From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jesper Dangaard Brouer
Subject: Re: [PATCH bpf-next] BPF: helpers: New helper to obtain namespace data from current task
Date: Thu, 9 Aug 2018 15:46:53 +0200
Message-ID: <20180809154653.40396ce3@redhat.com>
References: <20180809131800.11338-1-cneirabustos@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: brouer@redhat.com, netdev@vger.kernel.org, ebiederm@xmission.com, quentin.monnet@netronome.com, ys114321@gmail.com
To: Carlos Neira
Return-path:
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:52224 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730090AbeHIQL4 (ORCPT ); Thu, 9 Aug 2018 12:11:56 -0400
In-Reply-To: <20180809131800.11338-1-cneirabustos@gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

On Thu, 9 Aug 2018 09:18:00 -0400 Carlos Neira wrote:
> From: cneira
>
> This helper obtains the active namespace from current and returns pid, tgid,
> device and namespace id as seen from that namespace, allowing to instrument
> a process inside a container.
> Device is read from /proc/self/ns/pid, as in the future it's possible that
> different pid_ns files may belong to different devices, according
> to the discussion between Eric Biederman and Yonghong in 2017 linux plumbers
> conference.
>
> Currently bpf_get_current_pid_tgid() is used to do pid filtering in bcc's
> scripts but this helper returns the pid as seen by the root namespace which is
> fine when a bcc script is not executed inside a container.
> When the process of interest is inside a container, pid filtering will not work
> if bpf_get_current_pid_tgid() is used. This helper addresses this limitation
> returning the pid as it's seen by the current namespace where the script is
> executing.
>
> This helper has the same use cases as bpf_get_current_pid_tgid() as it can be
> used to do pid filtering even inside a container.
>
> For example a bcc script using bpf_get_current_pid_tgid() (tools/funccount.py):
>
> u32 pid = bpf_get_current_pid_tgid() >> 32;
> if (pid != )
> return 0;
>
> Could be modified to use bpf_get_current_pidns_info() as follows:
>
> struct bpf_pidns pidns;
> bpf_get_current_pid_tgid(&pidns, sizeof(struct bpf_pidns));
  ^^^^^^^^^^^^^^^^^^^^^^^^

Shouldn't this be: bpf_get_current_pidns_info(...)

> u32 pid = pidns.tgid;
> u32 nsid = pidns.nsid;
> if ((pid != ) && (nsid != ))
> return 0;
> [...]
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index dd5758dc35d3..031e7d9dba09 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -2113,6 +2113,18 @@ union bpf_attr { > * the shared data. > * Return > * Pointer to the local storage area. > + * > + * int bpf_get_current_pidns(struct bpf_pidns_info *pidns, u32 size_of_pidns) Should this be: bpf_get_current_pidns_info(...) > + * Description > + * Copies into *pidns* pid, namespace id and tgid as seen by the > + * current namespace and also device from /proc/self/ns/pid. > + * *size_of_pidns* must be the size of *pidns* > + * > + * This helper is used when pid filtering is needed inside a > + * container as bpf_get_current_tgid() helper returns always the > + * pid id as seen by the root namespace. > + * Return > + * 0 on success -EINVAL on error. > */ > #define __BPF_FUNC_MAPPER(FN) \ > FN(unspec), \ > @@ -2196,7 +2208,8 @@ union bpf_attr { > FN(rc_keydown), \ > FN(skb_cgroup_id), \ > FN(get_current_cgroup_id), \ > - FN(get_local_storage), > + FN(get_local_storage), \ > + FN(get_current_pidns_info), -- Best regards, Jesper Dangaard Brouer MSc.CS, Principal Kernel Engineer at Red Hat LinkedIn: http://www.linkedin.com/in/brouer
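Review bot: the prototype documented in the first hunk, `int bpf_get_current_pidns(struct bpf_pidns_info *pidns, u32 size_of_pidns)`, does not match the name registered in `__BPF_FUNC_MAPPER` (`FN(get_current_pidns_info)`) nor the name used throughout the commit message, and the commit message's own example declares `struct bpf_pidns` while the prototype takes `struct bpf_pidns_info *`; the generated bpf-helpers documentation is keyed on exactly this prototype line (scripts/bpf_helpers_doc.py), so it should read `int bpf_get_current_pidns_info(struct bpf_pidns_info *pidns, u32 size_of_pidns)` and the example should use the same struct name. Two smaller points in the same comment: `bpf_get_current_tgid()` in the Description is not an existing helper (the one meant is `bpf_get_current_pid_tgid()`), and since Return promises `-EINVAL on error`, the Description should say when that happens, at minimum the `*size_of_pidns*` mismatch the sentence before it alludes to, so a program author knows which check they are failing.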
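Review bot: the mapper hunk is the one that fixes the helper's public name, `get_current_pidns_info`, so the prototype comment and the commit-message example should be brought in line with it rather than the other way round; the entry itself is placed correctly, appended as the last `FN()` with the continuation backslash added to `FN(get_local_storage), \`, which leaves the existing helper numbers unchanged.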
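The commit message says the helper's "device" and "namespace id" come from /proc/self/ns/pid; the user-space side of that, how a tool like a bcc script learns the (dev, nsid) pair it wants to filter on, is the same stat(2) of /proc/<pid>/ns/pid. This is an added example and not code from the patch or from bcc; the struct and function names are ours (the patch names its struct bpf_pidns_info), and it assumes Linux with /proc mounted.

```c
/* Added example: user-space view of the pid-namespace identity the proposed
 * helper reports. Names here (pidns_ident, pidns_ident_of, same_pidns) are our
 * own, not the patch's. Assumes Linux with /proc mounted. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct pidns_ident {
    unsigned long long dev;  /* st_dev of the ns file: the "device" in the patch */
    unsigned long long nsid; /* st_ino of the ns file: the "namespace id" */
};

/* Fill *out from /proc/<who>/ns/pid, where who is a numeric pid or "self".
 * Returns 0 on success, or -1 with errno set (ENOENT for a pid that does not
 * exist or when /proc is absent; ENAMETOOLONG for an oversized argument). */
int pidns_ident_of(const char *who, struct pidns_ident *out)
{
    char path[64];
    struct stat st;

    if (snprintf(path, sizeof(path), "/proc/%s/ns/pid", who) >= (int)sizeof(path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (stat(path, &st) != 0)   /* follows the ns symlink into nsfs */
        return -1;
    out->dev = st.st_dev;
    out->nsid = st.st_ino;
    return 0;
}

/* The comparison a filtering program applies: both halves must match, just as
 * the commit message's example checks pid and nsid together. */
int same_pidns(const struct pidns_ident *a, const struct pidns_ident *b)
{
    return a->dev == b->dev && a->nsid == b->nsid;
}

int main(void)
{
    struct pidns_ident me;
    char pid[32];

    snprintf(pid, sizeof(pid), "%ld", (long)getpid());
    if (pidns_ident_of(pid, &me) != 0) {
        perror("pidns_ident_of");
        return 1;
    }
    printf("pid %s: dev=0x%llx nsid=%llu\n", pid, me.dev, me.nsid);
    return 0;
}
```

Run it once on the host and once inside a container (`unshare -fp`) and the nsid differs while the pid of the same process is what each namespace sees, which is exactly the distinction the helper is meant to expose to a BPF program.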