Enable writing xattr from BPF programs #8335
Open
+740
−63
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: bfaac2a |
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
21a4297 to
36a754d
Compare
|
Upstream branch: e8ec1c9 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
a10bc84 to
f59d967
Compare
|
Upstream branch: e8ec1c9 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
f59d967 to
52a22c8
Compare
|
Upstream branch: e8ec1c9 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
52a22c8 to
576f9bc
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
36a754d to
b27feb5
Compare
|
Upstream branch: e8ec1c9 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
576f9bc to
cf8b1e0
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
b27feb5 to
ffc879e
Compare
|
Upstream branch: a43796b |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
cf8b1e0 to
a90db9c
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
ffc879e to
77d4ead
Compare
|
Upstream branch: defac89 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
a90db9c to
4cbcc20
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
77d4ead to
483693f
Compare
|
Upstream branch: 95ad526 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
4cbcc20 to
8ead5ae
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
2327693 to
e4fef02
Compare
|
Upstream branch: 87c5441 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
d7e1d0e to
68153e7
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
e4fef02 to
70e4b2e
Compare
|
Upstream branch: a8d1c48 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
68153e7 to
f0528cf
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
70e4b2e to
a20eb62
Compare
|
Upstream branch: 556a399 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
f0528cf to
b57faac
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
a20eb62 to
1332909
Compare
|
Upstream branch: 556a399 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
b57faac to
9d8fb9c
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
1332909 to
075d2f1
Compare
|
Upstream branch: b53b63d |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
9d8fb9c to
63160c3
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
075d2f1 to
cfe4aae
Compare
|
Upstream branch: f8a0569 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
63160c3 to
498c1a4
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf-next_base
branch
from
cfe4aae to
c120dfb
Compare
Introduct new xattr name prefix security.bpf., and enable reading these xattrs from bpf kfuncs bpf_get_[file|dentry]_xattr(). As we are on it, correct the comments for return value of bpf_get_[file|dentry]_xattr(), i.e. return length the xattr value on success. Signed-off-by: Song Liu <song@kernel.org> Acked-by: Christian Brauner <brauner@kernel.org> Reviewed-by: Jan Kara <jack@suse.cz>
Extend test_progs fs_kfuncs to cover different xattr names. Specifically: xattr name "user.kfuncs" and "security.bpf.xxx" can be read from BPF program with kfuncs bpf_get_[file|dentry]_xattr(); while "security.bpf" and "security.selinux" cannot be read. Signed-off-by: Song Liu <song@kernel.org>
Add bpf_lsm_inode_removexattr and bpf_lsm_inode_post_removexattr to list sleepable_lsm_hooks. These two hooks are always called from sleepable context. Signed-off-by: Song Liu <song@kernel.org>
Polymorphism exists in kernel functions, BPF helpers, as well as kfuncs. When called from different contexts, it is necessary to pick the right version of a kfunc. One of such example is bpf_dynptr_from_skb vs. bpf_dynptr_from_skb_rdonly. To avoid the burden on the users, the verifier can inspect the calling context and select the right version of kfunc. However, with more kfuncs being added to the kernel, it is not scalable to push all these logic to the verifiler. Extend btf_kfunc_id_set to handle kfunc polymorphism. Specifically, a list of kfuncs, "hidden_set", and a new method "remap" is added to btf_kfunc_id_set. kfuncs in hidden_set do not have BTF_SET8_KFUNCS flag, and are not exposed in vmlinux.h. The remap method is used to inspect the calling context, and when necessary, remap the user visible kfuncs (for example, bpf_dynptr_from_skb), to its hidden version (for example, bpf_dynptr_from_skb_rdonly). The verifier calls in these remap logic via the new btf_kfunc_id_remap() API, and picks the right kfuncs for the context. Signed-off-by: Song Liu <song@kernel.org>
btf_kfunc_id_set.remap can pick proper version of a kfunc for the calling context. Use this logic to select bpf_dynptr_from_skb or bpf_dynptr_from_skb_rdonly. This will make the verifier simpler. Unfortunately, btf_kfunc_id_set.remap cannot cover the DYNPTR_TYPE_SKB logic in check_kfunc_args(). This can be addressed later. Signed-off-by: Song Liu <song@kernel.org>
Add the following kfuncs to set and remove xattrs from BPF programs: bpf_set_dentry_xattr bpf_remove_dentry_xattr bpf_set_dentry_xattr_locked bpf_remove_dentry_xattr_locked The _locked version of these kfuncs are called from hooks where dentry->d_inode is already locked. Instead of requiring the user to know which version of the kfuncs to use, the verifier will pick the proper kfunc based on the calling hook. Signed-off-by: Song Liu <song@kernel.org>
Two sets of tests are added to exercise the not _locked and _locked version of the kfuncs. For both tests, user space accesses xattr security.bpf.foo on a testfile. The BPF program is triggered by user space access (on LSM hook inode_[set|get]_xattr) and sets or removes xattr security.bpf.bar. Then user space then validates that xattr security.bpf.bar is set or removed as expected. Note that, in both tests, the BPF programs use the not _locked kfuncs. The verifier picks the proper kfuncs based on the calling context. Signed-off-by: Song Liu <song@kernel.org>
|
Upstream branch: e055a46 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/916534=>bpf-next
branch
from
498c1a4 to
0417639
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: Enable writing xattr from BPF programs
version: 8
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=923532