On Sun, Nov 20, 2022 at 3:32 PM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > > On Sun, Nov 20, 2022 at 2:34 PM Alexei Starovoitov > <alexei.starovoitov@xxxxxxxxx> wrote: > > > > On Mon, Nov 21, 2022 at 02:19:30AM +0530, Kumar Kartikeya Dwivedi wrote: > > > On Mon, Nov 21, 2022 at 01:46:04AM IST, Alexei Starovoitov wrote: > > > > On Sun, Nov 20, 2022 at 11:57 AM Yonghong Song <yhs@xxxxxx> wrote: > > > > > > > > > > @@ -8938,6 +8941,24 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn, > > > > > regs[BPF_REG_0].type = PTR_TO_BTF_ID | PTR_TRUSTED; > > > > > regs[BPF_REG_0].btf = desc_btf; > > > > > regs[BPF_REG_0].btf_id = meta.ret_btf_id; > > > > > + } else if (meta.func_id == special_kfunc_list[KF_bpf_rdonly_cast]) { > > > > > + if (!capable(CAP_PERFMON)) { > > > > > + verbose(env, > > > > > + "kfunc bpf_rdonly_cast requires CAP_PERFMON capability\n"); > > > > > + return -EACCES; > > > > > + } > > > > > > > > Just realized that bpf_cast_to_kern_ctx() has to be > > > > gated by cap_perfmon as well. > > > > > > > > Also the direct capable(CAP_PERFMON) is not quite correct. > > > > It should at least be perfmon_capable(). > > > > But even better to use env->allow_ptr_leaks here. > > > > > > Based on this, I wonder if this needs to be done for bpf_obj_new as well? It > > > doesn't zero initialize the memory it returns (except special fields, which is > > > required for correctness), so technically it allows leaking kernel addresses > > > with just CAP_BPF (apart from capabilities needed for the specific program types > > > it is available to). > > > > > > Should that also have a env->allow_ptr_leaks check? > > > > Yeah. Good point. > > My first reaction was to audit everything where the verifier produces > > PTR_TO_BTF_ID and gate it with allow_ptr_leaks. > > But then it looks simpler to gate it once in check_ptr_to_btf_access(). > > Then bpf_rdonly_cast and everything wouldn't need those checks. > > Noticed that check_ptr_to_map_access is doing > "Simulate access to a PTR_TO_BTF_ID" > and has weird allow_ptr_to_map_access bool > which is the same as allow_ptr_leaks. > So I'm thinking we can remove allow_ptr_to_map_access > and add allow_ptr_leaks check to btf_struct_access() > which will cover all these cases. > > Also since bpf_cast_to_kern_ctx() is expected to be used out of > networking progs and those progs are not always GPL we should add > env->prog->gpl_compatible to btf_struct_access() too. Since that follow up will cover bpf_rdonly_cast too I've removed cap_perfmon check from this commit and will push this series shortly.