Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory

[RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 01/12] seccomp: Move no_new_privs check to after prepare_filter · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 02/12] bpf, seccomp: Add eBPF filter capabilities · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 03/12] seccomp, ptrace: Add a mechanism to retrieve attached eBPF seccomp filters · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 04/12] libbpf: recognize section "seccomp" · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 06/12] lsm: New hook seccomp_extended · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 05/12] samples/bpf: Add eBPF seccomp sample programs · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 07/12] bpf/verifier: allow restricting direct map access · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 08/12] seccomp-ebpf: restrict filter to almost cBPF if LSM request such · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 09/12] yama: (concept) restrict seccomp-eBPF with ptrace_scope · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory · YiFei Zhu <hidden> · 2021-05-10
Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory · Alexei Starovoitov <hidden> · 2021-05-11
Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory · YiFei Zhu <hidden> · 2021-05-11
Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory · Alexei Starovoitov <hidden> · 2021-05-12
Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory · YiFei Zhu <hidden> · 2021-05-13
Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory · Andy Lutomirski <luto@amacapital.net> · 2021-05-13
Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory · YiFei Zhu <hidden> · 2021-05-13
Re: [RFC PATCH bpf-next seccomp 10/12] seccomp-ebpf: Add ability to read user memory · Andy Lutomirski <luto@kernel.org> · 2021-05-13
[RFC PATCH bpf-next seccomp 11/12] bpf/verifier: support NULL-able ptr to BTF ID as helper argument · YiFei Zhu <hidden> · 2021-05-10
[RFC PATCH bpf-next seccomp 12/12] seccomp-ebpf: support task storage from BPF-LSM, defaulting to group leader · YiFei Zhu <hidden> · 2021-05-10
Re: [RFC PATCH bpf-next seccomp 12/12] seccomp-ebpf: support task storage from BPF-LSM, defaulting to group leader · Alexei Starovoitov <hidden> · 2021-05-11
Re: [RFC PATCH bpf-next seccomp 12/12] seccomp-ebpf: support task storage from BPF-LSM, defaulting to group leader · YiFei Zhu <hidden> · 2021-05-11
Re: [RFC PATCH bpf-next seccomp 12/12] seccomp-ebpf: support task storage from BPF-LSM, defaulting to group leader · Alexei Starovoitov <hidden> · 2021-05-12
Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · Andy Lutomirski <luto@kernel.org> · 2021-05-10
Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · YiFei Zhu <hidden> · 2021-05-11
Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · Andy Lutomirski <luto@kernel.org> · 2021-05-15
Re: [RFC PATCH bpf-next seccomp 00/12] eBPF seccomp filters · Christian Brauner <hidden> · 2021-05-20

From: Alexei Starovoitov <hidden>
Date: 2021-05-11 02:04:31
Also in: linux-security-module

On Mon, May 10, 2021 at 12:22:47PM -0500, YiFei Zhu wrote:

 
+BPF_CALL_3(bpf_probe_read_user_dumpable, void *, dst, u32, size,
+	   const void __user *, unsafe_ptr)
+{
+	int ret = -EPERM;
+
+	if (get_dumpable(current->mm))
+		ret = copy_from_user_nofault(dst, unsafe_ptr, size);

Could you explain a bit more how dumpable flag makes it safe for unpriv?
The unpriv prog is attached to the children tasks only, right?
and dumpable gets cleared if euid changes?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help