From: Roberto Sassu Sent: Friday, June 24, 2022 5:33 PM
From: Alexei Starovoitov [mailto:alexei.starovoitov@gmail.com] Sent: Thursday, June 23, 2022 10:54 PM On Thu, Jun 23, 2022 at 5:36 AM Roberto Sassu roberto.sassu@huawei.com wrote:
From: Roberto Sassu [mailto:roberto.sassu@huawei.com] Sent: Wednesday, June 22, 2022 9:12 AM
From: Alexei Starovoitov [mailto:alexei.starovoitov@gmail.com] Sent: Wednesday, June 22, 2022 12:33 AM On Tue, Jun 21, 2022 at 06:37:54PM +0200, Roberto Sassu wrote:
Add the bpf_lookup_user_key() and bpf_key_put() helpers, to
respectively
search a key with a given serial, and release the reference count of the found key.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com
include/uapi/linux/bpf.h | 16 ++++++++++++ kernel/bpf/bpf_lsm.c | 46
++++++++++++++++++++++++++++++++++
kernel/bpf/verifier.c | 6 +++-- scripts/bpf_doc.py | 2 ++ tools/include/uapi/linux/bpf.h | 16 ++++++++++++ 5 files changed, 84 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index e81362891596..7bbcf2cd105d 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -5325,6 +5325,20 @@ union bpf_attr {
**-EACCES** if the SYN cookie is not valid.**-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
- struct key *bpf_lookup_user_key(u32 serial, unsigned long flags)
Description
Search a key with a given *serial* and the provided *flags*,and
increment the reference count of the key.Why passing 'flags' is ok to do? Please think through every line of the patch.
To be honest, I thought about it. Probably yes, I should do some sanitization, like I did for the keyring ID. When I checked lookup_user_key(), I saw that flags are checked individually, so an arbitrary value passed to the helper should not cause harm. Will do sanitization, if you prefer. It is just that we have to keep the eBPF code in sync with key flag definition (unless we have a 'last' flag).
I'm not sure that having a helper for lookup_user_key() alone is correct. By having separate helpers for lookup and usage of the key, nothing would prevent an eBPF program to ask for a permission to pass the access control check, and then use the key for something completely different from what it requested.
Looking at how lookup_user_key() is used in security/keys/keyctl.c, it seems clear that it should be used together with the operation that needs to be performed. Only in this way, the key permission would make sense.
lookup is roughly equivalent to open when all permission checks are done. And using the key is read/write.
For bpf_verify_pkcs7_signature(), we need the search permission on the keyring containing the key used for signature verification.
Thanks
Roberto
(I was not told otherwise, I use my corporate email to send work to outside, so I have to keep the notice)
I can remove it. Just to let you know.
Roberto