[PATCH v5 bpf-next 4/5] bpf: fs/xattr: Add BPF kfuncs to set and remove xattrs

Song Liu songliubraving at meta.com
Thu Dec 19 06:59:44 UTC 2024 

> On Dec 18, 2024, at 4:17 PM, Alexei Starovoitov <alexei.starovoitov at gmail.com> wrote:

[...]

>>> This part is not necessary.
>>> _locked() shouldn't be exposed and it should be an error
>>> if bpf prog attempts to use invalid kfunc.
>> 
>> I was implementing this in different way than the solution you and Kumar
>> suggested. Instead of updating this in add_kfunc_call, check_kfunc_call,
>> and fixup_kfunc_call, remap_kfunc_locked_func_id happens before
>> add_kfunc_call. Then, for the rest of the process, the verifier handles
>> _locked version and not _locked version as two different kfuncs. This is
>> why we need the _locked version in bpf_fs_kfunc_set_ids. I personally
>> think this approach is a lot cleaner.
> 
> I see. Blind rewrite in add_kfunc_call() looks simpler,
> but allowing progs call _locked() version directly is not clean.

Agreed. 

> 
> See specialize_kfunc() as an existing approach that does polymorphism.
> 
> _locked() doesn't need to be __bpf_kfunc annotated.
> It can be just like bpf_dynptr_from_skb_rdonly.

I am thinking about a more modular approach. Instead of pushing the
polymorphism logic to verifer.c, we can have each btf_kfunc_id_set 
handle the remap of its kfuncs. Specifically, we can extend 
btf_kfunc_id_set as:

typedef u32 (*btf_kfunc_remap_t)(const struct bpf_prog *prog, u32 kfunc_id);

struct btf_kfunc_id_set {
        struct module *owner;
        struct btf_id_set8 *set;
        /* hidden_set contains kfuncs that are not marked as kfunc in
         * vmlinux.h. These kfuncs are usually a variation of a kfunc
         * in @set.
         */
        struct btf_id_set8 *hidden_set;
        btf_kfunc_filter_t filter;
        /* @remap method matches kfuncs in @set to proper version in
         * @hidden_set.
         */
        btf_kfunc_remap_t remap;
};

In this case, not_locked version of kfuncs will be added to @set;
while _locked kfuncs will be added to @hidden_set. @hidden_set 
will not be exposed in vmlinux.h. Then the new remap method is 
used to map not_locked kfuncs to _locked kfuncs for inode-locked 
context. 

We can also move bpf_dynptr_from_skb_rdonly to this model, and 
simplify specialize_kfunc(). 

I will send patch for this version for review. 

Thanks,
Song

More information about the Linux-security-module-archive mailing list