Re: [PATCH bpf] Revert "bpf: program: Refuse non-O_RDWR flags in BPF_OBJ_GET"

[Maciej Żenczykowski]

On Fri, Jun 18, 2021 at 4:55 AM Lorenz Bauer <lmb@xxxxxxxxxxxxxx> wrote:
>
> On Fri, 18 Jun 2021 at 11:55, Maciej Żenczykowski
> <zenczykowski@xxxxxxxxx> wrote:
> >
> > This reverts commit d37300ed182131f1757895a62e556332857417e5.
> >
> > This breaks Android userspace which expects to be able to
> > fetch programs with just read permissions.
>
> Sorry about this! I'll defer to the maintainers what to do here.
> Reverting leaves us with a gaping hole for access control of pinned
> programs.


Not sure what hole you're referring to.  Could you provide more
details/explanation?

It seems perfectly reasonable to be able to get a program with just read privs.
After all, you're not modifying it, just using it.

AFAIK there is no way to modify a program after it was loaded, has this changed?
if so, the checks should be on the modifications not the fd fetch.

I guess one could argue fetching with write only privs doesn't make sense?

Anyway... userspace is broken... so revert is the answer.

In Android the process loading/pinning bpf maps/programs is a different
process (the 'bpfloader') to the users (which are far less privileged)