Re: [PATCH bpf] bpf: link: refuse non-zero file_flags in BPF_OBJ_GET
From: Andrii Nakryiko
Date: Fri Mar 26 2021 - 00:54:58 EST
On Thu, Mar 25, 2021 at 8:22 AM Lorenz Bauer <lmb@xxxxxxxxxxxxxx> wrote:
>
> Invoking BPF_OBJ_GET on a pinned bpf_link checks the path access
> permissions based on file_flags, but the returned fd ignores flags.
> This means that any user can acquire a "read-write" fd for a pinned
> link with mode 0664 by invoking BPF_OBJ_GET with BPF_F_RDONLY in
> file_flags. The fd can be used to invoke BPF_LINK_DETACH, etc.
>
> Fix this by refusing non-zero flags in BPF_OBJ_GET. Since zero flags
> imply O_RDWR this requires users to have read-write access to the
> pinned file, which matches the behaviour of the link primitive.
>
> libbpf doesn't expose a way to set file_flags for links, so this
> change is unlikely to break users.
>
> Fixes: 70ed506c3bbc ("bpf: Introduce pinnable bpf_link abstraction")
> Signed-off-by: Lorenz Bauer <lmb@xxxxxxxxxxxxxx>
> ---
Makes sense, but see below about details.
Also, should we do the same for BPF programs as well? I guess they
don't have a "write operation", once loaded, but still...
> kernel/bpf/inode.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
> index 1576ff331ee4..2f9e8115ad58 100644
> --- a/kernel/bpf/inode.c
> +++ b/kernel/bpf/inode.c
> @@ -547,7 +547,7 @@ int bpf_obj_get_user(const char __user *pathname, int flags)
> else if (type == BPF_TYPE_MAP)
> ret = bpf_map_new_fd(raw, f_flags);
> else if (type == BPF_TYPE_LINK)
> - ret = bpf_link_new_fd(raw);
> + ret = (flags) ? -EINVAL : bpf_link_new_fd(raw);
nit: unnecessary ()
I wonder if EACCESS would make more sense here? And check f_flags, not flags:
if (f_flags != O_RDWR)
ret = -EACCESS;
else
ret = bpf_link_new_fd(raw);
?
> else
> return -ENOENT;
>
> --
> 2.27.0
>