Netdev Archive on lore.kernel.org
[PATCH bpf-next v2 0/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT

From: Stanislav Fomichev
Date: 2021-08-12 15:30 UTC
To: netdev, bpf
Cc: ast, daniel, andrii, Stanislav Fomichev

We'd like to be able to identify netns from setsockopt hooks to be able
to do the enforcement of some options only in the "initial" netns (to
give users the ability to create clear/isolated sandboxes if needed
without any enforcement by doing unshare(net)).

v2:
- add missing CONFIG_NET

Stanislav Fomichev (2):
  bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT
  selftests/bpf: verify bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT

 kernel/bpf/cgroup.c                        | 19 ++++++++++++++++
 tools/testing/selftests/bpf/verifier/ctx.c | 25 ++++++++++++++++++++++
 2 files changed, 44 insertions(+)

-- 
2.33.0.rc1.237.g0d66db33f3-goog
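Added example, not part of this series or of the kernel tree: a cgroup/setsockopt program built on the helper the series enables, showing the pattern the cover letter describes (enforce a setsockopt policy only in the initial netns and leave unshare(CLONE_NEWNET) sandboxes alone). The policy it enforces (deny SO_MARK in the initial netns), the program and function names, the fallback socket constants and the native build used to unit-test the decision are all assumptions chosen for illustration; the helper's ctx-or-NULL contract (ctx gives the socket's netns cookie, NULL gives the init_net cookie) is the one patch 1/2 implements.

```c
/* sockopt_initns.c: assumed example, not code from the patch series.
 *
 * Build for the kernel (needs libbpf headers and a kernel with this series):
 *   clang -O2 -g -target bpf -c sockopt_initns.c -o sockopt_initns.o
 * Build natively to unit-test the decision logic without loading anything:
 *   cc -c sockopt_initns.c
 */
#include <stddef.h>
#include <stdint.h>

#ifdef __bpf__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#else
#include <sys/socket.h>     /* native build: real SOL_SOCKET / SO_MARK values */
#endif

/* Fallbacks for the BPF build: asm-generic values (assumed, check your arch). */
#ifndef SOL_SOCKET
#define SOL_SOCKET 1
#endif
#ifndef SO_MARK
#define SO_MARK 36
#endif

/* cgroup/setsockopt return values: 0 makes the syscall fail with -EPERM,
 * 1 lets the kernel run the original setsockopt(). */
#define SOCKOPT_DENY  0
#define SOCKOPT_ALLOW 1

/* Decision shared by the BPF entry point and the native test build.
 * sock_ns: cookie of the netns the socket lives in.
 * init_ns: cookie of init_net, obtained by calling the helper with NULL. */
static inline int sockopt_verdict(uint64_t sock_ns, uint64_t init_ns,
                                  int level, int optname)
{
    /* A socket in an unshared netns is an isolated sandbox: no enforcement,
     * which is the behaviour the cover letter asks for. */
    if (sock_ns != init_ns)
        return SOCKOPT_ALLOW;

    /* Enforcement for the initial netns only. Assumed policy: refuse to let
     * the process change the socket fwmark (SO_MARK), which routing and
     * netfilter rules in the initial netns may key on. */
    if (level == SOL_SOCKET && optname == SO_MARK)
        return SOCKOPT_DENY;

    return SOCKOPT_ALLOW;
}

#ifdef __bpf__
SEC("cgroup/setsockopt")
int enforce_initns(struct bpf_sockopt *ctx)
{
    /* ctx  -> cookie of the socket's netns,
     * NULL -> cookie of init_net (ARG_PTR_TO_CTX_OR_NULL, as in patch 1/2). */
    uint64_t sock_ns = bpf_get_netns_cookie(ctx);
    uint64_t init_ns = bpf_get_netns_cookie(NULL);

    return sockopt_verdict(sock_ns, init_ns, ctx->level, ctx->optname);
}

/* The helper proto in patch 1/2 has .gpl_only = false, so a non-GPL
 * license would also be accepted; "GPL" is used here for simplicity. */
char _license[] SEC("license") = "GPL";
#endif
```

Once built, the object is loaded and attached the usual way, for instance `bpftool prog load sockopt_initns.o /sys/fs/bpf/sockopt_initns` followed by `bpftool cgroup attach <cgroup path> setsockopt pinned /sys/fs/bpf/sockopt_initns`. Keeping the verdict in a plain function separates the part that depends on the kernel (the two helper calls) from the part that can be checked natively, which matters because, as the selftest in patch 2/2 shows, the verifier tests for this program type do not execute the program.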
* [PATCH bpf-next v2 1/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT 2021-08-12 15:30 [PATCH bpf-next v2 0/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT Stanislav Fomichev @ 2021-08-12 15:30 ` Stanislav Fomichev 2021-08-13 19:58 ` Martin KaFai Lau 2021-08-12 15:30 ` [PATCH bpf-next v2 2/2] selftests/bpf: verify " Stanislav Fomichev 1 sibling, 1 reply; 5+ messages in thread From: Stanislav Fomichev @ 2021-08-12 15:30 UTC (permalink / raw) To: netdev, bpf; +Cc: ast, daniel, andrii, Stanislav Fomichev This is similar to existing BPF_PROG_TYPE_CGROUP_SOCK and BPF_PROG_TYPE_CGROUP_SOCK_ADDR. Signed-off-by: Stanislav Fomichev <sdf@google.com> --- kernel/bpf/cgroup.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index b567ca46555c..ca5af8852260 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -1846,11 +1846,30 @@ const struct bpf_verifier_ops cg_sysctl_verifier_ops = { const struct bpf_prog_ops cg_sysctl_prog_ops = { }; +#ifdef CONFIG_NET +BPF_CALL_1(bpf_get_netns_cookie_sockopt, struct bpf_sockopt_kern *, ctx) +{ + struct sock *sk = ctx ? ctx->sk : NULL; + const struct net *net = sk ? sock_net(sk) : &init_net; + + return net->net_cookie; +} + +static const struct bpf_func_proto bpf_get_netns_cookie_sockopt_proto = { + .func = bpf_get_netns_cookie_sockopt, + .gpl_only = false, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_CTX_OR_NULL, +}; +#endif + static const struct bpf_func_proto * cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) { switch (func_id) { #ifdef CONFIG_NET + case BPF_FUNC_get_netns_cookie: + return &bpf_get_netns_cookie_sockopt_proto; case BPF_FUNC_sk_storage_get: return &bpf_sk_storage_get_proto; case BPF_FUNC_sk_storage_delete: -- 2.33.0.rc1.237.g0d66db33f3-goog ^ permalink raw reply related [flat|nested] 5+ messages in thread
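Review bot: the ctx-or-NULL contract of bpf_get_netns_cookie_sockopt is not written down anywhere in this hunk or in the commit message, and it is the interesting part: a NULL ctx resolves to &init_net, so a program compares bpf_get_netns_cookie(ctx) against bpf_get_netns_cookie(NULL) to tell a socket in the initial netns from one in an unshared netns, which is exactly the use case from the cover letter. A one-line comment above the BPF_CALL_1 body, and a sentence in the commit message, would make that explicit. On the body itself, the intermediate "struct sock *sk = ctx ? ctx->sk : NULL;" adds a second NULL test on a pointer the sockopt context always carries; "const struct net *net = ctx ? sock_net(ctx->sk) : &init_net;" says the same thing in one line. Lastly, because the case is added to cg_sockopt_func_proto the helper becomes available to every BPF_PROG_TYPE_CGROUP_SOCKOPT program, not only to the setsockopt hooks the cover letter mentions; worth stating so readers do not assume it is setsockopt-specific.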
* Re: [PATCH bpf-next v2 1/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT 2021-08-12 15:30 ` [PATCH bpf-next v2 1/2] " Stanislav Fomichev @ 2021-08-13 19:58 ` Martin KaFai Lau 2021-08-13 21:23 ` sdf 0 siblings, 1 reply; 5+ messages in thread From: Martin KaFai Lau @ 2021-08-13 19:58 UTC (permalink / raw) To: Stanislav Fomichev; +Cc: netdev, bpf, ast, daniel, andrii On Thu, Aug 12, 2021 at 08:30:10AM -0700, Stanislav Fomichev wrote: > This is similar to existing BPF_PROG_TYPE_CGROUP_SOCK > and BPF_PROG_TYPE_CGROUP_SOCK_ADDR. > > Signed-off-by: Stanislav Fomichev <sdf@google.com> > --- > kernel/bpf/cgroup.c | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > > diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c > index b567ca46555c..ca5af8852260 100644 > --- a/kernel/bpf/cgroup.c > +++ b/kernel/bpf/cgroup.c > @@ -1846,11 +1846,30 @@ const struct bpf_verifier_ops cg_sysctl_verifier_ops = { > const struct bpf_prog_ops cg_sysctl_prog_ops = { > }; > > +#ifdef CONFIG_NET > +BPF_CALL_1(bpf_get_netns_cookie_sockopt, struct bpf_sockopt_kern *, ctx) > +{ > + struct sock *sk = ctx ? ctx->sk : NULL; > + const struct net *net = sk ? sock_net(sk) : &init_net; A nit. ctx->sk can not be NULL here, so it only depends on ctx is NULL or not. If I read it correctly, would it be less convoluted to directly test ctx and use ctx->sk here, like: const struct net *net = ctx ? sock_net(ctx->sk) : &init_net; and the previous "struct sock *sk = ctx ? ctx->sk : NULL;" statement can also be removed. > + > + return net->net_cookie; > +} > + ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH bpf-next v2 1/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT 2021-08-13 19:58 ` Martin KaFai Lau @ 2021-08-13 21:23 ` sdf 0 siblings, 0 replies; 5+ messages in thread From: sdf @ 2021-08-13 21:23 UTC (permalink / raw) To: Martin KaFai Lau; +Cc: netdev, bpf, ast, daniel, andrii On 08/13, Martin KaFai Lau wrote: > On Thu, Aug 12, 2021 at 08:30:10AM -0700, Stanislav Fomichev wrote: > > This is similar to existing BPF_PROG_TYPE_CGROUP_SOCK > > and BPF_PROG_TYPE_CGROUP_SOCK_ADDR. > > > > Signed-off-by: Stanislav Fomichev <sdf@google.com> > > --- > > kernel/bpf/cgroup.c | 19 +++++++++++++++++++ > > 1 file changed, 19 insertions(+) > > > > diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c > > index b567ca46555c..ca5af8852260 100644 > > --- a/kernel/bpf/cgroup.c > > +++ b/kernel/bpf/cgroup.c > > @@ -1846,11 +1846,30 @@ const struct bpf_verifier_ops > cg_sysctl_verifier_ops = { > > const struct bpf_prog_ops cg_sysctl_prog_ops = { > > }; > > > > +#ifdef CONFIG_NET > > +BPF_CALL_1(bpf_get_netns_cookie_sockopt, struct bpf_sockopt_kern *, > ctx) > > +{ > > + struct sock *sk = ctx ? ctx->sk : NULL; > > + const struct net *net = sk ? sock_net(sk) : &init_net; > A nit. > ctx->sk can not be NULL here, so it only depends on ctx is NULL or not. > If I read it correctly, would it be less convoluted to directly test ctx > and use ctx->sk here, like: > const struct net *net = ctx ? sock_net(ctx->sk) : &init_net; > and the previous "struct sock *sk = ctx ? ctx->sk : NULL;" statement > can also be removed. Agreed, makes sense. Let me also add bpf_get_netns_cookie to some existing BPF prog to make sure it's executed. That ctx.c isn't really running the prog.. ^ permalink raw reply [flat|nested] 5+ messages in thread
[PATCH bpf-next v2 2/2] selftests/bpf: verify bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT

From: Stanislav Fomichev
Date: 2021-08-12 15:30 UTC
To: netdev, bpf
Cc: ast, daniel, andrii, Stanislav Fomichev

Add verifier ctx test to call bpf_get_netns_cookie from cgroup/setsockopt.

#269/p pass ctx or null check, 1: ctx Did not run the program (not supported) OK
#270/p pass ctx or null check, 2: null Did not run the program (not supported) OK
#271/p pass ctx or null check, 3: 1 OK
#272/p pass ctx or null check, 4: ctx - const OK
#273/p pass ctx or null check, 5: null (connect) Did not run the program (not supported) OK
#274/p pass ctx or null check, 6: null (bind) Did not run the program (not supported) OK
#275/p pass ctx or null check, 7: ctx (bind) Did not run the program (not supported) OK
#276/p pass ctx or null check, 8: null (bind) OK
#277/p pass ctx or null check, 9: ctx (cgroup/setsockopt) Did not run the program (not supported) OK
#278/p pass ctx or null check, 10: null (cgroup/setsockopt) Did not run the program (not supported) OK

Signed-off-by: Stanislav Fomichev <sdf@google.com>
---
 tools/testing/selftests/bpf/verifier/ctx.c | 25 ++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/tools/testing/selftests/bpf/verifier/ctx.c b/tools/testing/selftests/bpf/verifier/ctx.c
index 23080862aafd..3e7fdbf898b1 100644
--- a/tools/testing/selftests/bpf/verifier/ctx.c
+++ b/tools/testing/selftests/bpf/verifier/ctx.c
@@ -195,3 +195,28 @@ .result = REJECT, .errstr = "R1 type=inv expected=ctx", }, +{ + "pass ctx or null check, 9: ctx (cgroup/setsockopt)", + .insns = { + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, + BPF_FUNC_get_netns_cookie), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_CGROUP_SOCKOPT, + .expected_attach_type = BPF_CGROUP_SETSOCKOPT, + .result = ACCEPT, +}, +{ + "pass ctx or null check, 10: null (cgroup/setsockopt)", + .insns = { + BPF_MOV64_IMM(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, + BPF_FUNC_get_netns_cookie), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_CGROUP_SOCKOPT, + .expected_attach_type = BPF_CGROUP_SETSOCKOPT, + .result = ACCEPT, +}, -- 2.33.0.rc1.237.g0d66db33f3-goog ^ permalink raw reply related [flat|nested] 5+ messages in thread
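Review bot: both new cases only exercise the verifier (the run log in the commit message reports "Did not run the program (not supported)" for #277 and #278), so they prove that BPF_FUNC_get_netns_cookie is accepted with R1 = ctx and with R1 = 0 under ARG_PTR_TO_CTX_OR_NULL, but never that the helper returns the socket's netns cookie or that NULL maps to init_net, which is the behaviour patch 1/2 actually adds. A runtime check belongs in a prog_tests/ sockopt test that attaches a cgroup/setsockopt program, calls the helper once with ctx and once with NULL, and compares the two values for a socket in the attaching netns (equal) and for one created after unshare(CLONE_NEWNET) (different). Also, both cases set .expected_attach_type = BPF_CGROUP_SETSOCKOPT only, while the proto is registered for the whole program type; a copy of case 9 with the getsockopt attach type would cover the other path at no cost.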