From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Mack <daniel@zonque.org>,
htejun@fb.com, daniel@iogearbox.net, ast@fb.com,
davem@davemloft.net, kafai@fb.com, fw@strlen.de,
harald@redhat.com, netdev@vger.kernel.org, sargun@sargun.me,
cgroups@vger.kernel.org
Subject: Re: [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs
Date: Mon, 19 Sep 2016 22:39:45 +0200 [thread overview]
Message-ID: <20160919203945.GB888@salvia> (raw)
In-Reply-To: <20160919201322.GA84770@ast-mbp.thefacebook.com>
On Mon, Sep 19, 2016 at 01:13:27PM -0700, Alexei Starovoitov wrote:
> On Mon, Sep 19, 2016 at 09:19:10PM +0200, Pablo Neira Ayuso wrote:
[...]
> > 2) This will turn the stack into a nightmare to debug I predict. If
> > any process with CAP_NET_ADMIN can potentially attach bpf blobs
> > via these hooks, we will have to include in the network stack
>
> a process without CAP_NET_ADMIN can attach bpf blobs to
> system calls via seccomp. bpf is already used for security and policing.
That is a local mechanism, it applies to parent process and child
processes, just like SO_ATTACH_FILTER.
The usecase that we're discussing here enforces a global policy.
next prev parent reply other threads:[~2016-09-19 20:39 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-19 16:43 [PATCH v6 0/6] Add eBPF hooks for cgroups Daniel Mack
2016-09-19 16:43 ` [PATCH v6 1/6] bpf: add new prog type for cgroup socket filtering Daniel Mack
2016-09-19 16:43 ` [PATCH v6 3/6] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands Daniel Mack
[not found] ` <1474303441-3745-1-git-send-email-daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-19 16:43 ` [PATCH v6 2/6] cgroup: add support for eBPF programs Daniel Mack
2016-09-19 16:43 ` [PATCH v6 4/6] net: filter: run cgroup eBPF ingress programs Daniel Mack
2016-09-19 16:44 ` [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs Daniel Mack
2016-09-19 19:19 ` Pablo Neira Ayuso
2016-09-19 19:30 ` Daniel Mack
[not found] ` <ac88bb4c-ab7c-1f74-c7fd-79e523b50ae4-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-19 20:35 ` Pablo Neira Ayuso
2016-09-19 20:56 ` Daniel Mack
2016-09-20 14:29 ` Pablo Neira Ayuso
2016-09-20 16:43 ` Daniel Mack
[not found] ` <6584b975-fa3e-8d98-f0c7-a2c6b194b2b6-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-21 15:45 ` Pablo Neira Ayuso
2016-09-21 18:48 ` Thomas Graf
[not found] ` <20160921184827.GA15732-4EA/1caXOu0mYvmMESoHnA@public.gmane.org>
2016-09-22 9:21 ` Pablo Neira Ayuso
2016-09-22 9:54 ` Thomas Graf
[not found] ` <20160922095411.GA5654-4EA/1caXOu0mYvmMESoHnA@public.gmane.org>
2016-09-22 12:05 ` Pablo Neira Ayuso
2016-09-22 15:12 ` Daniel Borkmann
[not found] ` <57E3F4F9.70300-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2016-09-22 15:53 ` Daniel Mack
2016-09-23 13:17 ` [PATCH v6 5/6] net: ipv4, ipv6: run cgroup ebpf " Pablo Neira Ayuso
2016-09-26 10:10 ` Daniel Borkmann
2016-09-20 16:53 ` [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF " Thomas Graf
2016-09-19 20:13 ` Alexei Starovoitov
2016-09-19 20:39 ` Pablo Neira Ayuso [this message]
[not found] ` <20160919201322.GA84770-+o4/htvd0TDFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-09-19 21:28 ` Thomas Graf
[not found] ` <1474303441-3745-6-git-send-email-daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-20 5:44 ` kbuild test robot
2016-10-21 5:32 ` [PATCH v6 0/6] Add eBPF hooks for cgroups David Ahern
2016-09-19 16:44 ` [PATCH v6 6/6] samples: bpf: add userspace example for attaching eBPF programs to cgroups Daniel Mack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160919203945.GB888@salvia \
--to=pablo@netfilter.org \
--cc=alexei.starovoitov@gmail.com \
--cc=ast@fb.com \
--cc=cgroups@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=daniel@zonque.org \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=harald@redhat.com \
--cc=htejun@fb.com \
--cc=kafai@fb.com \
--cc=netdev@vger.kernel.org \
--cc=sargun@sargun.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).