[net-next PATCH 04/10] bpf: introduce new program type for skbs on sockets

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: John Fastabend <john.fastabend@gmail.com>
To: davem@davemloft.net, daniel@iogearbox.net, ast@fb.com
Cc: tgraf@suug.ch, netdev@vger.kernel.org, john.fastabend@gmail.com,
	tom@herbertland.com
Subject: [net-next PATCH 04/10] bpf: introduce new program type for skbs on sockets
Date: Tue, 15 Aug 2017 22:31:58 -0700	[thread overview]
Message-ID: <20170816053158.15445.22396.stgit@john-Precision-Tower-5810> (raw)
In-Reply-To: <20170816052338.15445.83732.stgit@john-Precision-Tower-5810>

A class of programs, run from strparser and soon from a new map type
called sock map, are used with skb as the context but on established
sockets. By creating a specific program type for these we can use
bpf helpers that expect full sockets and get the verifier to ensure
these helpers are not used out of context.

The new type is BPF_PROG_TYPE_SK_SKB. This patch introduces the
infrastructure and type.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
 include/linux/bpf_types.h |    1 +
 include/uapi/linux/bpf.h  |    1 +
 net/core/filter.c         |   36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+)

diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
index b1e1035..4b72db3 100644
--- a/include/linux/bpf_types.h
+++ b/include/linux/bpf_types.h
@@ -11,6 +11,7 @@
 BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_OUT, lwt_inout_prog_ops)
 BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_XMIT, lwt_xmit_prog_ops)
 BPF_PROG_TYPE(BPF_PROG_TYPE_SOCK_OPS, sock_ops_prog_ops)
+BPF_PROG_TYPE(BPF_PROG_TYPE_SK_SKB, sk_skb_prog_ops)
 #endif
 #ifdef CONFIG_BPF_EVENTS
 BPF_PROG_TYPE(BPF_PROG_TYPE_KPROBE, kprobe_prog_ops)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 91da837..2e796e3 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -127,6 +127,7 @@ enum bpf_prog_type {
 	BPF_PROG_TYPE_LWT_OUT,
 	BPF_PROG_TYPE_LWT_XMIT,
 	BPF_PROG_TYPE_SOCK_OPS,
+	BPF_PROG_TYPE_SK_SKB,
 };
 
 enum bpf_attach_type {
diff --git a/net/core/filter.c b/net/core/filter.c
index 5afe3ac..c1108bf 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3234,6 +3234,20 @@ static unsigned long bpf_xdp_copy(void *dst_buff, const void *src_buff,
 	}
 }
 
+static const struct bpf_func_proto *sk_skb_func_proto(enum bpf_func_id func_id)
+{
+	switch (func_id) {
+	case BPF_FUNC_skb_load_bytes:
+		return &bpf_skb_load_bytes_proto;
+	case BPF_FUNC_get_socket_cookie:
+		return &bpf_get_socket_cookie_proto;
+	case BPF_FUNC_get_socket_uid:
+		return &bpf_get_socket_uid_proto;
+	default:
+		return bpf_base_func_proto(func_id);
+	}
+}
+
 static const struct bpf_func_proto *
 lwt_xmit_func_proto(enum bpf_func_id func_id)
 {
@@ -3525,6 +3539,22 @@ static bool sock_ops_is_valid_access(int off, int size,
 	return __is_valid_sock_ops_access(off, size);
 }
 
+static bool sk_skb_is_valid_access(int off, int size,
+				   enum bpf_access_type type,
+				   struct bpf_insn_access_aux *info)
+{
+	switch (off) {
+	case bpf_ctx_range(struct __sk_buff, data):
+		info->reg_type = PTR_TO_PACKET;
+		break;
+	case bpf_ctx_range(struct __sk_buff, data_end):
+		info->reg_type = PTR_TO_PACKET_END;
+		break;
+	}
+
+	return bpf_skb_is_valid_access(off, size, type, info);
+}
+
 static u32 bpf_convert_ctx_access(enum bpf_access_type type,
 				  const struct bpf_insn *si,
 				  struct bpf_insn *insn_buf,
@@ -3992,6 +4022,12 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
 	.convert_ctx_access	= sock_ops_convert_ctx_access,
 };
 
+const struct bpf_verifier_ops sk_skb_prog_ops = {
+	.get_func_proto		= sk_skb_func_proto,
+	.is_valid_access	= sk_skb_is_valid_access,
+	.convert_ctx_access	= bpf_convert_ctx_access,
+};
+
 int sk_detach_filter(struct sock *sk)
 {
 	int ret = -ENOENT;

next prev parent reply	other threads:[~2017-08-16  5:32 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-08-16  5:30 [net-next PATCH 00/10] BPF: sockmap and sk redirect support John Fastabend
2017-08-16  5:30 ` [net-next PATCH 01/10] net: early init support for strparser John Fastabend
2017-08-16  5:31 ` [net-next PATCH 02/10] net: add sendmsg_locked and sendpage_locked to af_inet6 John Fastabend
2017-08-16  5:31 ` [net-next PATCH 03/10] net: fixes for skb_send_sock John Fastabend
2017-08-16  5:31 ` John Fastabend [this message]
2017-08-16  5:32 ` [net-next PATCH 05/10] bpf: export bpf_prog_inc_not_zero John Fastabend
2017-08-16  5:32 ` [net-next PATCH 06/10] bpf: sockmap with sk redirect support John Fastabend
2017-08-17  5:40   ` Alexei Starovoitov
2017-08-17 18:58     ` John Fastabend
2017-08-17 22:28       ` Alexei Starovoitov
2017-08-18  7:35         ` John Fastabend
2017-08-18 18:32           ` Alexei Starovoitov
2017-08-19  3:30             ` John Fastabend
2017-08-19  4:50               ` Alexei Starovoitov
2017-08-19 20:52                 ` John Fastabend
2017-08-16  5:33 ` [net-next PATCH 07/10] bpf: add access to sock fields and pkt data from sk_skb programs John Fastabend
2017-08-17  5:42   ` Alexei Starovoitov
2017-08-17 12:40     ` Daniel Borkmann
2017-08-16  5:33 ` [net-next PATCH 08/10] bpf: sockmap sample program John Fastabend
2017-08-16  5:33 ` [net-next PATCH 09/10] bpf: selftests: add tests for new __sk_buff members John Fastabend
2017-08-16  5:34 ` [net-next PATCH 10/10] bpf: selftests add sockmap tests John Fastabend
2017-08-16 15:25 ` [net-next PATCH 00/10] BPF: sockmap and sk redirect support Daniel Borkmann
2017-08-16 18:28 ` David Miller
2017-08-16 18:35   ` David Miller
2017-08-16 19:06     ` John Fastabend
2017-08-16 19:13       ` David Miller
2017-08-16 19:17         ` Eric Dumazet
2017-08-16 19:34           ` John Fastabend
2017-08-16 21:22             ` David Miller
2017-08-16 21:35             ` David Ahern
2017-08-16 21:37               ` John Fastabend

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b1e1035 dfblob:4b72db3 dfblob:91da837 dfblob:2e796e3
dfblob:5afe3ac dfblob:c1108bf )
 OR (
bs:"[net-next PATCH 04/10] bpf: introduce new program type for skbs on sockets" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170816053158.15445.22396.stgit@john-Precision-Tower-5810 \
    --to=john.fastabend@gmail.com \
    --cc=ast@fb.com \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    --cc=tgraf@suug.ch \
    --cc=tom@herbertland.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox