Re: [PATCH bpf-next v13 4/7] landlock: Add ptrace LSM hooks

From: Daniel Borkmann
Date: Fri Nov 08 2019 - 09:35:07 EST

Next message: Colin King: "[PATCH][next] drm/amd/display: fix dereference of pointer aconnector when it is null"
Previous message: Quentin Perret: "Re: [PATCH 4/7] sched: Optimize pick_next_task()"
In reply to: MickaÃl SalaÃn: "Re: [PATCH bpf-next v13 4/7] landlock: Add ptrace LSM hooks"
Next in thread: MickaÃl SalaÃn: "Re: [PATCH bpf-next v13 4/7] landlock: Add ptrace LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/8/19 3:08 PM, MickaÃl SalaÃn wrote:

On 06/11/2019 22:45, KP Singh wrote:

On 06-Nov 17:55, MickaÃl SalaÃn wrote:

On 06/11/2019 11:06, KP Singh wrote:

On 05-Nov 11:34, Alexei Starovoitov wrote:

On Tue, Nov 05, 2019 at 07:01:41PM +0100, MickaÃl SalaÃn wrote:

On 05/11/2019 18:18, Alexei Starovoitov wrote:

[...]

* Use a single BPF program type; this is necessary for a key requirement
of KRSI, i.e. runtime instrumentation. The upcoming prototype should
illustrate how this works for KRSI - note that itâs possible to vary
the context types exposed by different hooks.

Why a single BPF program type? Do you mean *attach* types? Landlock only
use one program type, but will use multiple attach types.

Why do you think it is necessary for KRSI or for runtime instrumentation?

If it is justified, it could be a dedicated program attach type (e.g.
BPF_LANDLOCK_INTROSPECTION).

What is the advantage to have the possibility to vary the context types
over dedicated *typed* contexts? I don't see any advantages, but at
least one main drawback: to require runtime checks (when helpers use
this generic context) instead of load time checks (thanks to static type
checking of the context).

Lets take security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
as one specific example here: the running kernel has its own internal
btf_vmlinux and therefore a complete description of itself. From verifier
side we can retrieve & introspect the security_sock_rcv_skb signatue and
thus know that the given BPF attachment point has struct sock and struct
sk_buff as input arguments which can then be accessed generically by the
prog in order to allow sk_filter_trim_cap() to pass or to drop the skb.
The same generic approach can be done for many of the other lsm hooks, so
single program type would be enough there and context is derived automatically,
no dedicated extra context per attach type would be needed and no runtime
checks as you mentioned above since its still all asserted at verification
time.

Thanks,
Daniel

Next message: Colin King: "[PATCH][next] drm/amd/display: fix dereference of pointer aconnector when it is null"
Previous message: Quentin Perret: "Re: [PATCH 4/7] sched: Optimize pick_next_task()"
In reply to: MickaÃl SalaÃn: "Re: [PATCH bpf-next v13 4/7] landlock: Add ptrace LSM hooks"
Next in thread: MickaÃl SalaÃn: "Re: [PATCH bpf-next v13 4/7] landlock: Add ptrace LSM hooks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]