On Tue, Nov 1, 2022 at 11:11 AM David Vernet <void@xxxxxxxxxxxxx> wrote: > > > What kind of bpf prog will be able to pass 'struct nf_conn___init *' into these bpf_ct_* ? > > We've introduced / vs nf_conf specifically to express the relationship > > between allocated nf_conn and other nf_conn-s via different types. > > Why is this not enough? > > Kumar should have more context here (he originally suggested this in > [0]), Quoting: " Unfortunately a side effect of this change is that now since PTR_TO_BTF_ID without ref_obj_id is considered trusted, the bpf_ct_* functions would begin working with tp_btf args. " I couldn't find any tracepoint that has nf_conn___init as an argument. The whole point of that new type was to return it to bpf prog, so the verifier type matches it when it's passed into bpf_ct_* in turn. So I don't see a need for a new OWNED flag still. If nf_conn___init is passed into tracepoint it's a bug and we gotta fix it. > but AFAICT you're correct that this should be sufficient. I added > a negative test case that correctly fails if a BPF program tries to call > these helpers with a struct nf_conn* rather than a struct > nf_conn__init*. > > [0]: https://lore.kernel.org/all/CAP01T77PTK+bD2mBrxJShKNPhEypT2+nSHcr3=uuJbrghv_wFg@xxxxxxxxxxxxxx/ > > > I prefer to keep only one flag KF_TRUSTED_ARGS that kfunc-s need to use > > and eventually make all kfuncs KF_TRUSTED_ARGS by default and remove that flag. > > Yes, KF_TRUSTED_ARGS really should be the default. As Kumar describes in > [1], we'll have to figure out how to avoid trace progs with unsafe args > from calling these kfuncs. Maybe the right thing to do is allow-listing > rather than deny-listing, as you pointed out. > > [1]: https://lore.kernel.org/bpf/CAP01T77goGbF3GVithEuJ7yMQR9PxHNA9GXFODq_nfA66G=F9g@xxxxxxxxxxxxxx/ That is still the plan. more or less. > > Separately... > > I think there was a plan to strengthen PTR_TO_BTF_ID and apply PTR_UNTRUSTED. > > That would be nice if we could do it. I assume that the issue is we're > breaking backwards compat if we do, so I'd be curious to hear what the > plan was if you're aware. The only plan that I've seen so far is what > Kumar spelled out above in [1] above. Right. Backward compat with existing usage of PTR_TO_BTF_ID is the main issue. > > > This PTR_WALKED looks like new thing. > > If we really need it PTR_TO_BTF_ID should be allowlisted instead of denylisted > > as PTR_WALKED is doing. > > I mean we can introduce PTR_TRUSTED and add this flag to return value > > of bpf_get_current_task_btf() and arguments of tracepoints. > > As soon as any ptr walking is done we can clear PTR_TRUSTED to keep > > backward compat behavior of PTR_TO_BTF_ID. > > PTR_WALKED is sort-of doing the same, but not conservative enough. > > Too many things produce PTR_TO_BTF_ID. Auditing it all is challenging. > > I very much prefer the idea of allowlisting instead of denylisting, > though I wish we'd taken that approach from the start rather than going > with PTR_UNTRUSTED. It feels wrong to have both PTR_UNTRUSTED and > PTR_TRUSTED as type modifiers, as the absence of PTR_UNTRUSTED should > (and currently does) imply PTR_TRUSTED. I kind agree, but we gotta have both because of backward compat. We cannot change PTR_TO_BTF_ID as a whole right now. Note PTR_TO_BTF_ID appears in kfuncs too. I'm proposing to use PTR_TO_BTF_ID | PTR_TRUSTED only in tracepoint args and as return value from certain helpers like bpf_get_current_task_btf(). afaik it's all safe. There is no uaf here. uaf is for kfunc. Especially fexit. Those will stay PTR_TO_BTF_ID. Without PTR_TRUSTED. > > If we're going to go with an allowlist approach, then I think we should > just get rid of PTR_UNTRUSTED altogether. Is that what you're > suggesting? Otherwise, if we don't get rid of PTR_UNTRUSTED, then > PTR_WALKED seems like a more natural type modifier addition. Eventually either PTR_TRUSTED or PTR_UNTRUSTED will be removed. > > I might have missed earlier discussions on this patch set. Apologies if so. > > Just FYI, the main initial thread where this was all discussed was [2]. > > [2]: https://lore.kernel.org/all/CAP01T76OR3J_P8YMq4ZgKHBpuZyA0zgsPy+tq9htbX=j6AVyOg@xxxxxxxxxxxxxx/
