Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Song Liu <songliubraving@xxxxxxxx>
Subject: Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
From: Christoph Hellwig <hch@xxxxxxxxxxxxx>
Date: Wed, 30 Oct 2024 23:56:59 -0700
Cc: Christoph Hellwig <hch@xxxxxxxxxxxxx>, Christian Brauner <brauner@xxxxxxxxxx>, Jan Kara <jack@xxxxxxx>, Song Liu <song@xxxxxxxxxx>, bpf <bpf@xxxxxxxxxxxxxxx>, Linux-Fsdevel <linux-fsdevel@xxxxxxxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, Kernel Team <kernel-team@xxxxxxxx>, Andrii Nakryiko <andrii@xxxxxxxxxx>, Eduard Zingerman <eddyz87@xxxxxxxxx>, Alexei Starovoitov <ast@xxxxxxxxxx>, Daniel Borkmann <daniel@xxxxxxxxxxxxx>, Martin KaFai Lau <martin.lau@xxxxxxxxx>, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, KP Singh <kpsingh@xxxxxxxxxx>, Matt Bobrowski <mattbobrowski@xxxxxxxxxx>
In-reply-to: <41CA4718-EE8E-499B-AC3C-E22C311035E7@fb.com>

On Wed, Oct 30, 2024 at 08:44:26PM +0000, Song Liu wrote:
> Given bpf kfuncs can read user.* xattrs for almost a year now, I think we 
> cannot simply revert it. We already have some users using it. 
> 
> Instead, we can work on a plan to deprecated it. How about we add a 
> WARN_ON_ONCE as part of this patchset, and then remove user.* support 
> after some time?

As Christian mentioned having bpf access to user xattrs is probably
not a big issue.  OTOH anything that makes security decisions based
on it is probably pretty broken.  Not sure how you want to best
handle that.

Follow-Ups:
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Song Liu

References:
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Christoph Hellwig
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Song Liu
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Christoph Hellwig
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Song Liu
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Jan Kara
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Christian Brauner
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Christoph Hellwig
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Christian Brauner
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Christoph Hellwig
- Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
  - From: Song Liu

Prev by Date: Re: [PATCH v6 06/10] io_uring/rw: add support to send metadata along with read/write
Next by Date: [PATCH] fs/proc: Fix compile warning about variable 'vmcore_mmap_ops'
Previous by thread: Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
Next by thread: Re: [PATCH bpf-next 2/2] selftests/bpf: Extend test fs_kfuncs to cover security.bpf xattr names
Index(es):
- Date
- Thread

[Index of Archives] [Linux Ext4 Filesystem] [Union Filesystem] [Filesystem Testing] [Ceph Users] [Ecryptfs] [NTFS 3] [AutoFS] [Kernel Newbies] [Share Photos] [Security] [Netfilter] [Bugtraq] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux Cachefs] [Reiser Filesystem] [Linux RAID] [NTFS 3] [Samba] [Device Mapper] [CEPH Development]