lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20220727184903.4d24a00a@kernel.org>
Date:   Wed, 27 Jul 2022 18:49:03 -0700
From:   Jakub Kicinski <kuba@...nel.org>
To:     Martin KaFai Lau <kafai@...com>
Cc:     Stanislav Fomichev <sdf@...gle.com>, bpf@...r.kernel.org,
        netdev@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
        Andrii Nakryiko <andrii@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        David Miller <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>, kernel-team@...com,
        Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH bpf-next 02/14] bpf: net: Avoid sock_setsockopt() taking
 sk lock when called from bpf

On Wed, 27 Jul 2022 17:45:46 -0700 Martin KaFai Lau wrote:
> > bool setsockopt_capable(struct user_namespace *ns, int cap)
> > {
> >        if (!in_task()) {
> >              /* Running in irq/softirq -> setsockopt invoked by bpf program.
> >               * [not sure, is it safe to assume no regular path leads
> > to setsockopt from sirq?]
> >               */
> >              return true;
> >        }
> > 
> >        /* Running in process context, task has bpf_ctx set -> invoked
> > by bpf program. */
> >        if (current->bpf_ctx != NULL)
> >              return true;
> > 
> >        return ns_capable(ns, cap);
> > }
> > 
> > And then do /ns_capable/setsockopt_capable/ in net/core/sock.c
> > 
> > But that might be more fragile than passing the flag, idk.  
> I think it should work.  From a quick look, all bpf_setsockopt usage has
> bpf_ctx.  The one from bpf_tcp_ca (struct_ops) and bpf_iter is trampoline
> which also has bpf_ctx.  Not sure about the future use cases.
> 
> To be honest, I am not sure if I have missed cases and also have similar questions
> your have in the above sample code.  This may deserve a separate patch
> set for discussion.  Using a bit in sockptr is mostly free now.
> WDYT ?

Sorry to chime in but I vote against @in_bpf. I had to search the git
history recently to figure out what SK_USER_DATA_BPF means. It's not
going to be obvious to a networking person what semantics to attribute
to "in bpf".

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ