From: Stanislav Fomichev <sdf@google.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
Stanislav Fomichev <sdf@google.com>,
Petar Penkov <ppenkov@google.com>
Subject: [PATCH bpf-next 0/2] bpf/flow_dissector: add mode to enforce global BPF flow dissector
Date: Wed, 2 Oct 2019 10:33:55 -0700
Message-ID: <20191002173357.253643-1-sdf@google.com>
While having per-net-ns flow dissector programs is convenient for
testing, security-wise it's better to have only one vetted global
flow dissector implementation.

Let's have a convention that when a BPF flow dissector is installed
in the root namespace, child namespaces can't override it.

Note that it's totally possible to attach flow_dissector programs
to several namespaces and then switch to a global one. In this case,
only the root one will trigger; users are still able to detach
flow_dissector programs from non-root namespaces.

An alternative solution might be something like a sysctl to enable
the global mode.
Cc: Petar Penkov <ppenkov@google.com>
Stanislav Fomichev (2):
bpf/flow_dissector: add mode to enforce global BPF flow dissector
selftests/bpf: add test for BPF flow dissector in the root namespace
Documentation/bpf/prog_flow_dissector.rst | 3 ++
net/core/flow_dissector.c | 11 ++++-
.../selftests/bpf/test_flow_dissector.sh | 48 ++++++++++++++++---
3 files changed, 55 insertions(+), 7 deletions(-)
--
2.23.0.444.g18eeb5a265-goog
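Added example, not code from this series or from the kernel: a small C model of the convention the cover letter describes (attach, detach, and which program fires for a namespace), with namespaces as array indices and programs as integer ids; the -EPERM return for the refused attach is an assumption of the model.

```c
#include <errno.h>

/* Model of the convention described in the cover letter, not the
 * kernel's code: each net namespace holds at most one flow_dissector
 * program, the root namespace (index 0) wins, and once the root has
 * one, attaching in a non-root namespace is refused. Programs are
 * plain integer ids here; 0 means "none". */
#define MAX_NS  8
#define ROOT_NS 0
#define NO_PROG 0

static int ns_prog[MAX_NS];  /* program attached per namespace */

/* Attach @prog in namespace @ns. Returning -EPERM for the refused
 * case is an assumption of this model. */
int flow_dissector_attach(int ns, int prog)
{
	if (ns < 0 || ns >= MAX_NS || prog == NO_PROG)
		return -EINVAL;
	/* A global (root) dissector is installed: children can't override it. */
	if (ns != ROOT_NS && ns_prog[ROOT_NS] != NO_PROG)
		return -EPERM;
	ns_prog[ns] = prog;
	return 0;
}

/* Detach is always allowed, also from non-root namespaces that attached
 * before the global dissector was installed. */
int flow_dissector_detach(int ns)
{
	if (ns < 0 || ns >= MAX_NS || ns_prog[ns] == NO_PROG)
		return -ENOENT;
	ns_prog[ns] = NO_PROG;
	return 0;
}

/* Program that would run for a packet seen in namespace @ns: only the
 * root one triggers while it is installed, else the namespace's own. */
int flow_dissector_select(int ns)
{
	if (ns < 0 || ns >= MAX_NS)
		return NO_PROG;
	if (ns_prog[ROOT_NS] != NO_PROG)
		return ns_prog[ROOT_NS];
	return ns_prog[ns];
}
```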