Re: [PATCH bpf-next v1 1/2] bpf: Add support for per-parameter trusted args

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Aug 2, 2022 at 3:07 AM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
>
> > From: Alexei Starovoitov [mailto:alexei.starovoitov@xxxxxxxxx]
> > Sent: Tuesday, August 2, 2022 6:46 AM
> >
> > On Thu, Jul 28, 2022 at 2:02 AM Kumar Kartikeya Dwivedi
> > <memxor@xxxxxxxxx> wrote:
> > >
> > > On Thu, 28 Jul 2022 at 10:45, Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> > wrote:
> > > >
> > > > On Thu, 28 Jul 2022 at 10:18, Roberto Sassu <roberto.sassu@xxxxxxxxxx>
> > wrote:
> > > > >
> > > > > > From: Roberto Sassu [mailto:roberto.sassu@xxxxxxxxxx]
> > > > > > Sent: Thursday, July 28, 2022 9:46 AM
> > > > > > > From: Kumar Kartikeya Dwivedi [mailto:memxor@xxxxxxxxx]
> > > > > > > Sent: Wednesday, July 27, 2022 10:16 AM
> > > > > > > Similar to how we detect mem, size pairs in kfunc, teach verifier to
> > > > > > > treat __ref suffix on argument name to imply that it must be a trusted
> > > > > > > arg when passed to kfunc, similar to the effect of KF_TRUSTED_ARGS
> > flag
> > > > > > > but limited to the specific parameter. This is required to ensure that
> > > > > > > kfunc that operate on some object only work on acquired pointers and
> > not
> > > > > > > normal PTR_TO_BTF_ID with same type which can be obtained by
> > pointer
> > > > > > > walking. Release functions need not specify such suffix on release
> > > > > > > arguments as they are already expected to receive one referenced
> > > > > > > argument.
> > > > > >
> > > > > > Thanks, Kumar. I will try it.
> > > > >
> > > > > Uhm. I realized that I was already using another suffix,
> > > > > __maybe_null, to indicate that a caller can pass NULL as
> > > > > argument.
> > > > >
> > > > > Wouldn't probably work well with two suffixes.
> > > > >
> > > >
> > > > Then you can maybe extend it to parse two suffixes at most (for now
> > atleast)?
> > > >
> > > > > Have you considered to extend BTF_ID_FLAGS to take five
> > > > > extra arguments, to set flags for each kfunc parameter?
> > > > >
> > > >
> > > > I didn't understand this. Flags parameter is an OR of the flags you
> > > > set, why would we want to extend it to take 5 args?
> > > > You can just or f1 | f2 | f3 | f4 | f5, as many as you want.
> > >
> > > Oh, so you mean having 5 more args to indicate flags on each
> > > parameter? It is possible, but I think the scheme for now works ok. If
> > > you extend it to parse two suffixes, it should be fine. Yes, the
> > > variable name would be ugly, but you can just make a copy into a
> > > properly named one. This is the best we can do without switching to
> > > BTF tags. We can revisit this when we start having 4 or 5 tags on a
> > > single parameter.
> > >
> > > To make it a bit less verbose you could probably call maybe_null just null?
> >
> > Thank you for posting the patch.
> > It still feels that this extra flexibility gets convoluted.
> > I'm not sure Roberto's kfunc actually needs __ref.
> > All pointers should be pointers. Hacking -1 and -2 into a pointer
> > is something that key infra did, but it doesn't mean that
> > we have to carry over it into bpf kfunc.
>
> There is a separate parameter for the keyring IDs that only
> verify_pkcs7_signature() understands. Type casting is done
> internally in the bpf_verify_pkcs7_signature() kfunc.
>
> The other is always a valid struct key pointer or NULL, coming
> from bpf_lookup_user_key() (acquire function). I extended
> Kumar's patch further to annotate the struct key parameter
> with the _ref_null suffix, to accept a referenced pointer or NULL,
> instead of just referenced.

I don't think it's a good tradeoff complexity wise.
!=null check can be done in runtime by the helper.
The type cast is a sign of something fishy in the design.



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux