From: Martin KaFai Lau <kafai@fb.com>
To: Stanislav Fomichev <sdf@google.com>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, ast@kernel.org,
daniel@iogearbox.net, andrii@kernel.org
Subject: Re: [PATCH bpf-next v8 03/11] bpf: per-cgroup lsm flavor
Date: Tue, 7 Jun 2022 12:24:10 -0700 [thread overview]
Message-ID: <20220607192410.sjcorcve3xlvi7co@kafai-mbp> (raw)
In-Reply-To: <CAKH8qBu0XzFJjh0EZrhgO7SidpdVaszGMmf-DNKmqmf2sLACrw@mail.gmail.com>
On Mon, Jun 06, 2022 at 03:46:21PM -0700, Stanislav Fomichev wrote:
> > > +int bpf_trampoline_link_cgroup_shim(struct bpf_prog *prog,
> > > + struct bpf_attach_target_info *tgt_info,
> > > + int cgroup_atype)
> > > +{
> > > + struct bpf_shim_tramp_link *shim_link = NULL;
> > > + struct bpf_trampoline *tr;
> > > + bpf_func_t bpf_func;
> > > + u64 key;
> > > + int err;
> > > +
> > > + key = bpf_trampoline_compute_key(NULL, prog->aux->attach_btf,
> > > + prog->aux->attach_btf_id);
> > Directly get tgt_info here instead of doing it
> > in __cgroup_bpf_attach() and then passing in.
> > This is the only place needed it.
>
> Ack.
>
> > err = bpf_check_attach_target(NULL, prog, NULL,
> > prog->aux->attach_btf_id,
> > &tgt_info);
> > if (err)
> > return err;
> >
> > > +
> > > + bpf_lsm_find_cgroup_shim(prog, &bpf_func);
> > > + tr = bpf_trampoline_get(key, tgt_info);
> > > + if (!tr)
> > > + return -ENOMEM;
> > > +
> > > + mutex_lock(&tr->mutex);
> > > +
> > > + shim_link = cgroup_shim_find(tr, bpf_func);
> > > + if (shim_link) {
> > > + /* Reusing existing shim attached by the other program. */
> > > + atomic64_inc(&shim_link->link.link.refcnt);
> > Use bpf_link_inc() instead to pair with bpf_link_put().
>
> SG!
>
> > > + /* note, we're still holding tr refcnt from above */
> > It has to do a bpf_trampoline_put(tr) after mutex_unlock(&tr->mutex).
> > shim_link already holds one refcnt to tr.
>
> Right, since we are not doing that reuse anymore; will add a deref here.
>
>
>
>
> > > +
> > > + mutex_unlock(&tr->mutex);
> > > + return 0;
> > > + }
> > > +
> > > + /* Allocate and install new shim. */
> > > +
> > > + shim_link = cgroup_shim_alloc(prog, bpf_func, cgroup_atype);
> > > + if (!shim_link) {
> > > + err = -ENOMEM;
> > > + goto out;
> > > + }
> > > +
> > > + err = __bpf_trampoline_link_prog(&shim_link->link, tr);
> > > + if (err)
> > > + goto out;
> > > +
> > > + shim_link->trampoline = tr;
> > > + /* note, we're still holding tr refcnt from above */
> > > +
> > > + mutex_unlock(&tr->mutex);
> > > +
> > > + return 0;
> > > +out:
> > > + mutex_unlock(&tr->mutex);
> > > +
> > > + if (shim_link)
> > > + bpf_link_put(&shim_link->link.link);
> > > +
> > > + bpf_trampoline_put(tr); /* bpf_trampoline_get above */
> > Doing it here is because mutex_unlock(&tr->mutex) has
> > to be done first? A comment will be useful.
> >
> > How about passing tr to cgroup_shim_alloc(..., tr)
> > which is initializing everything else in shim_link anyway.
> > Then the 'if (!shim_link->trampoline)' in bpf_shim_tramp_link_release()
> > can go away also.
> > Like:
> >
> > static struct bpf_shim_tramp_link *cgroup_shim_alloc(const struct bpf_prog *prog,
> > bpf_func_t bpf_func,
> > struct bpf_trampoline *tr)
> >
> > {
> > /* ... */
> > shim_link->trampoline = tr;
>
> I believe this part has to happen after __bpf_trampoline_link_prog;
> otherwise bpf_shim_tramp_link_release might try to
> unlink_prog/bpf_trampoline_put on the shim that wan't fully linked?
Ah. You are correct. missed that.
Yeah, I don't see a better way out unless a separate shim_link cleanup
func is used during the error case. That may be overkill.
The current approach in the patch is better.
> > > @@ -10474,6 +10486,23 @@ static int check_return_code(struct bpf_verifier_env *env)
> > > case BPF_PROG_TYPE_SK_LOOKUP:
> > > range = tnum_range(SK_DROP, SK_PASS);
> > > break;
> > > +
> > > + case BPF_PROG_TYPE_LSM:
> > > + if (env->prog->expected_attach_type == BPF_LSM_CGROUP) {
> > > + if (!env->prog->aux->attach_func_proto->type) {
> > nit. Check 'if ( ... != BPF_LSM_CGROUP) return 0;' first to remove
> > one level of indentation.
>
> SG!
>
> > > + /* Make sure programs that attach to void
> > > + * hooks don't try to modify return value.
> > > + */
> > > + range = tnum_range(1, 1);
> > > + }
> > > + } else {
> > > + /* regular BPF_PROG_TYPE_LSM programs can return
> > > + * any value.
> > > + */
> > > + return 0;
> > > + }
> > > + break;
> > > +
> > > case BPF_PROG_TYPE_EXT:
> > > /* freplace program can return anything as its return value
> > > * depends on the to-be-replaced kernel func or bpf program.
> > > @@ -10490,6 +10519,8 @@ static int check_return_code(struct bpf_verifier_env *env)
> > >
> > > if (!tnum_in(range, reg->var_off)) {
> > > verbose_invalid_scalar(env, reg, &range, "program exit", "R0");
> > > + if (env->prog->expected_attach_type == BPF_LSM_CGROUP)
> > > + verbose(env, "BPF_LSM_CGROUP that attach to void LSM hooks can't modify return value!\n");
> > This is not accurate to verbose on void-return only.
> > For int-return lsm look, the BPF_LSM_CGROUP prog returning
> > neither 0 nor 1 will also trigger this range check failure.
>
> verbose_invalid_scalar will handle the case for int-returning ones?
>
> Maybe change that new verbose to "Note, BPF_LSM_CGROUP that attach to
> void LSM hooks can't modify return value!" ?
I was thinking only verbose_invalid_scalar is good enough.
Having the new 'void LSM hooks' message may confuse the lsm-hooks that
have an int ret type and the bpf prog returns -1.
If keeping this verbose, I think adding
'!attach_func_proto->type' check should be useful before
printing. No strong opinion here.
>
>
> > > return -EINVAL;
> > > }
> > >
> > > @@ -14713,6 +14744,7 @@ int bpf_check_attach_target(struct bpf_verifier_log *log,
> > > fallthrough;
> > > case BPF_MODIFY_RETURN:
> > > case BPF_LSM_MAC:
> > > + case BPF_LSM_CGROUP:
> > > case BPF_TRACE_FENTRY:
> > > case BPF_TRACE_FEXIT:
> > > if (!btf_type_is_func(t)) {
next prev parent reply other threads:[~2022-06-07 22:32 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-01 19:02 [PATCH bpf-next v8 00/11] bpf: cgroup_sock lsm flavor Stanislav Fomichev
2022-06-01 19:02 ` [PATCH bpf-next v8 01/11] bpf: add bpf_func_t and trampoline helpers Stanislav Fomichev
2022-06-01 19:02 ` [PATCH bpf-next v8 02/11] bpf: convert cgroup_bpf.progs to hlist Stanislav Fomichev
2022-06-01 19:02 ` [PATCH bpf-next v8 03/11] bpf: per-cgroup lsm flavor Stanislav Fomichev
2022-06-02 6:16 ` kernel test robot
2022-06-02 16:49 ` Stanislav Fomichev
2022-06-02 16:49 ` Stanislav Fomichev
2022-06-04 6:11 ` Martin KaFai Lau
2022-06-04 8:27 ` Martin KaFai Lau
2022-06-06 22:46 ` Stanislav Fomichev
2022-06-06 22:46 ` Stanislav Fomichev
2022-06-07 19:24 ` Martin KaFai Lau [this message]
2022-06-01 19:02 ` [PATCH bpf-next v8 04/11] bpf: minimize number of allocated lsm slots per program Stanislav Fomichev
2022-06-04 6:35 ` Martin KaFai Lau
2022-06-06 22:46 ` Stanislav Fomichev
2022-06-07 19:57 ` Martin KaFai Lau
2022-06-01 19:02 ` [PATCH bpf-next v8 05/11] bpf: implement BPF_PROG_QUERY for BPF_LSM_CGROUP Stanislav Fomichev
2022-06-04 6:59 ` Martin KaFai Lau
2022-06-04 8:05 ` Martin KaFai Lau
2022-06-06 22:46 ` Stanislav Fomichev
2022-06-07 20:44 ` Martin KaFai Lau
2022-06-01 19:02 ` [PATCH bpf-next v8 06/11] bpf: allow writing to a subset of sock fields from lsm progtype Stanislav Fomichev
2022-06-04 7:18 ` Martin KaFai Lau
2022-06-06 22:46 ` Stanislav Fomichev
2022-06-07 22:17 ` Martin KaFai Lau
2022-06-01 19:02 ` [PATCH bpf-next v8 07/11] libbpf: add lsm_cgoup_sock type Stanislav Fomichev
2022-06-03 21:30 ` Andrii Nakryiko
2022-06-01 19:02 ` [PATCH bpf-next v8 08/11] libbpf: implement bpf_prog_query_opts Stanislav Fomichev
2022-06-03 21:34 ` Andrii Nakryiko
2022-06-03 23:13 ` Stanislav Fomichev
2022-06-01 19:02 ` [PATCH bpf-next v8 09/11] bpftool: implement cgroup tree for BPF_LSM_CGROUP Stanislav Fomichev
2022-06-01 19:02 ` [PATCH bpf-next v8 10/11] selftests/bpf: lsm_cgroup functional test Stanislav Fomichev
2022-06-01 19:02 ` [PATCH bpf-next v8 11/11] selftests/bpf: verify lsm_cgroup struct sock access Stanislav Fomichev
2022-06-03 1:52 ` Martin KaFai Lau
2022-06-03 1:59 ` Stanislav Fomichev
2022-06-03 5:38 ` Martin KaFai Lau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220607192410.sjcorcve3xlvi7co@kafai-mbp \
--to=kafai@fb.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=netdev@vger.kernel.org \
--cc=sdf@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.