From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=h9J9=SO=vger.kernel.org=netdev-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0D9F8C10F13
	for <netdev@archiver.kernel.org>; Fri, 12 Apr 2019 00:21:24 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id B1A7E2084D
	for <netdev@archiver.kernel.org>; Fri, 12 Apr 2019 00:21:23 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=fb.com header.i=@fb.com header.b="CUAvsS12";
	dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.i=@fb.onmicrosoft.com header.b="IBiuHIsf"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727414AbfDLAVW (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Thu, 11 Apr 2019 20:21:22 -0400
Received: from mx0b-00082601.pphosted.com ([67.231.153.30]:48134 "EHLO
        mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726629AbfDLAVW (ORCPT
        <rfc822;netdev@vger.kernel.org>); Thu, 11 Apr 2019 20:21:22 -0400
Received: from pps.filterd (m0001255.ppops.net [127.0.0.1])
        by mx0b-00082601.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x3C0HPWc026757;
        Thu, 11 Apr 2019 17:21:01 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject
 : date : message-id : references : in-reply-to : content-type : content-id
 : content-transfer-encoding : mime-version; s=facebook;
 bh=KK39qgm9HTc8sHgLvH4ZSrhzzPHnye/yjmYuZ+XCIhc=;
 b=CUAvsS1292VBzRcibUTd5JonC2NVHp6XLR0YyzzCzV5KweOEE1PJW+DJpbfTNe2ID5OI
 Mkolraki7MFyYxNmHnVLtVa0z76Hc7g9X0XdoGDcnEbu7zUbFHyr3ok7t5SrtbHKSIYb
 A2F9+PqZc5c1nVR/EQ4x99zlBiG2cyG7LK8= 
Received: from mail.thefacebook.com (mailout.thefacebook.com [199.201.64.23])
        by mx0b-00082601.pphosted.com with ESMTP id 2rt8881k90-2
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);
        Thu, 11 Apr 2019 17:21:01 -0700
Received: from prn-mbx07.TheFacebook.com (2620:10d:c081:6::21) by
 prn-hub03.TheFacebook.com (2620:10d:c081:35::127) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
 15.1.1713.5; Thu, 11 Apr 2019 17:21:00 -0700
Received: from prn-hub02.TheFacebook.com (2620:10d:c081:35::126) by
 prn-mbx07.TheFacebook.com (2620:10d:c081:6::21) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
 15.1.1713.5; Thu, 11 Apr 2019 17:21:00 -0700
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (192.168.54.28)
 by o365-in.thefacebook.com (192.168.16.26) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1713.5
 via Frontend Transport; Thu, 11 Apr 2019 17:21:00 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com;
 s=selector1-fb-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=KK39qgm9HTc8sHgLvH4ZSrhzzPHnye/yjmYuZ+XCIhc=;
 b=IBiuHIsftKR7KsNqWrM61dUXyXi3K4TTj0yd6WoKqRh0jWtuOj0yR4ddRDm8HpmCUasNjphMO+3TgUUk4XIjJEFvyRwjCD7Cm6AJCv9E1IsLWZTDBWxoTP4CJTsq1R41foBj8sMMKojEjJkL2sIk9JKsNR7GwMS/pK4eYIOTn0g=
Received: from MN2PR15MB2656.namprd15.prod.outlook.com (20.179.146.26) by
 MN2PR15MB3248.namprd15.prod.outlook.com (20.179.20.157) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1771.16; Fri, 12 Apr 2019 00:20:59 +0000
Received: from MN2PR15MB2656.namprd15.prod.outlook.com
 ([fe80::a4fc:4858:3315:6fee]) by MN2PR15MB2656.namprd15.prod.outlook.com
 ([fe80::a4fc:4858:3315:6fee%2]) with mapi id 15.20.1771.021; Fri, 12 Apr 2019
 00:20:59 +0000
From:   Javier Honduvilla Coto <javierhonduco@fb.com>
To:     Daniel Borkmann <daniel@iogearbox.net>
CC:     "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        Yonghong Song <yhs@fb.com>, Kernel Team <Kernel-team@fb.com>
Subject: Re: [PATCH v5 bpf-next 1/3] bpf: add bpf_descendant_of helper
Thread-Topic: [PATCH v5 bpf-next 1/3] bpf: add bpf_descendant_of helper
Thread-Index: AQHU8LFy6b4K4PoOPky7vzW4aCVgK6Y3qcIA
Date:   Fri, 12 Apr 2019 00:20:58 +0000
Message-ID: <20190412002046.GA5106@fb.com>
References: <20190322223848.3338614-1-javierhonduco@fb.com>
 <20190410203631.1576576-1-javierhonduco@fb.com>
 <20190410203631.1576576-2-javierhonduco@fb.com>
 <d00b488c-ee1d-6150-937f-cbef97360c32@iogearbox.net>
In-Reply-To: <d00b488c-ee1d-6150-937f-cbef97360c32@iogearbox.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-clientproxiedby: PR1PR01CA0001.eurprd01.prod.exchangelabs.com
 (2603:10a6:102::14) To MN2PR15MB2656.namprd15.prod.outlook.com
 (2603:10b6:208:128::26)
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2620:10d:c092:180::1:7437]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 99f29eb5-1b39-4de0-a416-08d6bedcbc81
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020);SRVR:MN2PR15MB3248;
x-ms-traffictypediagnostic: MN2PR15MB3248:
x-microsoft-antispam-prvs: <MN2PR15MB3248DCF3A854CDBB7B91C2DEC6280@MN2PR15MB3248.namprd15.prod.outlook.com>
x-forefront-prvs: 0005B05917
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(136003)(376002)(396003)(39860400002)(366004)(346002)(199004)(189003)(5660300002)(14454004)(52116002)(14444005)(478600001)(6116002)(99286004)(68736007)(6512007)(5024004)(1076003)(53936002)(106356001)(256004)(86362001)(305945005)(71200400001)(97736004)(36756003)(71190400001)(6436002)(2906002)(105586002)(486006)(11346002)(76176011)(446003)(6916009)(102836004)(7736002)(386003)(6506007)(81166006)(53546011)(6486002)(8676002)(6246003)(2616005)(229853002)(46003)(476003)(186003)(54906003)(81156014)(25786009)(8936002)(4326008)(33656002)(316002)(93886005);DIR:OUT;SFP:1102;SCL:1;SRVR:MN2PR15MB3248;H:MN2PR15MB2656.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
received-spf: None (protection.outlook.com: fb.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: V0Uy+qaVbt7rqNZoXSryve+VXEEVs4Nys5x7zT017TzbdShOgUGb2TqDdLlBvmQ/xlGDZoPzIDoGE33yaaDGj+xVA+n35PDZ48TRdRy6oivwAzlzhamvPvu1/152cTc+dQ/Pr7cPS0lhplxkHW3WiVeGEiMXb+6wcuIwxlv/xA8zWJIknDqu9T49phOkYcsV0QQQvCKvopwIrp5ZgJa8e/a81vCVnZG7u9R0ypUXyWMgZj7Ivx4xGvcDtcL9ILN4jEgV7xxoMXzD8p+aEQj+yv5U9kPqWR51rbbCHzGMuIPnCPy8vmaQi4RgRYqfr3N3uEa9VACkK1kNsxfo+DeDh+u8GNhtWeiKQygnteDCN9YId9LBU0h2UFBYLTN1+M/tzE9b7llVwfWI987yXmxHJcq6aNaMjW0jqorMR1l5PBc=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <B88C70F5A0C10F47B488761F0D568186@namprd15.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 99f29eb5-1b39-4de0-a416-08d6bedcbc81
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Apr 2019 00:20:58.8702
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR15MB3248
X-OriginatorOrg: fb.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-04-12_01:,,
 signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

On Thu, Apr 11, 2019 at 11:55:58PM +0200, Daniel Borkmann wrote:
> On 04/10/2019 10:36 PM, Javier Honduvilla Coto wrote:
> > This patch adds the bpf_descendant_of helper which accepts a PID and
> > returns 1 if the PID of the process currently being executed is a
> > descendant of it or if it's itself. Returns 0 otherwise.
> >
> > This is very useful in tracing programs when we want to filter by a
> > given PID and all the children it might spawn. The current workarounds
> > most people implement for this purpose have issues:
> >
> > - Attaching to process spawning syscalls and dynamically add those PIDs
> >   to some bpf map that would be used to filter is cumbersome and
> > potentially racy.
> > - Unrolling some loop to perform what this helper is doing consumes lot=
s
> >   of instructions. That and the impossibility to jump backwards makes i=
t
> > really hard to be correct in really large process chains.
> >
> > Signed-off-by: Javier Honduvilla Coto <javierhonduco@fb.com>
> > ---
> >  include/linux/bpf.h      |  1 +
> >  include/uapi/linux/bpf.h | 10 +++++++++-
> >  kernel/bpf/core.c        |  1 +
> >  kernel/bpf/helpers.c     | 27 +++++++++++++++++++++++++++
> >  kernel/trace/bpf_trace.c |  2 ++
> >  5 files changed, 40 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> > index 65f7094c40b4..0539999f07f3 100644
> > --- a/include/linux/bpf.h
> > +++ b/include/linux/bpf.h
> > @@ -967,6 +967,7 @@ extern const struct bpf_func_proto bpf_sk_redirect_=
map_proto;
> >  extern const struct bpf_func_proto bpf_spin_lock_proto;
> >  extern const struct bpf_func_proto bpf_spin_unlock_proto;
> >  extern const struct bpf_func_proto bpf_get_local_storage_proto;
> > +extern const struct bpf_func_proto bpf_descendant_of_proto;
> >
> >  /* Shared helpers among cBPF and eBPF. */
> >  void bpf_user_rnd_init_once(void);
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index af1cbd951f26..f707b286c21d 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -2493,6 +2493,13 @@ union bpf_attr {
> >   * 	Return
> >   * 		0 if iph and th are a valid SYN cookie ACK, or a negative error
> >   * 		otherwise.
> > + * int bpf_descendant_of(pid_t pid)
>
> Small nit: Looks good to go, but please add a newline before the new help=
er
> description like all the rest in there.

Thanks!

>
> > + *	Description
> > + *		This helper is useful in programs that want to filter events
> > + *		happening to a pid or to any of its descendants.
>
> One more thing that would be helpful is to add a short description here t=
hat
> this helper can be used in combination with bpf_get_current_pid_tgid(), a=
nd
> that pid here is representation from init pid namespace if I grok it corr=
ectly.

What use case do you have in mind for bpf_get_current_pid_tgid() +
bpf_descendant_of()? Most of the cases the former won't be necessary as
the latter is alredy fetching the pid of the process in the current
context, but maybe I'm missing something! :)

Not sure about the last part, sorry, are you referring that we should
maybe mention that the descendant check is performed within a pid namespace
and does not cross pid namespaces?

>
> > + *	Return
> > + *		1 if the passed pid is an ancestor of the currently executing
> > + *		process' pid or equal to it.
> >   */
> >  #define __BPF_FUNC_MAPPER(FN)		\
> >  	FN(unspec),			\
> > @@ -2595,7 +2602,8 @@ union bpf_attr {
> >  	FN(skb_ecn_set_ce),		\
> >  	FN(get_listener_sock),		\
> >  	FN(skc_lookup_tcp),		\
> > -	FN(tcp_check_syncookie),
> > +	FN(tcp_check_syncookie),	\
> > +	FN(descendant_of),
> >
> >  /* integer value in 'imm' field of BPF_CALL instruction selects which =
helper
> >   * function eBPF program intends to call
> > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> > index ace8c22c8b0e..df93d7157657 100644
> > --- a/kernel/bpf/core.c
> > +++ b/kernel/bpf/core.c
> > @@ -2046,6 +2046,7 @@ const struct bpf_func_proto bpf_get_current_uid_g=
id_proto __weak;
> >  const struct bpf_func_proto bpf_get_current_comm_proto __weak;
> >  const struct bpf_func_proto bpf_get_current_cgroup_id_proto __weak;
> >  const struct bpf_func_proto bpf_get_local_storage_proto __weak;
> > +const struct bpf_func_proto bpf_descendant_of_proto __weak;
> >
> >  const struct bpf_func_proto * __weak bpf_get_trace_printk_proto(void)
> >  {
> > diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> > index a411fc17d265..d04186c69042 100644
> > --- a/kernel/bpf/helpers.c
> > +++ b/kernel/bpf/helpers.c
> > @@ -18,6 +18,7 @@
> >  #include <linux/sched.h>
> >  #include <linux/uidgid.h>
> >  #include <linux/filter.h>
> > +#include <linux/init_task.h>
> >
> >  /* If kernel subsystem is allowing eBPF programs to call this function=
,
> >   * inside its own verifier_ops->get_func_proto() callback it should re=
turn
> > @@ -364,3 +365,29 @@ const struct bpf_func_proto bpf_get_local_storage_=
proto =3D {
> >  };
> >  #endif
> >  #endif
> > +
> > +BPF_CALL_1(bpf_descendant_of, pid_t, pid)
> > +{
> > +	int result =3D 0;
> > +	struct task_struct *task =3D current;
> > +
> > +	if (pid =3D=3D 0)
> > +		return 1;
> > +
> > +	while (task !=3D &init_task) {
> > +		if (task->pid =3D=3D pid) {
> > +			result =3D 1;
> > +			break;
> > +		}
> > +		task =3D rcu_dereference(task->real_parent);
> > +	}
> > +
> > +	return result;
> > +}
> > +
> > +const struct bpf_func_proto bpf_descendant_of_proto =3D {
> > +	.func		=3D bpf_descendant_of,
> > +	.gpl_only	=3D false,
> > +	.ret_type	=3D RET_INTEGER,
> > +	.arg1_type	=3D ARG_ANYTHING,
> > +};
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > index d64c00afceb5..0968e38a2aae 100644
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
> > @@ -599,6 +599,8 @@ tracing_func_proto(enum bpf_func_id func_id, const =
struct bpf_prog *prog)
> >  		return &bpf_get_prandom_u32_proto;
> >  	case BPF_FUNC_probe_read_str:
> >  		return &bpf_probe_read_str_proto;
> > +	case BPF_FUNC_descendant_of:
> > +		return &bpf_descendant_of_proto;
> >  #ifdef CONFIG_CGROUPS
> >  	case BPF_FUNC_get_current_cgroup_id:
> >  		return &bpf_get_current_cgroup_id_proto;
> >
>