From: Johannes Berg <johannes@sipsolutions.net>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: netdev <netdev@vger.kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	linux-wireless <linux-wireless@vger.kernel.org>
Subject: Re: using verifier to ensure a BPF program uses certain metadata?
Date: Wed, 18 Oct 2017 08:56:31 +0200
Message-ID: <1508309791.2674.1.camel@sipsolutions.net>
In-Reply-To: <20171017225806.b5xubolkyocfgnjc@ast-mbp> (sfid-20171018_005813_040290_4671FB34)

Hi Alexei,

> > https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git/log/?h=bpf
> 
> bpf bits look pretty straightforward.

Thanks for looking at this!

> attach looks fine too. I'm assuming there is some rtnl or other lock,
> so multiple assigns cannot race?

Yes.

> It's missing query interface though.
> Please add support to return prog_id.

Good point, this is about half a year old, so ... :)

[...]
> > Now, I realize that people could trivially just work around this in
> > their program if they wanted, but I think most will take the reminder
> > and just implement
> > 
> >     if (ctx->is_data_ethernet)
> >         return DROP_FRAME;
> > 
> > instead, since mostly data frames will not be very relevant to
> > them.
> > 
> > What do you think?
> 
> sounds fine and considering new verifier ops after Jakub refactoring
> a check that is_data_ethernet was accessed would fit nicely.
> Without void** hack.

Ok, thanks! I'll have to check what Jakub is doing there, do you have a
pointer to that refactoring?

johannes

