From: ebiederm@xmission.com (Eric W. Biederman)
To: Alexei Starovoitov <ast@fb.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Daniel Borkmann <daniel@iogearbox.net>,
David Ahern <dsa@cumulusnetworks.com>, Tejun Heo <tj@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Thomas Graf <tgraf@suug.ch>, <netdev@vger.kernel.org>
Subject: Re: [PATCH net] bpf: expose netns inode to bpf programs
Date: Thu, 26 Jan 2017 18:46:25 +1300 [thread overview]
Message-ID: <87efzq8jbi.fsf@xmission.com> (raw)
In-Reply-To: <1485401274-2836524-1-git-send-email-ast@fb.com> (Alexei Starovoitov's message of "Wed, 25 Jan 2017 19:27:54 -0800")
Alexei Starovoitov <ast@fb.com> writes:
> in cases where bpf programs are looking at sockets and packets
> that belong to different netns, it could be useful to read netns inode,
> so that programs can make intelligent decisions.
> For example to disallow raw sockets in all non-init netns the program can do:
> if (sk->type == SOCK_RAW && sk->netns_inum != 0xf0000075)
> return 0;
> where 0xf0000075 inode comes from /proc/pid/ns/net
>
> Similarly TC cls_bpf/act_bpf and socket filters can do
> if (skb->netns_inum == expected_inode)
Nacked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Particularly you need to compare more than the inode number.
Further I have never guaranteed there will be exactly one inode
per network namespace, just that if the device number and the inode
number pair match they are the same.
Beyond that the entire concept is complete rubbish.
The only sane thing is to interpret whatever your bpf program in the
context of the program which installs it.
If you can't do that you have a very broken piece of userspace
interface. Which appears to be the case here.
Eric
next prev parent reply other threads:[~2017-01-26 5:50 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-26 3:27 [PATCH net] bpf: expose netns inode to bpf programs Alexei Starovoitov
2017-01-26 5:46 ` Eric W. Biederman [this message]
2017-01-26 6:00 ` Ying Xue
2017-01-26 6:23 ` Alexei Starovoitov
2017-01-26 16:37 ` Andy Lutomirski
2017-01-26 17:46 ` Alexei Starovoitov
2017-01-26 18:12 ` Andy Lutomirski
2017-01-26 18:32 ` Alexei Starovoitov
2017-01-26 19:07 ` Andy Lutomirski
2017-01-26 19:25 ` Alexei Starovoitov
2017-02-03 4:33 ` Eric W. Biederman
2017-02-03 6:05 ` Alexei Starovoitov
2017-02-03 10:30 ` Eric W. Biederman
2017-02-03 21:00 ` Andy Lutomirski
2017-02-03 21:06 ` Eric W. Biederman
2017-02-03 23:08 ` Alexei Starovoitov
2017-02-04 17:07 ` Andy Lutomirski
2017-02-05 3:10 ` Alexei Starovoitov
2017-02-05 3:27 ` Andy Lutomirski
2017-02-05 3:48 ` Alexei Starovoitov
2017-02-05 3:54 ` Andy Lutomirski
2017-02-05 4:37 ` Alexei Starovoitov
2017-02-05 5:05 ` Andy Lutomirski
2017-02-07 1:43 ` Alexei Starovoitov
2017-01-31 18:02 ` David Miller
2017-01-31 22:11 ` David Ahern
2017-02-03 21:56 ` Daniel Borkmann
2017-02-03 23:06 ` Alexei Starovoitov
2017-02-03 23:42 ` Daniel Borkmann
2017-02-04 1:25 ` Alexei Starovoitov
2017-02-04 17:08 ` Andy Lutomirski
2017-02-05 3:18 ` Alexei Starovoitov
2017-02-05 3:22 ` Andy Lutomirski
2017-02-05 3:35 ` Alexei Starovoitov
2017-02-05 3:49 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87efzq8jbi.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=ast@fb.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsa@cumulusnetworks.com \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=tgraf@suug.ch \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.