From mboxrd@z Thu Jan 1 00:00:00 1970 From: Roman Gushchin Subject: Re: [PATCH bpf-next 1/6] bpf: introduce BPF_PROG_TYPE_FILE_FILTER Date: Thu, 4 Oct 2018 19:41:28 +0000 Message-ID: <20181004194123.GA12697@castle.DHCP.thefacebook.com> References: <20181004025750.498303-1-ast@kernel.org> <20181004025750.498303-2-ast@kernel.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Cc: "David S . Miller" , "daniel@iogearbox.net" , "luto@amacapital.net" , "viro@zeniv.linux.org.uk" , "netdev@vger.kernel.org" , "linux-kernel@vger.kernel.org" , Kernel Team To: Alexei Starovoitov Return-path: In-Reply-To: <20181004025750.498303-2-ast@kernel.org> Content-Language: en-US Content-ID: <1A6F8AA5A92E6241B856E5749AF84C9A@namprd15.prod.outlook.com> Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On Wed, Oct 03, 2018 at 07:57:45PM -0700, Alexei Starovoitov wrote: > Similar to networking sandboxing programs and cgroup-v2 based hooks > (BPF_CGROUP_INET_[INGRESS|EGRESS,] BPF_CGROUP_INET[4|6]_[BIND|CONNECT], e= tc) > introduce basic per-container sandboxing for file access via > new BPF_PROG_TYPE_FILE_FILTER program type that attaches after > security_file_open() LSM hook and works as additional file_open filter. > The new cgroup bpf hook is called BPF_CGROUP_FILE_OPEN. >=20 > Just like other cgroup-bpf programs new BPF_PROG_TYPE_FILE_FILTER type > is only available to root. >=20 > This program type has access to single argument 'struct bpf_file_info' > that contains standard sys_stat fields: > struct bpf_file_info { > __u64 inode; > __u32 dev_major; > __u32 dev_minor; > __u32 fs_magic; > __u32 mnt_id; > __u32 nlink; > __u32 mode; /* file mode S_ISDIR, S_ISLNK, 0755, etc */ > __u32 flags; /* open flags O_RDWR, O_CREAT, etc */ > }; It's probably nice to have file uid/gid as well. Thanks!