From: Yonghong Song <yhs@fb.com>
To: Al Viro <viro@zeniv.linux.org.uk>, Carlos Neira <cneirabustos@gmail.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"ebiederm@xmission.com" <ebiederm@xmission.com>,
"brouer@redhat.com" <brouer@redhat.com>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>
Subject: Re: [PATCH bpf-next v10 2/4] bpf: new helper to obtain namespace data from current task New bpf helper bpf_get_current_pidns_info.
Date: Fri, 6 Sep 2019 23:21:14 +0000
Message-ID: <c0e67fc7-be66-c4c6-6aad-316cbba18757@fb.com>
In-Reply-To: <20190906160020.GX1131@ZenIV.linux.org.uk>
On 9/6/19 9:00 AM, Al Viro wrote:
> On Fri, Sep 06, 2019 at 04:46:47PM +0100, Al Viro wrote:
>
>>> Where do I begin?
>>> * getname_kernel() is there for purpose
>>> * so's kern_path(), damnit
>>
>> Oh, and filename_lookup() *CAN* sleep, obviously. So that
>> GFP_ATOMIC above is completely pointless.
>>
>>>> +
>>>> + inode = d_backing_inode(kp.dentry);
>>>> + pidns_info->dev = (u32)inode->i_rdev;
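Review bot: `pidns_info->dev = (u32)inode->i_rdev;` stores the device number that a device-node inode stands for, not the device the inode lives on, so for the /proc/self/ns/pid symlink (which is not a device node) it is always zero. If the intent is the device of the filesystem holding the namespace inode, the field to read is `inode->i_sb->s_dev`, and the lookup must follow the symlink; as written it does not, so even `s_dev` would describe the filesystem /proc/self/ns resides on rather than the namespace file's own filesystem.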
>
> In the original variant of patchset it used to be ->i_sb->s_dev,
> which is also bloody strange - you are not asking filename_lookup()
> to follow symlinks, so you'd get that of whatever filesystem
> /proc/self/ns resides on.
>
> ->i_rdev use makes no sense whatsoever - it's a symlink and
> neither it nor its target are device nodes; ->i_rdev will be
> left zero for both.
>
> What data are you really trying to get there?
Let me explain a little bit of background here.
The ultimate goal is for the bpf program to filter over
(pid_namespace, tgid/pid inside pid_namespace)
so bpf based tools can run inside the container.
Typically, the pid namespace is achieved by looking at
/proc/self/ns/pid:
-bash-4.4$ lsns
NS TYPE NPROCS PID USER COMMAND
4026531835 cgroup 44 8261 yhs /usr/lib/systemd/systemd --user
4026531836 pid 44 8261 yhs /usr/lib/systemd/systemd --user
4026531837 user 44 8261 yhs /usr/lib/systemd/systemd --user
4026531838 uts 44 8261 yhs /usr/lib/systemd/systemd --user
4026531839 ipc 44 8261 yhs /usr/lib/systemd/systemd --user
4026531840 mnt 44 8261 yhs /usr/lib/systemd/systemd --user
4026532008 net 44 8261 yhs /usr/lib/systemd/systemd --user
-bash-4.4$ readlink /proc/self/ns/pid
pid:[4026531836]
-bash-4.4$ stat /proc/self/ns/pid
File: ‘/proc/self/ns/pid’ -> ‘pid:[4026531836]’
Size: 0 Blocks: 0 IO Block: 1024 symbolic link
Device: 4h/4d Inode: 344795989 Links: 1
Access: (0777/lrwxrwxrwx) Uid: (128203/ yhs) Gid: ( 100/ users)
Context: user_u:base_r:base_t
Access: 2019-09-06 16:06:09.431616380 -0700
Modify: 2019-09-06 16:06:09.431616380 -0700
Change: 2019-09-06 16:06:09.431616380 -0700
Birth: -
-bash-4.4$
Based on a discussion with Eric Biederman at the 2019 Linux
Plumbers, Eric suggested that to uniquely identify a
namespace, the device id (major/minor) number should also
be included. Although today's kernel implementation
has the same device for all namespace pseudo files,
from a uapi perspective the device id should be included.
That is the reason why we try to get the device id which holds
the pid namespace pseudo file.
Do you have a better suggestion on how to get
the device id for the 'current' pid namespace? Or, by design,
should we really not care about the device id at all?