From: Stanislav Fomichev <sdf@google.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
Stanislav Fomichev <sdf@google.com>,
Petar Penkov <ppenkov@google.com>
Subject: [PATCH bpf-next v3 0/2] bpf/flow_dissector: add mode to enforce global BPF flow dissector
Date: Mon, 7 Oct 2019 09:21:01 -0700 [thread overview]
Message-ID: <20191007162103.39395-1-sdf@google.com> (raw)
While having a per-net-ns flow dissector programs is convenient for
testing, security-wise it's better to have only one vetted global
flow dissector implementation.
Let's have a convention that when BPF flow dissector is installed
in the root namespace, child namespaces can't override it.
The intended use-case is to attach global BPF flow dissector
early from the init scripts/systemd. Attaching global dissector
is prohibited if some non-root namespace already has flow dissector
attached. Also, attaching to non-root namespace is prohibited
when there is flow dissector attached to the root namespace.
v3:
* drop extra check and empty line (Andrii Nakryiko)
v2:
* EPERM -> EEXIST (Song Liu)
* Make sure we don't have dissector attached to non-root namespaces
when attaching the global one (Andrii Nakryiko)
Cc: Petar Penkov <ppenkov@google.com>
Stanislav Fomichev (2):
bpf/flow_dissector: add mode to enforce global BPF flow dissector
selftests/bpf: add test for BPF flow dissector in the root namespace
Documentation/bpf/prog_flow_dissector.rst | 3 ++
net/core/flow_dissector.c | 38 +++++++++++++--
.../selftests/bpf/test_flow_dissector.sh | 48 ++++++++++++++++---
3 files changed, 79 insertions(+), 10 deletions(-)
--
2.23.0.581.g78d2f28ef7-goog
next reply other threads:[~2019-10-07 16:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-07 16:21 Stanislav Fomichev [this message]
2019-10-07 16:21 ` [PATCH bpf-next v3 1/2] bpf/flow_dissector: add mode to enforce global BPF flow dissector Stanislav Fomichev
2019-10-07 16:21 ` [PATCH bpf-next v3 2/2] selftests/bpf: add test for BPF flow dissector in the root namespace Stanislav Fomichev
2019-10-08 3:21 ` [PATCH bpf-next v3 0/2] bpf/flow_dissector: add mode to enforce global BPF flow dissector Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191007162103.39395-1-sdf@google.com \
--to=sdf@google.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=ppenkov@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.