RE: [PATCH bpf-next v1 1/2] bpf: Add support for per-parameter trusted args

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: Roberto Sassu [mailto:roberto.sassu@xxxxxxxxxx]
> Sent: Thursday, July 28, 2022 9:46 AM
> > From: Kumar Kartikeya Dwivedi [mailto:memxor@xxxxxxxxx]
> > Sent: Wednesday, July 27, 2022 10:16 AM
> > Similar to how we detect mem, size pairs in kfunc, teach verifier to
> > treat __ref suffix on argument name to imply that it must be a trusted
> > arg when passed to kfunc, similar to the effect of KF_TRUSTED_ARGS flag
> > but limited to the specific parameter. This is required to ensure that
> > kfunc that operate on some object only work on acquired pointers and not
> > normal PTR_TO_BTF_ID with same type which can be obtained by pointer
> > walking. Release functions need not specify such suffix on release
> > arguments as they are already expected to receive one referenced
> > argument.
> 
> Thanks, Kumar. I will try it.

Uhm. I realized that I was already using another suffix,
__maybe_null, to indicate that a caller can pass NULL as
argument.

Wouldn't probably work well with two suffixes.

Have you considered to extend BTF_ID_FLAGS to take five
extra arguments, to set flags for each kfunc parameter?

Thanks

Roberto

> Roberto
> 
> > Cc: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> > ---
> >  Documentation/bpf/kfuncs.rst | 18 +++++++++++++++++
> >  kernel/bpf/btf.c             | 39 ++++++++++++++++++++++++------------
> >  net/bpf/test_run.c           |  9 +++++++--
> >  3 files changed, 51 insertions(+), 15 deletions(-)
> >
> > diff --git a/Documentation/bpf/kfuncs.rst b/Documentation/bpf/kfuncs.rst
> > index c0b7dae6dbf5..41dff6337446 100644
> > --- a/Documentation/bpf/kfuncs.rst
> > +++ b/Documentation/bpf/kfuncs.rst
> > @@ -72,6 +72,24 @@ argument as its size. By default, without __sz
> annotation,
> > the size of the type
> >  of the pointer is used. Without __sz annotation, a kfunc cannot accept a void
> >  pointer.
> >
> > +2.2.2 __ref Annotation
> > +----------------------
> > +
> > +This annotation is used to indicate that the argument is trusted, i.e. it will
> > +be a pointer from an acquire function (defined later), and its offset will be
> > +zero. This annotation has the same effect as the KF_TRUSTED_ARGS kfunc
> flag
> > but
> > +only on the parameter it is applied to. An example is shown below::
> > +
> > +        void bpf_task_send_signal(struct task_struct *task__ref, int signal)
> > +        {
> > +        ...
> > +        }
> > +
> > +Here, bpf_task_send_signal will only act on trusted task_struct pointers, and
> > +cannot be used on pointers obtained using pointer walking. This ensures that
> > +caller always calls this kfunc on a task whose lifetime is guaranteed for the
> > +duration of the call.
> > +
> >  .. _BPF_kfunc_nodef:
> >
> >  2.3 Using an existing kernel function
> > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> > index 7ac971ea98d1..3ce9b2deef9c 100644
> > --- a/kernel/bpf/btf.c
> > +++ b/kernel/bpf/btf.c
> > @@ -6141,18 +6141,13 @@ static bool __btf_type_is_scalar_struct(struct
> > bpf_verifier_log *log,
> >  	return true;
> >  }
> >
> > -static bool is_kfunc_arg_mem_size(const struct btf *btf,
> > -				  const struct btf_param *arg,
> > -				  const struct bpf_reg_state *reg)
> > +static bool btf_param_match_suffix(const struct btf *btf,
> > +				   const struct btf_param *arg,
> > +				   const char *suffix)
> >  {
> > -	int len, sfx_len = sizeof("__sz") - 1;
> > -	const struct btf_type *t;
> > +	int len, sfx_len = strlen(suffix);
> >  	const char *param_name;
> >
> > -	t = btf_type_skip_modifiers(btf, arg->type, NULL);
> > -	if (!btf_type_is_scalar(t) || reg->type != SCALAR_VALUE)
> > -		return false;
> > -
> >  	/* In the future, this can be ported to use BTF tagging */
> >  	param_name = btf_name_by_offset(btf, arg->name_off);
> >  	if (str_is_empty(param_name))
> > @@ -6161,10 +6156,26 @@ static bool is_kfunc_arg_mem_size(const struct
> btf
> > *btf,
> >  	if (len < sfx_len)
> >  		return false;
> >  	param_name += len - sfx_len;
> > -	if (strncmp(param_name, "__sz", sfx_len))
> > +	return !strncmp(param_name, suffix, sfx_len);
> > +}
> > +
> > +static bool is_kfunc_arg_ref(const struct btf *btf,
> > +			     const struct btf_param *arg)
> > +{
> > +	return btf_param_match_suffix(btf, arg, "__ref");
> > +}
> > +
> > +static bool is_kfunc_arg_mem_size(const struct btf *btf,
> > +				  const struct btf_param *arg,
> > +				  const struct bpf_reg_state *reg)
> > +{
> > +	const struct btf_type *t;
> > +
> > +	t = btf_type_skip_modifiers(btf, arg->type, NULL);
> > +	if (!btf_type_is_scalar(t) || reg->type != SCALAR_VALUE)
> >  		return false;
> >
> > -	return true;
> > +	return btf_param_match_suffix(btf, arg, "__sz");
> >  }
> >
> >  static int btf_check_func_arg_match(struct bpf_verifier_env *env,
> > @@ -6174,7 +6185,7 @@ static int btf_check_func_arg_match(struct
> > bpf_verifier_env *env,
> >  				    u32 kfunc_flags)
> >  {
> >  	enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
> > -	bool rel = false, kptr_get = false, trusted_arg = false;
> > +	bool rel = false, kptr_get = false, kf_trusted_args = false;
> >  	struct bpf_verifier_log *log = &env->log;
> >  	u32 i, nargs, ref_id, ref_obj_id = 0;
> >  	bool is_kfunc = btf_is_kernel(btf);
> > @@ -6211,7 +6222,7 @@ static int btf_check_func_arg_match(struct
> > bpf_verifier_env *env,
> >  		/* Only kfunc can be release func */
> >  		rel = kfunc_flags & KF_RELEASE;
> >  		kptr_get = kfunc_flags & KF_KPTR_GET;
> > -		trusted_arg = kfunc_flags & KF_TRUSTED_ARGS;
> > +		kf_trusted_args = kfunc_flags & KF_TRUSTED_ARGS;
> >  	}
> >
> >  	/* check that BTF function arguments match actual types that the
> > @@ -6221,6 +6232,7 @@ static int btf_check_func_arg_match(struct
> > bpf_verifier_env *env,
> >  		enum bpf_arg_type arg_type = ARG_DONTCARE;
> >  		u32 regno = i + 1;
> >  		struct bpf_reg_state *reg = &regs[regno];
> > +		bool trusted_arg = false;
> >
> >  		t = btf_type_skip_modifiers(btf, args[i].type, NULL);
> >  		if (btf_type_is_scalar(t)) {
> > @@ -6239,6 +6251,7 @@ static int btf_check_func_arg_match(struct
> > bpf_verifier_env *env,
> >  		/* Check if argument must be a referenced pointer, args + i has
> >  		 * been verified to be a pointer (after skipping modifiers).
> >  		 */
> > +		trusted_arg = kf_trusted_args || is_kfunc_arg_ref(btf, args + i);
> >  		if (is_kfunc && trusted_arg && !reg->ref_obj_id) {
> >  			bpf_log(log, "R%d must be referenced\n", regno);
> >  			return -EINVAL;
> > diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> > index cbc9cd5058cb..247bfe52e585 100644
> > --- a/net/bpf/test_run.c
> > +++ b/net/bpf/test_run.c
> > @@ -691,7 +691,11 @@ noinline void
> bpf_kfunc_call_test_mem_len_fail2(u64
> > *mem, int len)
> >  {
> >  }
> >
> > -noinline void bpf_kfunc_call_test_ref(struct prog_test_ref_kfunc *p)
> > +noinline void bpf_kfunc_call_test_trusted(struct prog_test_ref_kfunc *p)
> > +{
> > +}
> > +
> > +noinline void bpf_kfunc_call_test_ref(struct prog_test_ref_kfunc *p__ref)
> >  {
> >  }
> >
> > @@ -718,7 +722,8 @@ BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail3)
> >  BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_pass1)
> >  BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail1)
> >  BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail2)
> > -BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_TRUSTED_ARGS)
> > +BTF_ID_FLAGS(func, bpf_kfunc_call_test_trusted, KF_TRUSTED_ARGS)
> > +BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref)
> >  BTF_SET8_END(test_sk_check_kfunc_ids)
> >
> >  static void *bpf_test_init(const union bpf_attr *kattr, u32 user_size,
> > --
> > 2.34.1




[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux