On Tue, Jun 28, 2022 at 7:23 PM Al Viro [off-list ref] wrote:

On Tue, Jun 28, 2022 at 04:19:47PM +0000, KP Singh wrote:

quoted

LSMs like SELinux store security state in xattrs. bpf_getxattr enables
BPF LSM to implement similar functionality. In combination with
bpf_local_storage, xattrs can be used to develop more complex security
policies.

This kfunc wraps around __vfs_getxattr which can sleep and is,
therefore, limited to sleepable programs using the newly added
sleepable_set for kfuncs.

"Sleepable" is nowhere near enough - for a trivial example, consider
what e.g. ext2_xattr_get() does.
        down_read(&EXT2_I(inode)->xattr_sem);
in there means that having that thing executed in anything that happens
to hold ->xattr_sem is a deadlock fodder.

We could limit this to sleepable LSM hooks:

https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/tree/kernel/bpf/bpf_lsm.c#n169

and when we have abilities to tag
kernel functions and pointers with the work Yonghong did
(e.g. https://reviews.llvm.org/D113496) we can expand the set.

"Can't use that in BPF program executed in non-blocking context" is
*not* sufficient to make it safe.