On Fri, Mar 8, 2024 at 2:36 AM Christian Brauner <brauner@xxxxxxxxxx> wrote: > > > These exports are specifically for an out-of-tree BPF LSM program that > is not accessible to the public. The question in the other mail stands. The question was already answered. You just don't like the answer. bpf progs are not equivalent to kernel modules. They have completely different safety and visibility properties. The safety part I already talked about. Sounds like the visibility has to be explained. Kernel modules are opaque binary blobs. bpf programs are fully transparent. The intent is known to the verifier and to anyone with understanding of bpf assembly. Those that cannot read bpf asm can read C source code that is embedded in the bpf program in kernel memory. It's not the same as "llvm-dwarfdump module.ko" on disk. The bpf prog source code is loaded into the kernel at program verification time for debugging and visibility reasons. If there is a verifier bug and bpf manages to crash the kernel vmcore will have relevant lines of program C source code right there. Hence out-of-tree or in-tree bpf makes no practical difference. The program cannot hide its meaning and doesn't hamper debugging. Hence adding EXPORT_SYMBOL == Brace for impact! Expect crashes, api misuse and what not. While adding bpf_kfunc is a nop for kernel development. If kfunc is in the way of code refactoring it can be removed (as we demonstrated several times). A kfunc won't cause headaches for the kernel code it is calling (assuming no verifier bugs). If there is a bug it's on us to fix it as we demonstrated in the past. For example: bpf_probe_read_kernel(). It's a wrapper of copy_from_kernel_nofault() and over the years bpf users hit various bugs in copy_from_kernel_nofault(), reported them, and _bpf developers_ fixed them. Though copy_from_kernel_nofault() is as generic as it can get and the same bugs could have been reproduced without bpf we took care of fixing these parts of the kernel. Look at path_put(). It's EXPORT_SYMBOL and any kernel module can easily screw up reference counting, so that sooner or later distro folks will experience debug pains due to out-of-tree drivers. kfunc that calls path_put() won't have such consequences. The verifier will prevent path_put() on a pointer that wasn't acquired by the same bpf program. No support pains. It's a nop for vfs folks. > > First of all, there is no such thing as get_task_fs_pwd/root > > in the kernel. > > Yeah, we'd need specific helpers for a never seen before out-of-tree BPF > LSM. I don't see how that's different from an out-of-tree kernel module. Sorry, but you don't seem to understand what bpf can and cannot do, hence they look similar. > > One can argue that get_mm_exe_file() is not exported, > > but it's nothing but rcu_lock-wrap plus get_file_rcu() > > which is EXPORT_SYMBOL. > > Oh, good spot. That's an accident. get_file_rcu() definitely shouldn't > be exported. So that'll be removed asap. So, just to make a point that "Included in that set are functions that aren't currently even exported to modules" you want to un-export get_file_rcu() ? Because as the patch stands today everything that these kfuncs are calling is EXPORT_SYMBOL.
