Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: YiFei Zhu <zhuyifei1999@xxxxxxxxx>
Subject: Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory
From: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
Date: Mon, 10 May 2021 19:04:25 -0700
Cc: containers@xxxxxxxxxxxxxxx, bpf@xxxxxxxxxxxxxxx, YiFei Zhu <yifeifz2@xxxxxxxxxxxx>, linux-security-module@xxxxxxxxxxxxxxx, Alexei Starovoitov <ast@xxxxxxxxxx>, Andrea Arcangeli <aarcange@xxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxxxxxx>, Austin Kuo <hckuo2@xxxxxxxxxxxx>, Claudio Canella <claudio.canella@xxxxxxxxxxxxxx>, Daniel Borkmann <daniel@xxxxxxxxxxxxx>, Daniel Gruss <daniel.gruss@xxxxxxxxxxxxxx>, Dimitrios Skarlatos <dskarlat@xxxxxxxxxx>, Giuseppe Scrivano <gscrivan@xxxxxxxxxx>, Hubertus Franke <frankeh@xxxxxxxxxx>, Jann Horn <jannh@xxxxxxxxxx>, Jinghao Jia <jinghao7@xxxxxxxxxxxx>, Josep Torrellas <torrella@xxxxxxxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, Sargun Dhillon <sargun@xxxxxxxxx>, Tianyin Xu <tyxu@xxxxxxxxxxxx>, Tobin Feldman-Fitzthum <tobin@xxxxxxx>, Tom Hromatka <tom.hromatka@xxxxxxxxxx>, Will Drewry <wad@xxxxxxxxxxxx>
In-reply-to: <53db70ed544928d227df7e3f3a1f8c53e3665c65.1620499942.git.yifeifz2@illinois.edu>
References: <cover.1620499942.git.yifeifz2@illinois.edu> <53db70ed544928d227df7e3f3a1f8c53e3665c65.1620499942.git.yifeifz2@illinois.edu>

On Mon, May 10, 2021 at 12:22:47PM -0500, YiFei Zhu wrote:
>  
> +BPF_CALL_3(bpf_probe_read_user_dumpable, void *, dst, u32, size,
> +	   const void __user *, unsafe_ptr)
> +{
> +	int ret = -EPERM;
> +
> +	if (get_dumpable(current->mm))
> +		ret = copy_from_user_nofault(dst, unsafe_ptr, size);

Could you explain a bit more how dumpable flag makes it safe for unpriv?
The unpriv prog is attached to the children tasks only, right?
and dumpable gets cleared if euid changes?

Follow-Ups:
- Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory
  - From: YiFei Zhu

References:
- [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters
  - From: YiFei Zhu
- [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory
  - From: YiFei Zhu

Prev by Date: Re: [RFC PATCH bpf-next seccomp 12/12] seccomp-ebpf: support task storage from BPF-LSM, defaulting to group leader
Next by Date: Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters
Previous by thread: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory
Next by thread: Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory
Index(es):
- Date
- Thread

[Index of Archives] [Cgroups] [Netdev] [Linux Wireless] [Kernel Newbies] [Security] [Linux for Hams] [Netfilter] [Bugtraq] [Yosemite Forum] [MIPS Linux] [ARM Linux] [Linux RAID] [Linux Admin] [Samba]