* [PATCH bpf-next v3 0/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT
@ 2021-08-13 23:05 Stanislav Fomichev
2021-08-13 23:05 ` [PATCH bpf-next v3 1/2] " Stanislav Fomichev
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Stanislav Fomichev @ 2021-08-13 23:05 UTC (permalink / raw)
To: netdev, bpf; +Cc: ast, daniel, andrii, Stanislav Fomichev
We'd like to be able to identify netns from setsockopt hooks
to be able to do the enforcement of some options only in the
"initial" netns (to give users the ability to create clear/isolated
sandboxes if needed without any enforcement by doing unshare(net)).
v3:
- remove extra 'ctx->skb == NULL' check (Martin KaFai Lau)
- rework test to make sure the helper is really called, not just
verified
v2:
- add missing CONFIG_NET
Stanislav Fomichev (2):
bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT
selftests/bpf: verify bpf_get_netns_cookie in
BPF_PROG_TYPE_CGROUP_SOCKOPT
kernel/bpf/cgroup.c | 18 ++++++++++++++++++
tools/testing/selftests/bpf/progs/sockopt_sk.c | 16 ++++++++++++++++
2 files changed, 34 insertions(+)
--
2.33.0.rc1.237.g0d66db33f3-goog
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH bpf-next v3 1/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT
2021-08-13 23:05 [PATCH bpf-next v3 0/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT Stanislav Fomichev
@ 2021-08-13 23:05 ` Stanislav Fomichev
2021-08-13 23:05 ` [PATCH bpf-next v3 2/2] selftests/bpf: verify " Stanislav Fomichev
2021-08-13 23:27 ` [PATCH bpf-next v3 0/2] bpf: Allow " Martin KaFai Lau
2 siblings, 0 replies; 4+ messages in thread
From: Stanislav Fomichev @ 2021-08-13 23:05 UTC (permalink / raw)
To: netdev, bpf; +Cc: ast, daniel, andrii, Stanislav Fomichev, Martin KaFai Lau
This is similar to existing BPF_PROG_TYPE_CGROUP_SOCK
and BPF_PROG_TYPE_CGROUP_SOCK_ADDR.
Cc: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Stanislav Fomichev <sdf@google.com>
---
kernel/bpf/cgroup.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index b567ca46555c..9f6070369caa 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1846,11 +1846,29 @@ const struct bpf_verifier_ops cg_sysctl_verifier_ops = {
const struct bpf_prog_ops cg_sysctl_prog_ops = {
};
+#ifdef CONFIG_NET
+BPF_CALL_1(bpf_get_netns_cookie_sockopt, struct bpf_sockopt_kern *, ctx)
+{
+ const struct net *net = ctx ? sock_net(ctx->sk) : &init_net;
+
+ return net->net_cookie;
+}
+
+static const struct bpf_func_proto bpf_get_netns_cookie_sockopt_proto = {
+ .func = bpf_get_netns_cookie_sockopt,
+ .gpl_only = false,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_CTX_OR_NULL,
+};
+#endif
+
static const struct bpf_func_proto *
cg_sockopt_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
{
switch (func_id) {
#ifdef CONFIG_NET
+ case BPF_FUNC_get_netns_cookie:
+ return &bpf_get_netns_cookie_sockopt_proto;
case BPF_FUNC_sk_storage_get:
return &bpf_sk_storage_get_proto;
case BPF_FUNC_sk_storage_delete:
--
2.33.0.rc1.237.g0d66db33f3-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH bpf-next v3 2/2] selftests/bpf: verify bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT
2021-08-13 23:05 [PATCH bpf-next v3 0/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT Stanislav Fomichev
2021-08-13 23:05 ` [PATCH bpf-next v3 1/2] " Stanislav Fomichev
@ 2021-08-13 23:05 ` Stanislav Fomichev
2021-08-13 23:27 ` [PATCH bpf-next v3 0/2] bpf: Allow " Martin KaFai Lau
2 siblings, 0 replies; 4+ messages in thread
From: Stanislav Fomichev @ 2021-08-13 23:05 UTC (permalink / raw)
To: netdev, bpf; +Cc: ast, daniel, andrii, Stanislav Fomichev
Add extra calls to sockopt_sk.c.
Signed-off-by: Stanislav Fomichev <sdf@google.com>
---
tools/testing/selftests/bpf/progs/sockopt_sk.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/sockopt_sk.c b/tools/testing/selftests/bpf/progs/sockopt_sk.c
index 8acdb99b5959..79c8139b63b8 100644
--- a/tools/testing/selftests/bpf/progs/sockopt_sk.c
+++ b/tools/testing/selftests/bpf/progs/sockopt_sk.c
@@ -33,6 +33,14 @@ int _getsockopt(struct bpf_sockopt *ctx)
__u8 *optval = ctx->optval;
struct sockopt_sk *storage;
+ /* Make sure bpf_get_netns_cookie is callable.
+ */
+ if (bpf_get_netns_cookie(NULL) == 0)
+ return 0;
+
+ if (bpf_get_netns_cookie(ctx) == 0)
+ return 0;
+
if (ctx->level == SOL_IP && ctx->optname == IP_TOS) {
/* Not interested in SOL_IP:IP_TOS;
* let next BPF program in the cgroup chain or kernel
@@ -123,6 +131,14 @@ int _setsockopt(struct bpf_sockopt *ctx)
__u8 *optval = ctx->optval;
struct sockopt_sk *storage;
+ /* Make sure bpf_get_netns_cookie is callable.
+ */
+ if (bpf_get_netns_cookie(NULL) == 0)
+ return 0;
+
+ if (bpf_get_netns_cookie(ctx) == 0)
+ return 0;
+
if (ctx->level == SOL_IP && ctx->optname == IP_TOS) {
/* Not interested in SOL_IP:IP_TOS;
* let next BPF program in the cgroup chain or kernel
--
2.33.0.rc1.237.g0d66db33f3-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH bpf-next v3 0/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT
2021-08-13 23:05 [PATCH bpf-next v3 0/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT Stanislav Fomichev
2021-08-13 23:05 ` [PATCH bpf-next v3 1/2] " Stanislav Fomichev
2021-08-13 23:05 ` [PATCH bpf-next v3 2/2] selftests/bpf: verify " Stanislav Fomichev
@ 2021-08-13 23:27 ` Martin KaFai Lau
2 siblings, 0 replies; 4+ messages in thread
From: Martin KaFai Lau @ 2021-08-13 23:27 UTC (permalink / raw)
To: Stanislav Fomichev; +Cc: netdev, bpf, ast, daniel, andrii
On Fri, Aug 13, 2021 at 04:05:28PM -0700, Stanislav Fomichev wrote:
> We'd like to be able to identify netns from setsockopt hooks
> to be able to do the enforcement of some options only in the
> "initial" netns (to give users the ability to create clear/isolated
> sandboxes if needed without any enforcement by doing unshare(net)).
>
> v3:
> - remove extra 'ctx->skb == NULL' check (Martin KaFai Lau)
> - rework test to make sure the helper is really called, not just
> verified
Acked-by: Martin KaFai Lau <kafai@fb.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-08-13 23:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-13 23:05 [PATCH bpf-next v3 0/2] bpf: Allow bpf_get_netns_cookie in BPF_PROG_TYPE_CGROUP_SOCKOPT Stanislav Fomichev
2021-08-13 23:05 ` [PATCH bpf-next v3 1/2] " Stanislav Fomichev
2021-08-13 23:05 ` [PATCH bpf-next v3 2/2] selftests/bpf: verify " Stanislav Fomichev
2021-08-13 23:27 ` [PATCH bpf-next v3 0/2] bpf: Allow " Martin KaFai Lau
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.