From: Jesper Dangaard Brouer <brouer@redhat.com>
To: Carlos Neira <cneirabustos@gmail.com>
Cc: brouer@redhat.com, netdev@vger.kernel.org, ebiederm@xmission.com,
quentin.monnet@netronome.com, ys114321@gmail.com
Subject: Re: [PATCH bpf-next] BPF: helpers: New helper to obtain namespace data from current task
Date: Thu, 9 Aug 2018 15:46:53 +0200
Message-ID: <20180809154653.40396ce3@redhat.com>
In-Reply-To: <20180809131800.11338-1-cneirabustos@gmail.com>
On Thu, 9 Aug 2018 09:18:00 -0400
Carlos Neira <cneirabustos@gmail.com> wrote:
> From: cneira <cneirabustos@gmail.com>
>
> This helper obtains the active namespace from current and returns the pid, tgid,
> device and namespace id as seen from that namespace, allowing a process inside a
> container to be instrumented.
> The device is read from /proc/self/ns/pid, as in the future it is possible that
> different pid_ns files may belong to different devices, according
> to the discussion between Eric Biederman and Yonghong at the 2017 Linux Plumbers
> Conference.
>
> Currently bpf_get_current_pid_tgid() is used to do pid filtering in bcc's
> scripts, but this helper returns the pid as seen by the root namespace, which is
> fine when a bcc script is not executed inside a container.
> When the process of interest is inside a container, pid filtering will not work
> if bpf_get_current_pid_tgid() is used. This helper addresses this limitation by
> returning the pid as it is seen by the current namespace where the script is
> executing.
>
> This helper has the same use cases as bpf_get_current_pid_tgid() as it can be
> used to do pid filtering even inside a container.
>
> For example, a bcc script using bpf_get_current_pid_tgid() (tools/funccount.py):
>
> u32 pid = bpf_get_current_pid_tgid() >> 32;
> if (pid != <pid_arg_passed_in>)
> return 0;
>
> Could be modified to use bpf_get_current_pidns_info() as follows:
>
> struct bpf_pidns pidns;
> bpf_get_current_pid_tgid(&pidns, sizeof(struct bpf_pidns));
^^^^^^^^^^^^^^^^^^^^^^^^
Shouldn't this be:
bpf_get_current_pidns_info(...)
> u32 pid = pidns.tgid;
> u32 nsid = pidns.nsid;
> if ((pid != <pid_arg_passed_in>) && (nsid != <nsid_arg_passed_in>))
> return 0;
>
[...]
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index dd5758dc35d3..031e7d9dba09 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -2113,6 +2113,18 @@ union bpf_attr {
> * the shared data.
> * Return
> * Pointer to the local storage area.
> + *
> + * int bpf_get_current_pidns(struct bpf_pidns_info *pidns, u32 size_of_pidns)
Should this be:
bpf_get_current_pidns_info(...)
> + * Description
> + * Copies into *pidns* pid, namespace id and tgid as seen by the
> + * current namespace and also device from /proc/self/ns/pid.
> + * *size_of_pidns* must be the size of *pidns*
> + *
> + * This helper is used when pid filtering is needed inside a
> + * container as bpf_get_current_tgid() helper returns always the
> + * pid id as seen by the root namespace.
> + * Return
> + * 0 on success -EINVAL on error.
> */
> #define __BPF_FUNC_MAPPER(FN) \
> FN(unspec), \
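Review bot: the documented prototype, int bpf_get_current_pidns(struct bpf_pidns_info *pidns, u32 size_of_pidns), does not match the name this patch registers in __BPF_FUNC_MAPPER (get_current_pidns_info), and the struct name does not match the struct bpf_pidns used in the commit-message example; scripts/bpf_helpers_doc.py generates the helper man page from this comment block, so the prototype, the FN() entry and the struct name all need to agree. The Description also refers to a bpf_get_current_tgid() helper that does not exist; the existing helper being compared against is bpf_get_current_pid_tgid(). The Return section should spell out when -EINVAL is produced (presumably when *size_of_pidns* differs from sizeof(struct bpf_pidns_info)) and what happens to *pidns* on that path: a helper that takes an uninitialized-memory argument must still zero the buffer on failure, as bpf_probe_read() does, because after the call the verifier treats that stack area as initialized. Minor wording: "returns always the pid id" should read "always returns the pid".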
> @@ -2196,7 +2208,8 @@ union bpf_attr {
> FN(rc_keydown), \
> FN(skb_cgroup_id), \
> FN(get_current_cgroup_id), \
> - FN(get_local_storage),
> + FN(get_local_storage), \
> + FN(get_current_pidns_info),
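Review bot: FN(get_current_pidns_info) is the name that becomes BPF_FUNC_get_current_pidns_info and that libbpf, bpftool and the generated helper documentation will expose, so the documentation comment above has to call the helper bpf_get_current_pidns_info() rather than bpf_get_current_pidns(). Appending to the end of the mapper assigns the next free helper id; make sure the identical change is carried into tools/include/uapi/linux/bpf.h, which is expected to stay byte-for-byte in sync with include/uapi/linux/bpf.h in bpf-next, otherwise tools built from the kernel tree will not know the new id.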
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
LinkedIn: http://www.linkedin.com/in/brouer
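As an added example (not code from the patch, the commit message or this thread): the three pieces of information the proposed helper would hand back for the calling task, pid and tgid as seen inside the task's own pid namespace plus the identity of that namespace, read from user space via /proc. It shows concretely why the root-namespace value from bpf_get_current_pid_tgid() is the wrong thing to filter on inside a container. The struct and function names are invented for the example; it assumes Linux with /proc mounted (the NSpid/NSTgid fields exist since 4.1).

```c
/* Added example, not part of the patch or the thread. Build and run on a
 * Linux box, ideally once on the host and once inside a container, and
 * compare the output with getpid() as seen from the host. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Parse a "NSpid:\t4242\t7" style line from /proc/<pid>/status. Per proc(5)
 * the leftmost id is the pid as seen by the namespace that mounted this
 * procfs (the root namespace for the kernel's own mount), the rightmost
 * the pid in the task's own, innermost pid namespace. Returns the number
 * of ids stored in ids[], or -1 if the line is not the requested field. */
static int parse_ns_field(const char *line, const char *field,
                          unsigned long *ids, int max_ids)
{
    size_t flen = strlen(field);
    const char *p;
    int n = 0;

    if (strncmp(line, field, flen) != 0 || line[flen] != ':')
        return -1;
    p = line + flen + 1;
    while (n < max_ids) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);   /* skips the leading tab */
        if (end == p)
            break;                                 /* reached '\n' or end of line */
        ids[n++] = v;
        p = end;
    }
    return n;
}

/* Hypothetical user-space mirror of what the commit message says the helper
 * returns: pid and tgid inside the task's own pid namespace, plus the
 * identity of that namespace taken from /proc/self/ns/pid. */
struct pidns_view {
    unsigned long pid;
    unsigned long tgid;
    unsigned long long nsid;   /* st_ino of /proc/self/ns/pid */
    unsigned long long dev;    /* st_dev of /proc/self/ns/pid */
};

static int pidns_view_of_self(struct pidns_view *out)
{
    struct stat st;
    unsigned long ids[32];
    char line[512];
    int have = 0, n;
    FILE *f;

    if (stat("/proc/self/ns/pid", &st) != 0)
        return -1;
    out->nsid = st.st_ino;
    out->dev = st.st_dev;

    f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if ((n = parse_ns_field(line, "NSpid", ids, 32)) > 0) {
            out->pid = ids[n - 1];      /* innermost namespace */
            have |= 1;
        } else if ((n = parse_ns_field(line, "NSTgid", ids, 32)) > 0) {
            out->tgid = ids[n - 1];
            have |= 2;
        }
    }
    fclose(f);
    return have == 3 ? 0 : -1;
}

int main(void)
{
    struct pidns_view v;

    if (pidns_view_of_self(&v) != 0) {
        perror("pidns_view_of_self");
        return 1;
    }
    /* Inside a container these differ from the pid the host kernel reports
     * for the same task, which is exactly why a filter built on
     * bpf_get_current_pid_tgid() never matches when run from a container. */
    printf("pid in own pidns:  %lu\n", v.pid);
    printf("tgid in own pidns: %lu\n", v.tgid);
    printf("pidns id (inode):  %llu\n", v.nsid);
    printf("pidns device:      %llu\n", v.dev);
    return 0;
}
```

The (nsid, dev) pair is what makes a pid unambiguous: two containers can each have a pid 7, and only the namespace identity tells them apart, which is why the commit message wants the filter to check both.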
Thread overview: 6+ messages
2018-08-09 13:18 [PATCH bpf-next] BPF: helpers: New helper to obtain namespace data from current task Carlos Neira
2018-08-09 13:46 ` Jesper Dangaard Brouer [this message]
2018-08-09 14:49 ` Carlos Neira
2018-08-09 16:07 ` Carlos Neira
2018-08-10 10:40 ` Jesper Dangaard Brouer
2018-08-10 19:08 ` Carlos Neira