linux/tools
Andrii Nakryiko cb8edce280 bpf: Support O_PATH FDs in BPF_OBJ_PIN and BPF_OBJ_GET commands
The current UAPI of the BPF_OBJ_PIN and BPF_OBJ_GET commands of the bpf()
syscall forces users to specify the pinning location as a string-based
absolute or relative (to the current working directory) path. This has
various implications related to security (e.g., symlink-based attacks)
and forces BPF FS to be exposed in the file system, which can cause races
with other applications.

One piece of feedback we got from folks working with containers heavily
was that the inability to use a purely FD-based location specification
was an unfortunate limitation and hindrance for the BPF_OBJ_PIN and
BPF_OBJ_GET commands. This patch closes this oversight, adding a path_fd
field to the BPF_OBJ_PIN and BPF_OBJ_GET UAPI, following the conventions
established by the *at() syscalls for dirfd + pathname combinations.

This now allows interesting possibilities like working with a detached
BPF FS mount (e.g., to perform multiple pinnings without running the risk
of someone interfering with them), and generally makes pinning/getting
more secure and not prone to any races and/or security attacks.

This is demonstrated by a selftest added in a subsequent patch that takes
advantage of the new mount APIs (fsopen, fsconfig, fsmount) to demonstrate
creating a detached BPF FS mount, pinning, and then getting a BPF map out
of it, all while never exposing this private instance of BPF FS to the
outside world.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Link: https://lore.kernel.org/bpf/20230523170013.728457-4-andrii@kernel.org
2023-05-23 23:31:42 +02:00
accounting delayacct: track delays from IRQ/SOFTIRQ 2023-04-18 16:39:34 -07:00
arch Disable building BPF based features by default for v6.4. 2023-05-07 11:32:18 -07:00
bootconfig
bpf bpftool: Specify XDP Hints ifname when loading program 2023-05-23 16:55:06 +02:00
build tools build: Add a feature test for scandirat(), that is not implemented so far in musl and uclibc 2023-04-04 13:18:17 -03:00
certs
cgroup
counter
debugging
edid
firewire
firmware
gpio
hv
iio
include bpf: Support O_PATH FDs in BPF_OBJ_PIN and BPF_OBJ_GET commands 2023-05-23 23:31:42 +02:00
io_uring
kvm/kvm_stat tools/kvm_stat: use canonical ftrace path 2023-03-29 06:52:08 -04:00
laptop
leds
lib libbpf: Start v1.3 development cycle 2023-05-23 21:39:12 +02:00
memory-model LKMM scripting updates for v6.4 2023-04-24 12:02:25 -07:00
mm slab changes for 6.4 2023-04-25 13:00:41 -07:00
net/ynl tools: ynl: Rename ethtool to ethtool.py 2023-04-13 22:18:29 -07:00
objtool Objtool changes for v6.4: 2023-04-28 14:02:54 -07:00
pci
pcmcia
perf Disable building BPF based features by default for v6.4. 2023-05-07 11:32:18 -07:00
power Power management updates for 6.4-rc1 2023-04-25 18:44:10 -07:00
rcu
scripts sh updates for v6.4 2023-04-27 17:41:23 -07:00
spi
testing selftests/bpf: Add xdp_feature selftest for bond device 2023-05-23 16:22:25 +02:00
thermal
time
tracing rtla/timerlat: Fix "Previous IRQ" auto analysis' line 2023-04-25 19:26:59 -04:00
usb
verification rv: Fix addition on an uninitialized variable 'run' 2023-04-25 17:02:13 -04:00
virtio tools/virtio: fix build caused by virtio_ring changes 2023-04-21 03:02:35 -04:00
wmi
Makefile tools/Makefile: do missed s/vm/mm/ 2023-04-18 14:22:12 -07:00