From: YiFei Zhu <zhuyifei@google.com>
To: bpf@vger.kernel.org
Cc: Stanislav Fomichev <sdf@google.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>, Song Liu <song@kernel.org>,
YiFei Zhu <zhuyifei@google.com>
Subject: [PATCH v2 bpf-next 0/5] bpf: allow cgroup progs to export custom retval to userspace
Date: Thu, 16 Dec 2021 02:04:24 +0000
Message-ID: <cover.1639619851.git.zhuyifei@google.com>
Right now, most cgroup hooks are best used for permission checks. They
can only reject a syscall with -EPERM, so the cause of a rejection, if
rejected by eBPF cgroup hooks, is ambiguous to userspace.
Additionally, if the syscalls are implemented in eBPF, all permission
checks and the implementation have to happen within the same filter,
as programs executed later in the series of progs are unaware of the
return values returned by the previous progs.

This patch series adds two helpers, bpf_get_retval and bpf_set_retval,
that allow hooks to get/set the return value of the syscall to userspace.
This also allows later progs to retrieve the retval set by previous progs.
For legacy programs that reject a syscall without setting the retval,
for backwards compatibility, if a prog rejects without itself or a
prior prog setting retval to an -err, the retval is set by the kernel
to -EPERM.

For getsockopt hooks that have ctx->retval, this variable mirrors
that accessed by the helpers.

Additionally, the following user-visible behavior for getsockopt
hooks has changed:
- If a prior filter rejected the syscall, it will be visible
  in ctx->retval.
- Attempting to change the retval arbitrarily is now allowed and
  will not cause an -EFAULT.
- If the kernel rejects a getsockopt syscall before running the hooks,
  the error will be visible in ctx->retval. Returning 0 from the
  prog will not overwrite the error to -EPERM unless there is an
  explicit call of bpf_set_retval(-EPERM).

Tests have been added in this series to test the behavior of the helpers
with cgroup setsockopt/getsockopt hooks.

Patch 1 changes the API of macros to prepare for the next patch and
should be a no-op.
Patch 2 moves ctx->retval to a struct pointed to by the current
task_struct.
Patch 3 implements the helpers.
Patch 4 tests the behaviors of the helpers.
Patch 5 updates a test after the test broke due to the visible changes.

v1 -> v2:
- errno -> retval
- split one helper to get & set helpers
- allow retval to be set arbitrarily in the general case
- made the helper retval and context retval mirror each other
YiFei Zhu (5):
bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean
bpf: Move getsockopt retval to struct bpf_cg_run_ctx
bpf: Add cgroup helpers bpf_{get,set}_retval to get/set syscall return
value
selftests/bpf: Test bpf_{get,set}_retval behavior with cgroup/sockopt
selftests/bpf: Update sockopt_sk test to the use bpf_set_retval
include/linux/bpf.h | 34 +-
include/linux/filter.h | 5 +-
include/uapi/linux/bpf.h | 18 +
kernel/bpf/cgroup.c | 149 ++++--
security/device_cgroup.c | 2 +-
tools/include/uapi/linux/bpf.h | 18 +
.../bpf/prog_tests/cgroup_getset_retval.c | 481 ++++++++++++++++++
.../selftests/bpf/prog_tests/sockopt_sk.c | 2 +-
.../progs/cgroup_getset_retval_getsockopt.c | 45 ++
.../progs/cgroup_getset_retval_setsockopt.c | 52 ++
.../testing/selftests/bpf/progs/sockopt_sk.c | 32 +-
11 files changed, 750 insertions(+), 88 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/cgroup_getset_retval.c
create mode 100644 tools/testing/selftests/bpf/progs/cgroup_getset_retval_getsockopt.c
create mode 100644 tools/testing/selftests/bpf/progs/cgroup_getset_retval_setsockopt.c
--
2.34.1.173.g76aa8bc2d0-goog
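The retval semantics described in the cover letter (every prog in the array runs, later progs see what earlier ones set, a bare reject with no -err already set becomes -EPERM, and a pre-existing kernel error survives a reject) as a host-side C model. This is an added illustration, not code from the series or the kernel: `cg_run_ctx`, `run_prog_array` and the sample hooks are constructed stand-ins for struct bpf_cg_run_ctx, BPF_PROG_RUN_ARRAY and attached cgroup programs, and the two helpers are plain functions here rather than BPF helpers.

```c
/* Constructed model of the cgroup prog-array retval semantics from the
 * cover letter. Not kernel code: names mirror the series for readability. */
#include <errno.h>
#include <stddef.h>

struct cg_run_ctx { int retval; };   /* stand-in for struct bpf_cg_run_ctx */
static struct cg_run_ctx *cur;       /* stand-in for current->bpf_ctx */

/* Stand-ins for the bpf_get_retval / bpf_set_retval helpers. */
static int bpf_get_retval(void) { return cur->retval; }
static int bpf_set_retval(int retval) { cur->retval = retval; return 0; }

typedef int (*cg_prog)(void);   /* returns 1 = allow, 0 = reject */

/* Models BPF_PROG_RUN_ARRAY after patch 1: all progs run in order and the
 * result is the -err in the run ctx (or the kernel's pre-existing error),
 * not an allow boolean. */
static int run_prog_array(const cg_prog *progs, size_t n, int initial_retval)
{
    struct cg_run_ctx ctx = { .retval = initial_retval };
    cur = &ctx;
    for (size_t i = 0; i < n; i++) {
        int allow = progs[i]();
        /* Legacy compat: a reject with no -err set yet becomes -EPERM.
         * An -err already present (set by a prog or the kernel) is kept. */
        if (!allow && ctx.retval >= 0)
            ctx.retval = -EPERM;
    }
    cur = NULL;
    return ctx.retval;
}

/* Sample hooks (constructed). */
static int legacy_deny(void)      { return 0; }                          /* old-style reject */
static int deny_with_eacces(void) { bpf_set_retval(-EACCES); return 0; } /* custom errno */
static int allow_all(void)        { return 1; }
static int seen_retval;           /* what a later prog observed */
static int observe(void)          { seen_retval = bpf_get_retval(); return 1; }

/* Scenarios; each returns what userspace would get back from the syscall. */
int demo_legacy(void)     { cg_prog p[] = { legacy_deny, observe };      return run_prog_array(p, 2, 0); }
int demo_custom(void)     { cg_prog p[] = { deny_with_eacces, observe }; return run_prog_array(p, 2, 0); }
int demo_kernel_err(void) { cg_prog p[] = { legacy_deny };               return run_prog_array(p, 1, -ENOPROTOOPT); }
int demo_allow(void)      { cg_prog p[] = { allow_all, observe };        return run_prog_array(p, 2, 0); }
int last_seen_retval(void) { return seen_retval; }
```

`demo_kernel_err` is the getsockopt case from the cover letter: the kernel's own error reaches the hooks in retval and a plain reject does not turn it into -EPERM.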
Thread overview: 7+ messages
2021-12-16 2:04 YiFei Zhu [this message]
2021-12-16 2:04 ` [PATCH v2 bpf-next 1/5] bpf: Make BPF_PROG_RUN_ARRAY return -err instead of allow boolean YiFei Zhu
2021-12-16 2:04 ` [PATCH v2 bpf-next 2/5] bpf: Move getsockopt retval to struct bpf_cg_run_ctx YiFei Zhu
2021-12-16 2:04 ` [PATCH v2 bpf-next 3/5] bpf: Add cgroup helpers bpf_{get,set}_retval to get/set syscall return value YiFei Zhu
2021-12-16 2:04 ` [PATCH v2 bpf-next 4/5] selftests/bpf: Test bpf_{get,set}_retval behavior with cgroup/sockopt YiFei Zhu
2021-12-16 2:04 ` [PATCH v2 bpf-next 5/5] selftests/bpf: Update sockopt_sk test to the use bpf_set_retval YiFei Zhu
2021-12-21 23:13 ` Andrii Nakryiko