From: Alexei Starovoitov <ast@fb.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "David S . Miller" <davem@davemloft.net>,
Daniel Borkmann <daniel@iogearbox.net>,
David Ahern <dsa@cumulusnetworks.com>, Tejun Heo <tj@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Thomas Graf <tgraf@suug.ch>, <netdev@vger.kernel.org>
Subject: Re: [PATCH net] bpf: expose netns inode to bpf programs
Date: Wed, 25 Jan 2017 22:23:26 -0800 [thread overview]
Message-ID: <588995DE.9040707@fb.com> (raw)
In-Reply-To: <87efzq8jbi.fsf@xmission.com>
On 1/25/17 9:46 PM, Eric W. Biederman wrote:
> Alexei Starovoitov <ast@fb.com> writes:
>
>> in cases where bpf programs are looking at sockets and packets
>> that belong to different netns, it could be useful to read netns inode,
>> so that programs can make intelligent decisions.
>> For example to disallow raw sockets in all non-init netns the program can do:
>> if (sk->type == SOCK_RAW && sk->netns_inum != 0xf0000075)
>> return 0;
>> where 0xf0000075 inode comes from /proc/pid/ns/net
>>
>> Similarly TC cls_bpf/act_bpf and socket filters can do
>> if (skb->netns_inum == expected_inode)
>
> Nacked-by: "Eric W. Biederman" <ebiederm@xmission.com>
I very much value your opinion, but your ack or nack doesn't apply here.
Exposing existing inode has nothing to do with what you maintain.
It's a bpf feature that is exposing already visible to user space id.
Period.
If I was proposing to expose some internal namespace id, then yes,
we'd need to have a discussion. ns.inum is already visible.
> Particularly you need to compare more than the inode number.
> Further I have never guaranteed there will be exactly one inode
> per network namespace, just that if the device number and the inode
> number pair match they are the same.
people already rely on inodes for _all_ namespaces.
The current implementation of
net_ns_net_init->..>ida_get_new is stuck the way it is.
We can change ids, generation algorithm, but uniqueness is
already assumed by user space.
> Beyond that the entire concept is complete rubbish.
care to explain what you think the 'entire concept' is?
> The only sane thing is to interpret whatever your bpf program in the
> context of the program which installs it.
that's impossible. The programs are operating in the context that
is disjoined from the app that installs it.
> If you can't do that you have a very broken piece of userspace
> interface. Which appears to be the case here.
Call it rubbish, but this is how it is.
cls_bpf is operating on packets. xdp_bpf is operating on raw dma buffers
and there we might need eventually lookup sockets and net namespaces.
Think of bpf programs as safe kernel modules. They don't have
confined boundaries and program authors, if not careful, can shoot
themselves in the foot. We're not trying to prevent that because
it's impossible to check that the program is sane. Just like
it's impossible to check that kernel module is sane.
But in case of bpf we check that bpf program is _safe_ from the kernel
point of view. If it's doing some garbage, it's program's business.
Does it make more sense now?
next prev parent reply other threads:[~2017-01-26 6:24 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-26 3:27 [PATCH net] bpf: expose netns inode to bpf programs Alexei Starovoitov
2017-01-26 5:46 ` Eric W. Biederman
2017-01-26 6:00 ` Ying Xue
2017-01-26 6:23 ` Alexei Starovoitov [this message]
2017-01-26 16:37 ` Andy Lutomirski
2017-01-26 17:46 ` Alexei Starovoitov
2017-01-26 18:12 ` Andy Lutomirski
2017-01-26 18:32 ` Alexei Starovoitov
2017-01-26 19:07 ` Andy Lutomirski
2017-01-26 19:25 ` Alexei Starovoitov
2017-02-03 4:33 ` Eric W. Biederman
2017-02-03 6:05 ` Alexei Starovoitov
2017-02-03 10:30 ` Eric W. Biederman
2017-02-03 21:00 ` Andy Lutomirski
2017-02-03 21:06 ` Eric W. Biederman
2017-02-03 23:08 ` Alexei Starovoitov
2017-02-04 17:07 ` Andy Lutomirski
2017-02-05 3:10 ` Alexei Starovoitov
2017-02-05 3:27 ` Andy Lutomirski
2017-02-05 3:48 ` Alexei Starovoitov
2017-02-05 3:54 ` Andy Lutomirski
2017-02-05 4:37 ` Alexei Starovoitov
2017-02-05 5:05 ` Andy Lutomirski
2017-02-07 1:43 ` Alexei Starovoitov
2017-01-31 18:02 ` David Miller
2017-01-31 22:11 ` David Ahern
2017-02-03 21:56 ` Daniel Borkmann
2017-02-03 23:06 ` Alexei Starovoitov
2017-02-03 23:42 ` Daniel Borkmann
2017-02-04 1:25 ` Alexei Starovoitov
2017-02-04 17:08 ` Andy Lutomirski
2017-02-05 3:18 ` Alexei Starovoitov
2017-02-05 3:22 ` Andy Lutomirski
2017-02-05 3:35 ` Alexei Starovoitov
2017-02-05 3:49 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=588995DE.9040707@fb.com \
--to=ast@fb.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsa@cumulusnetworks.com \
--cc=ebiederm@xmission.com \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=tgraf@suug.ch \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).