define KF_TRUSTED_ARGS (1 << 4) /* kfunc only takes trusted pointer arguments */
+#define KF_DESTRUCTIVE  (1 << 5) /* kfunc performs destructive actions */
 
 struct btf;
 struct btf_member;
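Review bot: the netdev/checkpatch result above flags "Prefer using the BIT macro" for `+#define KF_DESTRUCTIVE  (1 << 5)`; since the adjacent KF_TRUSTED_ARGS definition uses the same `(1 << 4)` form, keeping the shift for consistency with the existing flags is defensible, but the comment should state the restriction the flag imposes so kfunc authors see it at the definition site, e.g. `/* kfunc performs destructive actions; loading program needs CAP_SYS_BOOT */`.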
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 843a966cd02b..163cc0a2dc5a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7598,6 +7598,11 @@  static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
 			func_name);
 		return -EACCES;
 	}
+	if (*kfunc_flags & KF_DESTRUCTIVE && !capable(CAP_SYS_BOOT)) {
+		verbose(env, "destructive kfunc calls require CAP_SYS_BOOT capabilities\n");
+		return -EACCES;
+	}
+
 	acq = *kfunc_flags & KF_ACQUIRE;
 
 	/* Check the arguments */
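Review bot: `*kfunc_flags & KF_DESTRUCTIVE && !capable(CAP_SYS_BOOT)` is correct as written because `&` binds tighter than `&&`, but parenthesising the flag test as `(*kfunc_flags & KF_DESTRUCTIVE)` makes the intent explicit and avoids a reader second-guessing precedence. The verbose() string is what produces the checkpatch 92-column warning listed above; shortening it to `"destructive kfunc calls require CAP_SYS_BOOT\n"` fixes both the line length and the grammar (one capability, not "capabilities"). Also worth stating in the commit message or kfuncs.rst: capable() here evaluates the credentials of the task running the verifier, so the program is rejected at load time, which is the intended semantics but differs from what the documentation hunk suggests.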