From: Song Liu <song@kernel.org>
To: bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Cc: kernel-team@meta.com, andrii@kernel.org, eddyz87@gmail.com,
ast@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev,
viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz,
kpsingh@kernel.org, mattbobrowski@google.com, amir73il@gmail.com,
repnop@google.com, jlayton@kernel.org, josef@toxicpanda.com,
mic@digikod.net, gnoack@google.com, Song Liu <song@kernel.org>
Subject: [RFC/PATCH v2 bpf-next fanotify 0/7] Fanotify fastpath handler
Date: Thu, 14 Nov 2024 00:43:38 -0800
Message-ID: <20241114084345.1564165-1-song@kernel.org>

Overview of v2:

Patch 1/7 adds logic to write fastpath handlers in kernel modules.
Patch 2/7 adds a sample of a fastpath handler in a kernel module.
Patch 3/7 to 5/7 are preparation work on BPF side.
Patch 6/7 adds logic to write fastpath handlers in bpf programs.
Patch 7/7 is a selftest and example of bpf based fastpath handler.

Changes v1 => v2:
1. Add sysfs entries for fastpath handler.
2. Rewrite the sample and bpf selftest to handle subtree monitoring.
   This requires quite some work from BPF side to properly handle
   inode, dentry, etc.
3. Add CONFIG_FANOTIFY_FASTPATH.
4. Add more documents.

TODO of v2:
1. Enable private (not added to global list) bpf based fastpath handlers.
4. Man pages.

From v1 RFC:

This RFC set introduces an in-kernel fastpath handler for fanotify. The
fastpath handler can be used to handle/filter some events without going
through userspace.

In LPC 2024, multiple talks covered use cases of monitoring a subtree in
the VFS (fanotify: [1], bpf/lsm: [2]). This work is inspired by these
discussions. Reliable monitoring of a subtree with low overhead is a hard
problem. We do not claim this set fully solves the problem. But we think this
work can be a very useful building block of the solution to this problem.

The fastpath handler can be implemented with built-in logic, in a kernel
module, or a bpf program. The fastpath handler is attached to a fsnotify
group. With the current implementation, multiple fastpath handlers are
maintained in a global list. Only users with CAP_SYS_ADMIN can add
fastpath handlers to the list by loading a kernel module. Users without
CAP_SYS_ADMIN can attach a loaded fastpath handler to fanotify instances.
During the attach operation, the fastpath handler can take an argument.
This enables non-CAP_SYS_ADMIN users to customize/configure the fastpath
handler, for example, with a specific allowlist/denylist.

As the patchset grows to 1000+ lines (including samples and tests), I
would like some feedback before pushing it further.

[1] https://lpc.events/event/18/contributions/1717/
[2] https://lpc.events/event/18/contributions/1940/

Song Liu (7):
  fanotify: Introduce fanotify fastpath handler
  samples/fanotify: Add a sample fanotify fastpath handler
  bpf: Make bpf inode storage available to tracing programs
  bpf: fs: Add three kfuncs
  bpf: Allow bpf map hold reference on dentry
  fanotify: Enable bpf based fanotify fastpath handler
  selftests/bpf: Add test for BPF based fanotify fastpath handler

MAINTAINERS | 1 +
fs/Makefile | 2 +-
fs/bpf_fs_kfuncs.c | 51 +-
fs/inode.c | 2 +
fs/notify/fanotify/Kconfig | 13 +
fs/notify/fanotify/Makefile | 1 +
fs/notify/fanotify/fanotify.c | 29 ++
fs/notify/fanotify/fanotify_fastpath.c | 448 ++++++++++++++++++
fs/notify/fanotify/fanotify_user.c | 7 +
include/linux/bpf.h | 9 +
include/linux/bpf_lsm.h | 29 --
include/linux/fanotify.h | 131 +++++
include/linux/fs.h | 4 +
include/linux/fsnotify_backend.h | 4 +
include/uapi/linux/fanotify.h | 25 +
kernel/bpf/Makefile | 3 +-
kernel/bpf/bpf_inode_storage.c | 176 +++++--
kernel/bpf/bpf_lsm.c | 4 -
kernel/bpf/helpers.c | 14 +-
kernel/bpf/verifier.c | 6 +
kernel/trace/bpf_trace.c | 8 +
samples/Kconfig | 20 +-
samples/Makefile | 2 +-
samples/fanotify/.gitignore | 1 +
samples/fanotify/Makefile | 5 +-
samples/fanotify/fastpath-mod.c | 82 ++++
samples/fanotify/fastpath-user.c | 111 +++++
security/bpf/hooks.c | 7 -
tools/testing/selftests/bpf/bpf_kfuncs.h | 5 +
tools/testing/selftests/bpf/config | 2 +
.../testing/selftests/bpf/prog_tests/fan_fp.c | 264 +++++++++++
tools/testing/selftests/bpf/progs/fan_fp.c | 154 ++++++
32 files changed, 1530 insertions(+), 90 deletions(-)
create mode 100644 fs/notify/fanotify/fanotify_fastpath.c
create mode 100644 samples/fanotify/fastpath-mod.c
create mode 100644 samples/fanotify/fastpath-user.c
create mode 100644 tools/testing/selftests/bpf/prog_tests/fan_fp.c
create mode 100644 tools/testing/selftests/bpf/progs/fan_fp.c
--
2.43.5