From: Alexei Starovoitov <alexei.starovoitov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "Mickaël Salaün" <mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Alexei Starovoitov <ast-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
Daniel Borkmann <daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>,
Daniel Mack <daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>,
"David S . Miller"
<davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Sargun Dhillon <sargun-GaZTRHToo+CzQB+pC5nmwQ@public.gmane.org>,
kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [RFC v2 09/10] landlock: Handle cgroups (netfilter match)
Date: Sat, 27 Aug 2016 11:32:52 -0700 [thread overview]
Message-ID: <20160827183250.GD38754@ast-mbp.thefacebook.com> (raw)
In-Reply-To: <57C1A159.3040905-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
On Sat, Aug 27, 2016 at 04:19:05PM +0200, Mickaël Salaün wrote:
>
> On 27/08/2016 01:05, Alexei Starovoitov wrote:
> > On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël Salaün wrote:
> >> To sum up, there is four related patchsets:
> >> * "Landlock LSM: Unprivileged sandboxing" (this series)
> >> * "Add Checmate, BPF-driven minor LSM" (Sargun Dhillon)
> >> * "Networking cgroup controller" (Anoop Naravaram)
> >> * "Add eBPF hooks for cgroups" (Daniel Mack)
>
> >>> Anoop Naravaram's use case is to control the ports the applications
> >>> under cgroup can bind and listen on.
> >>> Such use case can be solved by such 'lsm cgroup controller' by
> >>> attaching bpf program to security_socket_bind lsm hook and
> >>> filtering sockaddr.
> >>> Furthermore Sargun's use case is to allow further sockaddr rewrites
> >>> from the bpf program which can be done as natural extension
> >>> of such mechanism.
> >>>
> >>> If I understood Daniel's Anoop's Sargun's and yours use cases
> >>> correctly the common piece of kernel infrastructure that can solve
> >>> them all can start from Daniel's current set of patches that
> >>> establish a mechanism of attaching bpf program to a cgroup.
> >>> Then adding lsm hooks to it and later allowing argument rewrite
> >>> (since they're already in the kernel and no ToCToU problems exist)
>
> >> For the network-related series, I think it make more sense to simply
> >> create a netfilter rule matching a cgroup and then add more features to
> >> netfilter (restrict port ranges and so on) thanks to eBPF programs.
> >> Containers are (usually) in a dedicated network namespace, which open
> >> the possibility to not only rely on cgroups (e.g. match UID,
> >> netmask...). It would also be more flexible to be able to load a BPF
> >> program in netfilter and update its maps on the fly to make dynamic
> >> rules, like ipset does, but in a more generic way.
>
> What do the netdev folks think about this design?
such design doesn't scale when used for container management and
that's what we need to solve.
netns has its overhead and management issues. There are proposals to
solve that but that is orthogonal to containers in general.
A lot of them don't use netns.
next prev parent reply other threads:[~2016-08-27 18:32 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1472121165-29071-1-git-send-email-mic@digikod.net>
[not found] ` <1472121165-29071-10-git-send-email-mic@digikod.net>
[not found] ` <CALCETrVqfTaY4gfwNdwynBqWwYh6xsGHaqdoA3uc_jHogbkA-A@mail.gmail.com>
2016-08-25 14:44 ` [RFC v2 09/10] landlock: Handle cgroups Mickaël Salaün
2016-08-26 12:55 ` Tejun Heo
2016-08-26 14:20 ` Andy Lutomirski
2016-08-26 15:50 ` Tejun Heo
[not found] ` <20160826021432.GA8291@ast-mbp.thefacebook.com>
2016-08-26 15:10 ` Mickaël Salaün
2016-08-26 23:05 ` Alexei Starovoitov
[not found] ` <20160826230539.GA26683-+o4/htvd0TDFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-08-27 7:30 ` Andy Lutomirski
2016-08-27 18:11 ` Alexei Starovoitov
[not found] ` <20160827181153.GB38754-+o4/htvd0TDFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-08-28 8:14 ` Andy Lutomirski
2016-08-27 14:06 ` [RFC v2 09/10] landlock: Handle cgroups (performance) Mickaël Salaün
[not found] ` <57C19E6E.6040908-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-08-27 18:06 ` Alexei Starovoitov
2016-08-27 19:35 ` Mickaël Salaün
[not found] ` <57C1EB72.2050703-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-08-27 20:43 ` Alexei Starovoitov
2016-08-27 21:14 ` Mickaël Salaün
2016-08-28 8:13 ` Andy Lutomirski
2016-08-28 9:42 ` Mickaël Salaün
2016-08-30 18:55 ` Andy Lutomirski
2016-08-30 20:20 ` Mickaël Salaün
[not found] ` <57C5EAA3.5090901-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-08-30 20:23 ` Andy Lutomirski
2016-08-30 20:33 ` Mickaël Salaün
[not found] ` <57C5ED9B.3040303-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-08-30 20:55 ` Alexei Starovoitov
[not found] ` <20160830205552.GB71063-+o4/htvd0TDFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-08-30 21:45 ` Andy Lutomirski
2016-08-31 1:36 ` Alexei Starovoitov
[not found] ` <20160831013605.GB75654-+o4/htvd0TDFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-08-31 3:29 ` Andy Lutomirski
2016-08-27 14:19 ` [RFC v2 09/10] landlock: Handle cgroups (netfilter match) Mickaël Salaün
[not found] ` <57C1A159.3040905-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-08-27 18:32 ` Alexei Starovoitov [this message]
[not found] ` <CALCETrWhzk4ukY7-Ynr5Hb9wHGTpcHUe2TvkVRxgvoU0-esDAA@mail.gmail.com>
[not found] ` <57C1AD75.8070304@digikod.net>
2016-08-27 15:21 ` [RFC v2 00/10] Landlock LSM: Unprivileged sandboxing (cgroup delegation) Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160827183250.GD38754@ast-mbp.thefacebook.com \
--to=alexei.starovoitov-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=ast-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org \
--cc=daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org \
--cc=davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=kernel-hardening-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org \
--cc=netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=sargun-GaZTRHToo+CzQB+pC5nmwQ@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox