Re: [PATCH bpf] Revert "bpf: program: Refuse non-O_RDWR flags in BPF_OBJ_GET"
From: Maciej Żenczykowski
Date: Fri Jun 18 2021 - 14:38:20 EST
On Fri, Jun 18, 2021 at 4:55 AM Lorenz Bauer <lmb@xxxxxxxxxxxxxx> wrote:
>
> On Fri, 18 Jun 2021 at 11:55, Maciej Żenczykowski
> <zenczykowski@xxxxxxxxx> wrote:
> >
> > This reverts commit d37300ed182131f1757895a62e556332857417e5.
> >
> > This breaks Android userspace which expects to be able to
> > fetch programs with just read permissions.
>
> Sorry about this! I'll defer to the maintainers what to do here.
> Reverting leaves us with a gaping hole for access control of pinned
> programs.
Not sure what hole you're referring to. Could you provide more
details/explanation?
It seems perfectly reasonable to be able to get a program with just read privs.
After all, you're not modifying it, just using it.
AFAIK there is no way to modify a program after it was loaded, has this changed?
if so, the checks should be on the modifications not the fd fetch.
I guess one could argue fetching with write only privs doesn't make sense?
Anyway... userspace is broken... so revert is the answer.
In Android the process loading/pinning bpf maps/programs is a different
process (the 'bpfloader') to the users (which are far less privileged)