Thread (12 messages) 12 messages, 4 authors, 2021-10-08

Re: [RFC PATCH bpf-next 0/2] bpf: keep track of prog verification stats

From: Dave Marchevsky <hidden>
Date: 2021-10-07 09:07:03
Also in: bpf

On 9/27/21 9:33 PM, John Fastabend wrote:   
Andrii Nakryiko wrote:
quoted
On Mon, Sep 27, 2021 at 11:20 AM John Fastabend
[off-list ref] wrote:
quoted
Dave Marchevsky wrote:
quoted
On 9/23/21 10:02 PM, Andrii Nakryiko wrote:
quoted
On Thu, Sep 23, 2021 at 6:27 PM Dave Marchevsky [off-list ref] wrote:
quoted
On 9/23/21 4:51 PM, Alexei Starovoitov wrote:
quoted
On Mon, Sep 20, 2021 at 08:11:10AM -0700, Dave Marchevsky wrote:
quoted
The verifier currently logs some useful statistics in
print_verification_stats. Although the text log is an effective feedback
tool for an engineer iterating on a single application, it would also be
useful to enable tracking these stats in a more structured form for
fleetwide or historical analysis, which this patchset attempts to do.
[...] 
quoted
quoted
quoted
Seems reasonable to me - and attaching a BPF program to the tracepoint to
grab data is delightfully meta :)

I'll do a pass on alternate implementation with _just_ tracepoint, no
prog_info or fdinfo, can add minimal or full stats to those later if
necessary.
Actually I ended up pushing a simple add of insn_processed to prog_info, 
fdinfo instead of bare tracepoint. The more general discussion here is
interesting - if we can inject some custom logic into various points in
verification process, can gather arbitrary stats or make policy decisions
from the same attach points.
quoted
quoted
We can also use a hook point here to enforce policy on allowing the
BPF program to load or not using the stats here. For now basic
insn is a good start to allow larger/smaller programs to be loaded,
but we might add other info like call bitmask, features, types, etc.
If one of the arguments is the bpf_attr struct we can just read
lots of useful program info out directly.

We would need something different from a tracepoint though to let
it return a reject|accept code. How about a new hook type that
has something similar to sockops that lets us just return an
accept or reject code?

By doing this we can check loader signatures here to be sure the
loader is signed or otherwise has correct permissions to be loading
whatever type of bpf program is here.
For signing and generally preventing some BPF programs from loading
(e.g., if there is some malicious BPF program that takes tons of
memory to be validated), wouldn't you want to check that before BPF
verifier spent all those resources on verification? So maybe there
will be another hook before BPF prog is validated for that? Basically,
if you don't trust any BPF program unless it is signed, I'd expect you
check signature before BPF verifier does its heavy job.
Agree, for basic sig check or anything that just wants to look at
the task_struct storage for some attributes before we verify is
more efficient. The only reason I suggested after is if we wanted
to start auditing/enforcing on calls or map read/writes, etc. these
we would need the verifier to help tabulate.
This is the "Bob isn't signed, so ensure that Bob can only read from 
Alice's maps" case from your recent talk, right? 

I'd like to add another illustrative usecase: "progs of type X can 
use 4k of stack, while type Y can only use 128 bytes of stack". For
the 4k case, a single attach point after verification is complete 
wouldn't work as the prog would've been eagerly rejected.

Alexei suggested adding some empty noinline functions with 
ALLOW_ERROR_INJECTION at potential attach points, then attaching 
BPF_MODIFY_RETURN progs to inject custom logic. This would allow 
arbitrarily digging around while optionally affecting return result.

WDYT?
When I hacked it in for experimenting I put the hook in the sys
bpf load path before the verifier runs. That seemed to work for
the simpler sig check cases I was running.

OTOH though if we have a system with lots of BPF failed loads this
would indicate a more serious problem that an admin should fix
so might be nicer code-wise to just have a single hook after verifier
vs optimizing to two one in front and one after. 
quoted
quoted
Thanks,
John
  
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help