From: Jiri Olsa <jolsa@redhat.com>
To: KP Singh <kpsingh@chromium.org>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>, Jiri Olsa <jolsa@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, bpf@vger.kernel.org,
Yonghong Song <yhs@fb.com>, Martin KaFai Lau <kafai@fb.com>,
David Miller <davem@redhat.com>,
John Fastabend <john.fastabend@gmail.com>,
Jesper Dangaard Brouer <hawk@kernel.org>,
Wenbo Zhang <ethercflow@gmail.com>,
Andrii Nakryiko <andriin@fb.com>,
bgregg@netflix.com
Subject: Re: [RFC 0/3] bpf: Add d_path helper
Date: Tue, 7 Apr 2020 11:45:56 +0200
Message-ID: <20200407094556.GC3144092@krava>
In-Reply-To: <20200407092753.GA109512@google.com>

On Tue, Apr 07, 2020 at 11:27:53AM +0200, KP Singh wrote:
> On 06-Apr 18:10, Alexei Starovoitov wrote:
> > On Mon, Apr 06, 2020 at 11:09:18AM +0200, Jiri Olsa wrote:
> > >
> > > is there any way we could have d_path functionality (even
> > > reduced and not working for all cases) that could be used
> > > or called like that?
> >
> > I agree with Al. This helper cannot be enabled for all of bpf tracing.
> > We have to white list its usage for specific callsites only.
> > Maybe all of lsm hooks are safe. I don't know yet. This has to be
> > analyzed carefully. Every hook. One by one.
>
> I agree with this, there are some LSM hooks which do get called in
> interrupt context, eg. task_free (which gets called in an RCU
> callback).
>
> The hooks that we are using it for and we know that it works (using
> our experimental helpers similar to this) are the bprm_* hooks in the
> exec pathway (for logic based on the path of the executable).
>
> It might be worth whitelisting these functions by adding verifier ops
> for LSM programs?
>
> Would you want to do it as a part of this series?

I guess we should do some generic whitelist solution that
would be usable by any prog type.. I'll try to put something
together

jirka