Re: [PATCH v16 0/5] BPF: New helper to obtain namespace data from current task

[Carlos Antonio Neira Bustos <cneirabustos@gmail.com>]

On Thu, Jan 09, 2020 at 05:46:29PM -0800, Alexei Starovoitov wrote:
> On Wed, Dec 18, 2019 at 9:38 AM Carlos Neira <cneirabustos@gmail.com> wrote:
> >
> > Currently bpf_get_current_pid_tgid(), is used to do pid filtering in bcc's
> > scripts but this helper returns the pid as seen by the root namespace which is
> > fine when a bcc script is not executed inside a container.
> > When the process of interest is inside a container, pid filtering will not work
> > if bpf_get_current_pid_tgid() is used.
> > This helper addresses this limitation returning the pid as it's seen by the current
> > namespace where the script is executing.
> >
> > In the future different pid_ns files may belong to different devices, according to the
> > discussion between Eric Biederman and Yonghong in 2017 Linux plumbers conference.
> > To address that situation the helper requires inum and dev_t from /proc/self/ns/pid.
> > This helper has the same use cases as bpf_get_current_pid_tgid() as it can be
> > used to do pid filtering even inside a container.
> 
> I think the set looks like fine. Please respin against bpf-next
> carrying over Yonghong's ack and I'll apply it.
> Please squash patch 2 and 3 together.
> Updates to tools/uapi/bpf.h don't need to be separated anymore.
> Patch 5 can be squashed into them as well.
> Could you also improve selftest from patch 4 to test new helper
> both inside and outside of some container?
> With unshare(CLONE_NEWPID) or something.
> Do you have corresponding bcc change to show how it's going to be used?

Thanks Alexei,
I'll squash patches 2, 3, 5 together and improve the new helper test, regarding bcc
changes, I also need to work on that as the one I created a while ago now
is not valid https://github.com/iovisor/bcc/pull/1901/commits/a81b4352173cb82922d4d4bb965a39f781fd7693

Bests