lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAEf4BzaQUXGi3jA5rDUTaE5DY0JjwSZyXH190q-HWQUtYSD_Vg@mail.gmail.com>
Date: Mon, 9 Oct 2023 17:23:19 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Paul Moore <paul@...l-moore.com>
Cc: Christian Brauner <brauner@...nel.org>, Andrii Nakryiko <andrii@...nel.org>, bpf@...r.kernel.org, 
	netdev@...r.kernel.org, linux-fsdevel@...r.kernel.org, 
	linux-security-module@...r.kernel.org, keescook@...omium.org, 
	lennart@...ttering.net, kernel-team@...a.com, sargun@...gun.me
Subject: Re: [PATCH v5 bpf-next 03/13] bpf: introduce BPF token object

On Mon, Oct 9, 2023 at 3:53 PM Paul Moore <paul@...l-moore.com> wrote:
>
> On Wed, Sep 27, 2023 at 12:03 PM Andrii Nakryiko
> <andrii.nakryiko@...il.com> wrote:
> > On Wed, Sep 27, 2023 at 2:52 AM Christian Brauner <brauner@...nel.org> wrote:
>
> ...
>
> > > IOW, everything stays the same apart from the fact that bpf token fds
> > > are actually file descriptors referring to a detached bpffs file instead
> > > of an anonymous inode file. IOW, bpf tokens are actual bpffs objects
> > > tied to a bpffs instance.
> >
> > Ah, ok, this is a much smaller change than what I was about to make.
> > I'm glad I asked and thanks for elaborating! I'll use
> > alloc_file_pseudo() using bpffs mount in the next revision.
>
> Just a FYI, I'm still looking at v6 now, but moving from an anon_inode
> to a bpffs inode may mean we need to drop a LSM hook in
> bpf_token_create() to help mark the inode as a BPF token.  Not a big
> deal either way, and I think it makes sense to use a bpffs inode as
> opposed to an anonymous inode, just wanted to let you know.

Thanks for the heads up. I was about to post a new revision rebased on
the latest bpf-next and with an unrelated selftest fix, but I'll give
it a bit more time to get your feedback and incorporate it into the
next revision. Thanks!

>
> --
> paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ