From: Stanislav Fomichev <sdf@google.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
Stanislav Fomichev <sdf@google.com>,
kafai@fb.com, kpsingh@kernel.org, jakub@cloudflare.com
Subject: [PATCH bpf-next v6 00/10] bpf: cgroup_sock lsm flavor
Date: Fri, 29 Apr 2022 14:15:30 -0700 [thread overview]
Message-ID: <20220429211540.715151-1-sdf@google.com> (raw)
This series implements new lsm flavor for attaching per-cgroup programs to
existing lsm hooks. The cgroup is taken out of 'current', unless
the first argument of the hook is 'struct socket'. In this case,
the cgroup association is taken out of socket. The attachment
looks like a regular per-cgroup attachment: we add new BPF_LSM_CGROUP
attach type which, together with attach_btf_id, signals per-cgroup lsm.
Behind the scenes, we allocate trampoline shim program and
attach to lsm. This program looks up cgroup from current/socket
and runs cgroup's effective prog array. The rest of the per-cgroup BPF
stays the same: hierarchy, local storage, retval conventions
(return 1 == success).
Current limitations:
* haven't considered sleepable bpf; can be extended later on
* not sure the verifier does the right thing with null checks;
see latest selftest for details
* total of 10 (global) per-cgroup LSM attach points; this bloats
bpf_cgroup a bit
Cc: ast@kernel.org
Cc: daniel@iogearbox.net
Cc: kafai@fb.com
Cc: kpsingh@kernel.org
Cc: jakub@cloudflare.com
v6:
- remove active count & stats for shim program (Martin KaFai Lau)
- remove NULL/error check for btf_vmlinux (Martin)
- don't check cgroup_atype in bpf_cgroup_lsm_shim_release (Martin)
- use old_prog (instead of passed one) in __cgroup_bpf_detach (Martin)
- make sure attach_btf_id is the same in __cgroup_bpf_replace (Martin)
- enable cgroup local storage and test it (Martin)
- properly implement prog query and add bpftool & tests (Martin)
- prohibit non-shared cgroup storage mode for BPF_LSM_CGROUP (Martin)
v5:
- __cgroup_bpf_run_lsm_socket remove NULL sock/sk checks (Martin KaFai Lau)
- __cgroup_bpf_run_lsm_{socket,current} s/prog/shim_prog/ (Martin)
- make sure bpf_lsm_find_cgroup_shim works for hooks without args (Martin)
- __cgroup_bpf_attach make sure attach_btf_id is the same when replacing (Martin)
- call bpf_cgroup_lsm_shim_release only for LSM_CGROUP (Martin)
- drop BPF_LSM_CGROUP from bpf_attach_type_to_tramp (Martin)
- drop jited check from cgroup_shim_find (Martin)
- new patch to convert cgroup_bpf to hlist_node (Jakub Sitnicki)
- new shim flavor for 'struct sock' + list of exceptions (Martin)
v4:
- fix build when jit is on but syscall is off
v3:
- add BPF_LSM_CGROUP to bpftool
- use simple int instead of refcnt_t (to avoid use-after-free
false positive)
v2:
- addressed build bot failures
Stanislav Fomichev (10):
bpf: add bpf_func_t and trampoline helpers
bpf: convert cgroup_bpf.progs to hlist
bpf: per-cgroup lsm flavor
bpf: minimize number of allocated lsm slots per program
bpf: implement BPF_PROG_QUERY for BPF_LSM_CGROUP
bpf: allow writing to a subset of sock fields from lsm progtype
libbpf: add lsm_cgoup_sock type
bpftool: implement cgroup tree for BPF_LSM_CGROUP
selftests/bpf: lsm_cgroup functional test
selftests/bpf: verify lsm_cgroup struct sock access
arch/x86/net/bpf_jit_comp.c | 22 +-
include/linux/bpf-cgroup-defs.h | 11 +-
include/linux/bpf-cgroup.h | 9 +-
include/linux/bpf.h | 26 +-
include/linux/bpf_lsm.h | 8 +
include/uapi/linux/bpf.h | 2 +
kernel/bpf/bpf_lsm.c | 117 ++++++
kernel/bpf/btf.c | 11 +
kernel/bpf/cgroup.c | 391 +++++++++++++++---
kernel/bpf/syscall.c | 13 +-
kernel/bpf/trampoline.c | 222 ++++++++--
kernel/bpf/verifier.c | 35 +-
tools/bpf/bpftool/cgroup.c | 138 +++++--
tools/bpf/bpftool/common.c | 1 +
tools/include/uapi/linux/bpf.h | 2 +
tools/lib/bpf/bpf.c | 42 +-
tools/lib/bpf/bpf.h | 15 +
tools/lib/bpf/libbpf.c | 2 +
tools/lib/bpf/libbpf.map | 1 +
.../selftests/bpf/prog_tests/lsm_cgroup.c | 236 +++++++++++
.../testing/selftests/bpf/progs/lsm_cgroup.c | 160 +++++++
tools/testing/selftests/bpf/test_verifier.c | 54 ++-
.../selftests/bpf/verifier/lsm_cgroup.c | 34 ++
23 files changed, 1406 insertions(+), 146 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/lsm_cgroup.c
create mode 100644 tools/testing/selftests/bpf/progs/lsm_cgroup.c
create mode 100644 tools/testing/selftests/bpf/verifier/lsm_cgroup.c
--
2.36.0.464.gb9c8b46e94-goog
next reply other threads:[~2022-04-29 21:15 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-29 21:15 Stanislav Fomichev [this message]
2022-04-29 21:15 ` [PATCH bpf-next v6 01/10] bpf: add bpf_func_t and trampoline helpers Stanislav Fomichev
2022-04-29 21:15 ` [PATCH bpf-next v6 02/10] bpf: convert cgroup_bpf.progs to hlist Stanislav Fomichev
2022-05-18 15:16 ` Jakub Sitnicki
2022-04-29 21:15 ` [PATCH bpf-next v6 03/10] bpf: per-cgroup lsm flavor Stanislav Fomichev
2022-05-06 23:02 ` Martin KaFai Lau
2022-05-09 23:38 ` Stanislav Fomichev
2022-05-10 7:13 ` Martin KaFai Lau
2022-05-10 17:30 ` Stanislav Fomichev
2022-05-10 19:18 ` Martin KaFai Lau
2022-05-10 21:14 ` Stanislav Fomichev
2022-05-09 21:51 ` Andrii Nakryiko
2022-05-09 23:38 ` Stanislav Fomichev
2022-04-29 21:15 ` [PATCH bpf-next v6 04/10] bpf: minimize number of allocated lsm slots per program Stanislav Fomichev
2022-05-10 5:05 ` Alexei Starovoitov
2022-05-10 17:31 ` sdf
2022-05-12 4:07 ` Alexei Starovoitov
2022-04-29 21:15 ` [PATCH bpf-next v6 05/10] bpf: implement BPF_PROG_QUERY for BPF_LSM_CGROUP Stanislav Fomichev
2022-05-07 0:12 ` Martin KaFai Lau
2022-05-09 23:38 ` Stanislav Fomichev
2022-05-09 21:49 ` Andrii Nakryiko
2022-05-09 23:38 ` Stanislav Fomichev
2022-04-29 21:15 ` [PATCH bpf-next v6 06/10] bpf: allow writing to a subset of sock fields from lsm progtype Stanislav Fomichev
2022-04-29 21:15 ` [PATCH bpf-next v6 07/10] libbpf: add lsm_cgoup_sock type Stanislav Fomichev
2022-04-29 21:15 ` [PATCH bpf-next v6 08/10] bpftool: implement cgroup tree for BPF_LSM_CGROUP Stanislav Fomichev
2022-04-29 21:15 ` [PATCH bpf-next v6 09/10] selftests/bpf: lsm_cgroup functional test Stanislav Fomichev
2022-04-29 21:15 ` [PATCH bpf-next v6 10/10] selftests/bpf: verify lsm_cgroup struct sock access Stanislav Fomichev
2022-05-09 21:54 ` Andrii Nakryiko
2022-05-09 23:38 ` Stanislav Fomichev
2022-05-09 23:43 ` Andrii Nakryiko
2022-05-10 17:31 ` Stanislav Fomichev
2022-05-12 3:37 ` Andrii Nakryiko
2022-05-12 17:11 ` Stanislav Fomichev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220429211540.715151-1-sdf@google.com \
--to=sdf@google.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jakub@cloudflare.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).