Re: [PATCH v5 bpf-next 1/3] bpf: add bpf_descendant_of helper

[Javier Honduvilla Coto <javierhonduco@fb.com>]

On Thu, Apr 11, 2019 at 11:55:58PM +0200, Daniel Borkmann wrote:
> On 04/10/2019 10:36 PM, Javier Honduvilla Coto wrote:
> > This patch adds the bpf_descendant_of helper which accepts a PID and
> > returns 1 if the PID of the process currently being executed is a
> > descendant of it or if it's itself. Returns 0 otherwise.
> >
> > This is very useful in tracing programs when we want to filter by a
> > given PID and all the children it might spawn. The current workarounds
> > most people implement for this purpose have issues:
> >
> > - Attaching to process spawning syscalls and dynamically add those PIDs
> >   to some bpf map that would be used to filter is cumbersome and
> > potentially racy.
> > - Unrolling some loop to perform what this helper is doing consumes lots
> >   of instructions. That and the impossibility to jump backwards makes it
> > really hard to be correct in really large process chains.
> >
> > Signed-off-by: Javier Honduvilla Coto <javierhonduco@fb.com>
> > ---
> >  include/linux/bpf.h      |  1 +
> >  include/uapi/linux/bpf.h | 10 +++++++++-
> >  kernel/bpf/core.c        |  1 +
> >  kernel/bpf/helpers.c     | 27 +++++++++++++++++++++++++++
> >  kernel/trace/bpf_trace.c |  2 ++
> >  5 files changed, 40 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index 65f7094c40b4..0539999f07f3 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -967,6 +967,7 @@ extern const struct bpf_func_proto bpf_sk_redirect_map_proto;
> >  extern const struct bpf_func_proto bpf_spin_lock_proto;
> >  extern const struct bpf_func_proto bpf_spin_unlock_proto;
> >  extern const struct bpf_func_proto bpf_get_local_storage_proto;
> > +extern const struct bpf_func_proto bpf_descendant_of_proto;
> >
> >  /* Shared helpers among cBPF and eBPF. */
> >  void bpf_user_rnd_init_once(void);
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index af1cbd951f26..f707b286c21d 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -2493,6 +2493,13 @@ union bpf_attr {
> >   * 	Return
> >   * 		0 if iph and th are a valid SYN cookie ACK, or a negative error
> >   * 		otherwise.
> > + * int bpf_descendant_of(pid_t pid)
>
> Small nit: Looks good to go, but please add a newline before the new helper
> description like all the rest in there.

Thanks!

>
> > + *	Description
> > + *		This helper is useful in programs that want to filter events
> > + *		happening to a pid or to any of its descendants.
>
> One more thing that would be helpful is to add a short description here that
> this helper can be used in combination with bpf_get_current_pid_tgid(), and
> that pid here is representation from init pid namespace if I grok it correctly.

What use case do you have in mind for bpf_get_current_pid_tgid() +
bpf_descendant_of()? Most of the cases the former won't be necessary as
the latter is alredy fetching the pid of the process in the current
context, but maybe I'm missing something! :)

Not sure about the last part, sorry, are you referring that we should
maybe mention that the descendant check is performed within a pid namespace
and does not cross pid namespaces?

>
> > + *	Return
> > + *		1 if the passed pid is an ancestor of the currently executing
> > + *		process' pid or equal to it.
> >   */
> >  #define __BPF_FUNC_MAPPER(FN)		\
> >  	FN(unspec),			\
> > @@ -2595,7 +2602,8 @@ union bpf_attr {
> >  	FN(skb_ecn_set_ce),		\
> >  	FN(get_listener_sock),		\
> >  	FN(skc_lookup_tcp),		\
> > -	FN(tcp_check_syncookie),
> > +	FN(tcp_check_syncookie),	\
> > +	FN(descendant_of),
> >
> >  /* integer value in 'imm' field of BPF_CALL instruction selects which helper
> >   * function eBPF program intends to call
> > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> > index ace8c22c8b0e..df93d7157657 100644
> > --- a/kernel/bpf/core.c
> > +++ b/kernel/bpf/core.c
> > @@ -2046,6 +2046,7 @@ const struct bpf_func_proto bpf_get_current_uid_gid_proto __weak;
> >  const struct bpf_func_proto bpf_get_current_comm_proto __weak;
> >  const struct bpf_func_proto bpf_get_current_cgroup_id_proto __weak;
> >  const struct bpf_func_proto bpf_get_local_storage_proto __weak;
> > +const struct bpf_func_proto bpf_descendant_of_proto __weak;
> >
> >  const struct bpf_func_proto * __weak bpf_get_trace_printk_proto(void)
> >  {
> > diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> > index a411fc17d265..d04186c69042 100644
> > --- a/kernel/bpf/helpers.c
> > +++ b/kernel/bpf/helpers.c
> > @@ -18,6 +18,7 @@
> >  #include <linux/sched.h>
> >  #include <linux/uidgid.h>
> >  #include <linux/filter.h>
> > +#include <linux/init_task.h>
> >
> >  /* If kernel subsystem is allowing eBPF programs to call this function,
> >   * inside its own verifier_ops->get_func_proto() callback it should return
> > @@ -364,3 +365,29 @@ const struct bpf_func_proto bpf_get_local_storage_proto = {
> >  };
> >  #endif
> >  #endif
> > +
> > +BPF_CALL_1(bpf_descendant_of, pid_t, pid)
> > +{
> > +	int result = 0;
> > +	struct task_struct *task = current;
> > +
> > +	if (pid == 0)
> > +		return 1;
> > +
> > +	while (task != &init_task) {
> > +		if (task->pid == pid) {
> > +			result = 1;
> > +			break;
> > +		}
> > +		task = rcu_dereference(task->real_parent);
> > +	}
> > +
> > +	return result;
> > +}
> > +
> > +const struct bpf_func_proto bpf_descendant_of_proto = {
> > +	.func		= bpf_descendant_of,
> > +	.gpl_only	= false,
> > +	.ret_type	= RET_INTEGER,
> > +	.arg1_type	= ARG_ANYTHING,
> > +};
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > index d64c00afceb5..0968e38a2aae 100644
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
> > @@ -599,6 +599,8 @@ tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> >  		return &bpf_get_prandom_u32_proto;
> >  	case BPF_FUNC_probe_read_str:
> >  		return &bpf_probe_read_str_proto;
> > +	case BPF_FUNC_descendant_of:
> > +		return &bpf_descendant_of_proto;
> >  #ifdef CONFIG_CGROUPS
> >  	case BPF_FUNC_get_current_cgroup_id:
> >  		return &bpf_get_current_cgroup_id_proto;
> >
>