
BPF token and BPF FS-based delegation #5959

Closed

Conversation

kernel-patches-daemon-bpf[bot]

Pull request for series with
subject: BPF token and BPF FS-based delegation
version: 10
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=800113

@kernel-patches-daemon-bpf (Author)

Upstream branch: 155addf
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=800113
version: 10

@kernel-patches-daemon-bpf (Author)

Upstream branch: 689b097
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=800113
version: 10

@kernel-patches-daemon-bpf (Author)

Upstream branch: 9241176
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=800113
version: 10

@kernel-patches-daemon-bpf (Author)

Upstream branch: b8e3a87
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=800113
version: 10

@kernel-patches-daemon-bpf (Author)

Upstream branch: 100888f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=800113
version: 10

@kernel-patches-daemon-bpf (Author)

Upstream branch: 727a92d
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=800113
version: 10

Wire through token_fd into bpf_prog_load().

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Add a selftest that attempts to conceptually replicate intended BPF
token use cases inside a user namespaced container.

A child process is forked. It is then put into its own userns and mountns.
The child creates a BPF FS context object. This ensures the child userns is
captured as the owning userns for this instance of BPF FS. Given that setting
delegation mount options is a privileged operation, we ensure that the child
cannot set them.

This context is passed back to the privileged parent process through a Unix
socket, where the parent sets up delegation options, creates, and mounts it
as a detached mount. This mount FD is passed back to the child to be
used for BPF token creation, which allows otherwise privileged BPF
operations to succeed inside the userns.

We validate that all token-enabled privileged commands (BPF_BTF_LOAD,
BPF_MAP_CREATE, and BPF_PROG_LOAD) work as intended. They should only
succeed inside the userns if a) a BPF token is provided with proper
allowed sets of commands and types; and b) namespaced CAP_BPF and other
privileges are set. Lacking a) or b) should lead to -EPERM failures.

Based on the suggested workflow by Christian Brauner ([0]).

  [0] https://lore.kernel.org/bpf/20230704-hochverdient-lehne-eeb9eeef785e@brauner/

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>

Utilize the newly added bpf_token_create/bpf_token_free LSM hooks to
allocate a struct bpf_security_struct for each BPF token object in
SELinux. This just follows a similar pattern to the one for BPF prog and map.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
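The hand-off the selftest description above sketches, as an added example that is not code from the patch series or from the kernel selftests: the fd passing over a Unix socket (SCM_RIGHTS) is the reusable part and is what the self-check exercises, while delegation_demo() strings the whole flow together (fork, unshare into a userns+mountns, fsopen/fsconfig/fsmount, BPF_TOKEN_CREATE) and needs a kernel with this series merged. The syscall numbers and flag values are the asm-generic ones; the BPF_TOKEN_CREATE command number, the token_create attr layout and the "any" value for the delegate_* mount options are assumptions taken from the merged uapi rather than from the v10 series on this page.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mount API syscall numbers (asm-generic values) and flags, in case the libc headers predate them. */
#ifndef SYS_fsopen
enum { SYS_fsopen = 430, SYS_fsconfig = 431, SYS_fsmount = 432 };
#endif
/* BPF_TOKEN_CREATE number and attr layout are assumptions from the merged uapi, not from this v10 series. */
enum { FSOPEN_CLOEXEC_ = 1, FSCONFIG_SET_STRING_ = 1, FSCONFIG_CMD_CREATE_ = 6, FSMOUNT_CLOEXEC_ = 1, BPF_TOKEN_CREATE_ = 36 };
struct token_create_attr { unsigned int flags; unsigned int bpffs_fd; };
union fdmsg { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; }; /* control buffer for exactly one fd */
static void die(const char *what) { perror(what); exit(1); }

/* Pass one fd over a Unix socket with SCM_RIGHTS; the receiver gets its own fd to the same open file. */
int send_fd(int sock, int fd)
{
    char byte = 0;
    struct iovec iov = { &byte, 1 };
    union fdmsg u = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);

    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd; returns -1 unless the message carries exactly one SCM_RIGHTS fd. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { &byte, 1 };
    union fdmsg u = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c;
    int fd;

    if (recvmsg(sock, &msg, 0) != 1 || !(c = CMSG_FIRSTHDR(&msg)) || c->cmsg_level != SOL_SOCKET ||
        c->cmsg_type != SCM_RIGHTS || c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Self-check of the hand-off: a pipe's read end crosses a socketpair and still yields the bytes written. */
int fd_passing_roundtrip(void)
{
    int sv[2], p[2], got, ok;
    char buf[3] = { 0 };

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0 || write(p[1], "tok", 3) != 3)
        return 0;
    got = send_fd(sv[0], p[0]) == 0 ? recv_fd(sv[1]) : -1;
    close(p[0]);                      /* original fd is gone; only the received copy can still read */
    ok = got >= 0 && got != p[0] && read(got, buf, 3) == 3 && memcmp(buf, "tok", 3) == 0;
    if (got >= 0) close(got);
    close(p[1]); close(sv[0]); close(sv[1]);
    return ok;
}

/* The selftest workflow: the child, in a fresh userns+mountns, opens a "bpf" FS context (owned by that
 * userns) and shows it cannot set delegation options; the privileged parent sets them, creates and
 * fsmount()s a detached mount and hands it back; the child creates a token from it. Needs a token-capable kernel. */
int delegation_demo(void)
{
    static const char *const opts[] = { "delegate_cmds", "delegate_maps", "delegate_progs", "delegate_attachs" };
    struct token_create_attr attr = { 0, 0 };
    int sv[2], fsfd, mntfd, tokfd, status; pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) die("socketpair/fork");
    if (pid == 0) {                   /* child: the unprivileged, namespaced side */
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) die("unshare");
        if ((fsfd = syscall(SYS_fsopen, "bpf", FSOPEN_CLOEXEC_)) < 0) die("fsopen");
        if (syscall(SYS_fsconfig, fsfd, FSCONFIG_SET_STRING_, "delegate_cmds", "any", 0) == 0)
            { fputs("child could set delegate_cmds, expected EPERM\n", stderr); exit(1); }
        if (send_fd(sv[1], fsfd) < 0 || (mntfd = recv_fd(sv[1])) < 0) die("fd hand-off");
        attr.bpffs_fd = mntfd;
        if ((tokfd = syscall(SYS_bpf, BPF_TOKEN_CREATE_, &attr, sizeof(attr))) < 0) die("BPF_TOKEN_CREATE");
        printf("token fd %d created inside the userns from the delegated bpffs mount\n", tokfd); exit(0);
    }
    /* parent: the privileged side applies the delegation options and mounts */
    if ((fsfd = recv_fd(sv[0])) < 0) die("recv context fd");
    for (size_t i = 0; i < sizeof(opts) / sizeof(*opts); i++)
        if (syscall(SYS_fsconfig, fsfd, FSCONFIG_SET_STRING_, opts[i], "any", 0) < 0) die(opts[i]);
    if (syscall(SYS_fsconfig, fsfd, FSCONFIG_CMD_CREATE_, NULL, NULL, 0) < 0) die("fsconfig create");
    if ((mntfd = syscall(SYS_fsmount, fsfd, FSMOUNT_CLOEXEC_, 0)) < 0 || send_fd(sv[0], mntfd) < 0) die("fsmount");
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}

int main(void) { return delegation_demo(); }
```

Run as root on a kernel that carries the token series; the child's attempt to set delegate_cmds from inside its own userns has to fail, which is exactly the property the selftest checks, and because the parent returns a detached fsmount() fd rather than a path, nothing is ever exposed in the child's mount namespace beyond the one delegated instance. The self-check only needs a socketpair and a pipe, so it runs unprivileged on any Linux.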
@kernel-patches-daemon-bpf (Author)

Upstream branch: 81427a6
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=800113
version: 10

@kernel-patches-daemon-bpf (Author)

Upstream branch: 9cea90c
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=800113
version: 10

Pull request is NOT updated. Failed to apply https://patchwork.kernel.org/project/netdevbpf/list/?series=800113
error message:

Cmd('git') failed due to: exit code(128)
  cmdline: git am --3way
  stdout: 'Applying: bpf: align CAP_NET_ADMIN checks with bpf_capable() approach
Applying: bpf: add BPF token delegation mount options to BPF FS
Applying: bpf: introduce BPF token object
Applying: bpf: add BPF token support to BPF_MAP_CREATE command
Applying: bpf: add BPF token support to BPF_BTF_LOAD command
Applying: bpf: add BPF token support to BPF_PROG_LOAD command
Patch failed at 0006 bpf: add BPF token support to BPF_PROG_LOAD command
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".'
  stderr: 'error: sha1 information is lacking or useless (include/uapi/linux/bpf.h).
error: could not build fake ancestor
hint: Use 'git am --show-current-patch=diff' to see the failed patch'

conflict:


@kernel-patches-daemon-bpf (Author)

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=798725 irrelevant now. Closing PR.
