From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org, tj@kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Dan Schatzberg <dschatzberg@meta.com>,
kkd@meta.com, kernel-team@meta.com
Subject: [PATCH bpf-next v2 0/2] Remove use of current->cgns in bpf_cgroup_from_id
Date: Mon, 11 Aug 2025 12:58:59 -0700 [thread overview]
Message-ID: <20250811195901.1651800-1-memxor@gmail.com> (raw)
bpf_cgroup_from_id currently ends up doing a check on whether the cgroup
being looked up is a descendant of the root cgroup of the current task's
cgroup namespace. This leads to unreliable results since this kfunc can
be invoked from any arbitrary context, for any arbitrary value of
current. Fix this by removing namespace-awarness in the kfunc, and
include a test that detects such a case and fails without the fix.
Changelog:
----------
v1 -> v2
v1: https://lore.kernel.org/bpf/20250811175045.1055202-1-memxor@gmail.com
* Add Ack from Tejun.
* Fix selftest to perform namespace migration and cgroup setup in a
child process to avoid changing test_progs namespace.
Kumar Kartikeya Dwivedi (2):
bpf: Do not limit bpf_cgroup_from_id to current's namespace
selftests/bpf: Add a test for bpf_cgroup_from_id lookup in non-root
cgns
include/linux/cgroup.h | 2 +-
kernel/bpf/cgroup_iter.c | 2 +-
kernel/bpf/helpers.c | 2 +-
kernel/cgroup/cgroup.c | 7 +-
.../selftests/bpf/prog_tests/cgrp_kfunc.c | 76 +++++++++++++++++++
.../selftests/bpf/progs/cgrp_kfunc_success.c | 12 +++
6 files changed, 97 insertions(+), 4 deletions(-)
base-commit: fa479132845e94b60068fad01c2a9979b3efe2dc
--
2.47.3
next reply other threads:[~2025-08-11 19:59 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-11 19:58 Kumar Kartikeya Dwivedi [this message]
2025-08-11 19:59 ` [PATCH bpf-next v2 1/2] bpf: Do not limit bpf_cgroup_from_id to current's namespace Kumar Kartikeya Dwivedi
2025-08-12 23:20 ` Andrii Nakryiko
2025-08-12 23:36 ` Kumar Kartikeya Dwivedi
2025-08-11 19:59 ` [PATCH bpf-next v2 2/2] selftests/bpf: Add a test for bpf_cgroup_from_id lookup in non-root cgns Kumar Kartikeya Dwivedi
2025-08-11 22:51 ` Eduard Zingerman
2025-08-11 22:57 ` Kumar Kartikeya Dwivedi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250811195901.1651800-1-memxor@gmail.com \
--to=memxor@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dschatzberg@meta.com \
--cc=eddyz87@gmail.com \
--cc=kernel-team@meta.com \
--cc=kkd@meta.com \
--cc=martin.lau@kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).