On Wed, Oct 26, 2016 at 10:03:09PM +0200, Mickaël Salaün wrote: > On 26/10/2016 21:01, Jann Horn wrote: > > On Wed, Oct 26, 2016 at 08:56:39AM +0200, Mickaël Salaün wrote: > >> This new arraymap looks like a set and brings new properties: > >> * strong typing of entries: the eBPF functions get the array type of > >> elements instead of CONST_PTR_TO_MAP (e.g. > >> CONST_PTR_TO_LANDLOCK_HANDLE_FS); > >> * force sequential filling (i.e. replace or append-only update), which > >> allow quick browsing of all entries. > >> > >> This strong typing is useful to statically check if the content of a map > >> can be passed to an eBPF function. For example, Landlock use it to store > >> and manage kernel objects (e.g. struct file) instead of dealing with > >> userland raw data. This improve efficiency and ensure that an eBPF > >> program can only call functions with the right high-level arguments. > >> > >> The enum bpf_map_handle_type list low-level types (e.g. > >> BPF_MAP_HANDLE_TYPE_LANDLOCK_FS_FD) which are identified when > >> updating a map entry (handle). This handle types are used to infer a > >> high-level arraymap type which are listed in enum bpf_map_array_type > >> (e.g. BPF_MAP_ARRAY_TYPE_LANDLOCK_FS). > >> > >> For now, this new arraymap is only used by Landlock LSM (cf. next > >> commits) but it could be useful for other needs. > >> > >> Changes since v3: > >> * make handle arraymap safe (RCU) and remove buggy synchronize_rcu() > >> * factor out the arraymay walk > >> > >> Changes since v2: > >> * add a RLIMIT_NOFILE-based limit to the maximum number of arraymap > >> handle entries (suggested by Andy Lutomirski) > >> * remove useless checks > >> > >> Changes since v1: > >> * arraymap of handles replace custom checker groups > >> * simpler userland API > > [...] > >> + case BPF_MAP_HANDLE_TYPE_LANDLOCK_FS_FD: > >> + handle_file = fget(handle->fd); > >> + if (IS_ERR(handle_file)) > >> + return ERR_CAST(handle_file); > >> + /* check if the FD is tied to a user mount point */ > >> + if (unlikely(handle_file->f_path.mnt->mnt_flags & MNT_INTERNAL)) { > >> + fput(handle_file); > >> + return ERR_PTR(-EINVAL); > >> + } > >> + path_get(&handle_file->f_path); > >> + ret = kmalloc(sizeof(*ret), GFP_KERNEL); > >> + ret->path = handle_file->f_path; > >> + fput(handle_file); > > > > You can use fdget() and fdput() here because the reference to > > handle_file is dropped before the end of the syscall. > > The reference to handle_file is dropped but not the reference to the > (inner) path thanks to path_get(). That's irrelevant. As long as you promise to fdput() any references acquired using fdget() before any of the following can happen, using fdget() is okay: - the syscall exits - the fd table is shared with a process that might write to it - an fd is closed by the kernel In other words, you must be able to prove that nobody can remove the struct file * from your fd table before you fdput(). Taking a long-term reference to an object pointed to by a struct file that was looked up with fdget() is fine.
Attachment:
signature.asc
Description: Digital signature