From: Yonghong Song <yonghong.song@linux.dev>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Jakub Sitnicki <jakub@cloudflare.com>,
John Fastabend <john.fastabend@gmail.com>,
kernel-team@fb.com, Martin KaFai Lau <martin.lau@kernel.org>
Subject: Re: [PATCH bpf-next v2 1/6] bpf: Add bpf_link support for sk_msg and sk_skb progs
Date: Fri, 22 Mar 2024 12:17:52 -0700 [thread overview]
Message-ID: <7d6eba04-d70d-4467-9c65-065774b29012@linux.dev> (raw)
In-Reply-To: <CAEf4BzZxD3xQ_3x_576OuvM2pueki=h19b1eyX5i1cqZtWNA4g@mail.gmail.com>
On 3/22/24 11:45 AM, Andrii Nakryiko wrote:
> On Tue, Mar 19, 2024 at 10:54 AM Yonghong Song <yonghong.song@linux.dev> wrote:
>> Add bpf_link support for sk_msg and sk_skb programs. We have an
>> internal request to support bpf_link for sk_msg programs so user
>> space can have a uniform handling with bpf_link based libbpf
>> APIs. Using bpf_link based libbpf API also has a benefit which
>> makes system robust by decoupling prog life cycle and
>> attachment life cycle.
>>
>> Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
>> ---
>> include/linux/bpf.h | 13 +++
>> include/uapi/linux/bpf.h | 10 ++
>> kernel/bpf/syscall.c | 4 +
>> net/core/skmsg.c | 164 +++++++++++++++++++++++++++++++++
>> net/core/sock_map.c | 6 +-
>> tools/include/uapi/linux/bpf.h | 10 ++
>> 6 files changed, 203 insertions(+), 4 deletions(-)
>>
> [...]
>
>> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
>> index 3c42b9f1bada..c5506cfca4f8 100644
>> --- a/include/uapi/linux/bpf.h
>> +++ b/include/uapi/linux/bpf.h
>> @@ -1135,6 +1135,8 @@ enum bpf_link_type {
>> BPF_LINK_TYPE_TCX = 11,
>> BPF_LINK_TYPE_UPROBE_MULTI = 12,
>> BPF_LINK_TYPE_NETKIT = 13,
>> + BPF_LINK_TYPE_SK_MSG = 14,
>> + BPF_LINK_TYPE_SK_SKB = 15,
> they are both "sockmap attachments", so maybe we should just have
> something like BPF_LINK_TYPE_SOCKMAP ?
Yes, we could do this. Basically it represents all programs
which can be attached to sockmap.
>
>> __MAX_BPF_LINK_TYPE,
>> };
>>
>> @@ -6718,6 +6720,14 @@ struct bpf_link_info {
>> __u32 ifindex;
>> __u32 attach_type;
>> } netkit;
>> + struct {
>> + __u32 map_id;
>> + __u32 attach_type;
>> + } skmsg;
>> + struct {
>> + __u32 map_id;
>> + __u32 attach_type;
>> + } skskb;
> and then this would be also just one struct, instead of two identical
> ones duplicated
Right, we could do one with name 'sockmap'.
>
>> };
>> } __attribute__((aligned(8)));
>>
>> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
>> index ae2ff73bde7e..3d13eec5a30d 100644
>> --- a/kernel/bpf/syscall.c
>> +++ b/kernel/bpf/syscall.c
>> @@ -5213,6 +5213,10 @@ static int link_create(union bpf_attr *attr, bpfptr_t uattr)
>> case BPF_PROG_TYPE_SK_LOOKUP:
>> ret = netns_bpf_link_create(attr, prog);
>> break;
>> + case BPF_PROG_TYPE_SK_MSG:
>> + case BPF_PROG_TYPE_SK_SKB:
>> + ret = bpf_sk_msg_skb_link_create(attr, prog);
>> + break;
>> #ifdef CONFIG_NET
>> case BPF_PROG_TYPE_XDP:
>> ret = bpf_xdp_link_attach(attr, prog);
>> diff --git a/net/core/skmsg.c b/net/core/skmsg.c
>> index 4d75ef9d24bf..1aa900ad54d7 100644
>> --- a/net/core/skmsg.c
>> +++ b/net/core/skmsg.c
>> @@ -1256,3 +1256,167 @@ void sk_psock_stop_verdict(struct sock *sk, struct sk_psock *psock)
>> sk->sk_data_ready = psock->saved_data_ready;
>> psock->saved_data_ready = NULL;
>> }
>> +
>> +struct bpf_sk_msg_skb_link {
>> + struct bpf_link link;
>> + struct bpf_map *map;
>> + enum bpf_attach_type attach_type;
>> +};
>> +
>> +static DEFINE_MUTEX(link_mutex);
> maybe more specific name, sockmap_link_mutex? link_mutex sounds very generic
Good idea.
>
>> +
>> +static struct bpf_sk_msg_skb_link *bpf_sk_msg_skb_link(const struct bpf_link *link)
>> +{
>> + return container_of(link, struct bpf_sk_msg_skb_link, link);
>> +}
>> +
> [...]
>
>> + attach_type = attr->link_create.attach_type;
>> + bpf_link_init(&sk_link->link, link_type, &bpf_sk_msg_skb_link_ops, prog);
>> + sk_link->map = map;
>> + sk_link->attach_type = attach_type;
>> +
>> + ret = bpf_link_prime(&sk_link->link, &link_primer);
>> + if (ret) {
>> + kfree(sk_link);
>> + goto out;
>> + }
>> +
>> + ret = sock_map_prog_update(map, prog, NULL, attach_type);
> Does anything prevent someone else do to remove this program from
> user-space, bypassing the link? It's a guarantee of a link that
> attachment won't be tampered with (except for SYS_ADMIN-only
> force-detachment, which is a completely separate thing).
>
> It feels like there should be some sort of protection for programs
> attached through sockmap link here. Just like we have this for XDP,
> for example, or any of cgroup BPF programs attached through BPF link.
Good point. I have a 'bpf_prog_inc(prog)' below, I could do a refcount increase
before sock_map_prog_update(), we then should be okay.
>
>> + if (ret) {
>> + bpf_link_cleanup(&link_primer);
>> + goto out;
>> + }
>> +
>> + bpf_prog_inc(prog);
>> +
>> + return bpf_link_settle(&link_primer);
>> +
>> +out:
>> + bpf_map_put_with_uref(map);
>> + return ret;
>> +}
> [...]
next prev parent reply other threads:[~2024-03-22 19:18 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-19 17:54 [PATCH bpf-next v2 0/6] bpf: Add bpf_link support for sk_msg and sk_skb progs Yonghong Song
2024-03-19 17:54 ` [PATCH bpf-next v2 1/6] " Yonghong Song
2024-03-21 8:02 ` kernel test robot
2024-03-21 20:33 ` kernel test robot
2024-03-21 21:25 ` kernel test robot
2024-03-22 18:45 ` Andrii Nakryiko
2024-03-22 19:17 ` Yonghong Song [this message]
2024-03-22 20:16 ` Andrii Nakryiko
2024-03-22 21:33 ` Yonghong Song
2024-03-22 21:35 ` Andrii Nakryiko
2024-03-19 17:54 ` [PATCH bpf-next v2 2/6] libbpf: Add new sec_def "sk_skb/verdict" Yonghong Song
2024-03-22 18:47 ` Andrii Nakryiko
2024-03-22 19:19 ` Yonghong Song
2024-03-19 17:54 ` [PATCH bpf-next v2 3/6] libbpf: Add bpf_link support for BPF_PROG_TYPE_SK_{MSG,SKB} Yonghong Song
2024-03-22 18:48 ` Andrii Nakryiko
2024-03-22 19:23 ` Yonghong Song
2024-03-19 17:54 ` [PATCH bpf-next v2 4/6] bpftool: Add link dump support for BPF_LINK_TYPE_SK_{MSG,SKB} Yonghong Song
2024-03-20 17:11 ` Quentin Monnet
2024-03-19 17:54 ` [PATCH bpf-next v2 5/6] selftests/bpf: Refactor out helper functions for a few tests Yonghong Song
2024-03-19 17:54 ` [PATCH bpf-next v2 6/6] selftests/bpf: Add some tests with new bpf_program__attach_sk_{msg,skb}() APIs Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7d6eba04-d70d-4467-9c65-065774b29012@linux.dev \
--to=yonghong.song@linux.dev \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=jakub@cloudflare.com \
--cc=john.fastabend@gmail.com \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.