* Make CONFIG_NET and CONFIG_SECCOMP_FILTER independent of CONFIG_NET @ 2018-06-06 13:52 Norbert Manthey
From: Norbert Manthey @ 2018-06-06 13:52 UTC (permalink / raw)
To: linux-kernel, kvm, netdev, x86

Dear all,

currently, KVM and SECCOMP rely on functionality of CONFIG_NET, and hence the latter has to be enabled when building the kernel for the first two configurations. However, there exist scenarios where the system does not need networking, but does need KVM and SECCOMP filters. To reduce the kernel image size for these scenarios, and to be able to drop active code, this commit series allows enabling CONFIG_KVM and CONFIG_SECCOMP_FILTER without using CONFIG_NET.

The functionality that is required for seccomp filters is kept in the same files and - after reordering the source code - is guarded with a single ifdef per file.

I hope these changes are useful for other scenarios than the one I currently face.

Best,
Norbert

Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
* [less-CONFIG_NET 1/7] net: reorder filter code 2018-06-06 13:52 Make CONFIG_NET and CONFIG_SECCOMP_FILTER independent of CONFIG_NET Norbert Manthey @ 2018-06-06 13:53 ` Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 2/7] net: reorder flow_dissector Norbert Manthey ` (6 more replies) 0 siblings, 7 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-06 13:53 UTC (permalink / raw) Cc: Norbert Manthey, Alexei Starovoitov, Daniel Borkmann, David S. Miller, netdev, linux-kernel This commit reorders the definition of functions and struct in the file filter.c, such that in the next step we can easily cut the file into a commonly used part, as well as a part that is only required in case CONFIG_NET is actually set. This is part of the effort to split CONFIG_SECCOMP_FILTER and CONFIG_NET. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- net/core/filter.c | 330 +++++++++++++++++++++++++++--------------------------- 1 file changed, 165 insertions(+), 165 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index 201ff36b..0d980e9 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
@@ -59,58 +59,6 @@ #include <net/tcp.h> #include <linux/bpf_trace.h> -/** - * sk_filter_trim_cap - run a packet through a socket filter - * @sk: sock associated with &sk_buff - * @skb: buffer to filter - * @cap: limit on how short the eBPF program may trim the packet - * - * Run the eBPF program and then cut skb->data to correct size returned by - * the program. If pkt_len is 0 we toss packet. If skb->len is smaller - * than pkt_len we keep whole skb->data. This is the socket level - * wrapper to BPF_PROG_RUN. It returns 0 if the packet should - * be accepted or -EPERM if the packet should be tossed. - * - */ -int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap) -{ - int err; - struct sk_filter *filter; - - /* - * If the skb was allocated from pfmemalloc reserves, only - * allow SOCK_MEMALLOC sockets to use it as this socket is - * helping free memory - */ - if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC)) { - NET_INC_STATS(sock_net(sk), LINUX_MIB_PFMEMALLOCDROP); - return -ENOMEM; - } - err = BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb); - if (err) - return err; - - err = security_sock_rcv_skb(sk, skb); - if (err) - return err; - - rcu_read_lock(); - filter = rcu_dereference(sk->sk_filter); - if (filter) { - struct sock *save_sk = skb->sk; - unsigned int pkt_len; - - skb->sk = sk; - pkt_len = bpf_prog_run_save_cb(filter->prog, skb); - skb->sk = save_sk; - err = pkt_len ? pskb_trim(skb, max(cap, pkt_len)) : -EPERM; - } - rcu_read_unlock(); - - return err; -} -EXPORT_SYMBOL(sk_filter_trim_cap); - BPF_CALL_1(__skb_get_pay_offset, struct sk_buff *, skb) { return skb_get_poff(skb); @@ -165,12 +113,6 @@ BPF_CALL_0(__get_raw_cpu_id) return raw_smp_processor_id(); } -static const struct bpf_func_proto bpf_get_raw_smp_processor_id_proto = { - .func = __get_raw_cpu_id, - .gpl_only = false, - .ret_type = RET_INTEGER, -}; - static u32 convert_skb_access(int skb_field, int dst_reg, int src_reg, struct bpf_insn *insn_buf) { 
@@ -954,71 +896,6 @@ static void __bpf_prog_release(struct bpf_prog *prog) } } -static void __sk_filter_release(struct sk_filter *fp) -{ - __bpf_prog_release(fp->prog); - kfree(fp); -} - -/** - * sk_filter_release_rcu - Release a socket filter by rcu_head - * @rcu: rcu_head that contains the sk_filter to free - */ -static void sk_filter_release_rcu(struct rcu_head *rcu) -{ - struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu); - - __sk_filter_release(fp); -} - -/** - * sk_filter_release - release a socket filter - * @fp: filter to remove - * - * Remove a filter from a socket and release its resources. - */ -static void sk_filter_release(struct sk_filter *fp) -{ - if (refcount_dec_and_test(&fp->refcnt)) - call_rcu(&fp->rcu, sk_filter_release_rcu); -} - -void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp) -{ - u32 filter_size = bpf_prog_size(fp->prog->len); - - atomic_sub(filter_size, &sk->sk_omem_alloc); - sk_filter_release(fp); -} - -/* try to charge the socket memory if there is space available - * return true on success - */ -static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp) -{ - u32 filter_size = bpf_prog_size(fp->prog->len); - - /* same check as in sock_kmalloc() */ - if (filter_size <= sysctl_optmem_max && - atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) { - atomic_add(filter_size, &sk->sk_omem_alloc); - return true; - } - return false; -} - -bool sk_filter_charge(struct sock *sk, struct sk_filter *fp) -{ - if (!refcount_inc_not_zero(&fp->refcnt)) - return false; - - if (!__sk_filter_charge(sk, fp)) { - sk_filter_release(fp); - return false; - } - return true; -} - static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp) { struct sock_filter *old_prog; 
@@ -1127,19 +1004,22 @@ static struct bpf_prog *bpf_prepare_filter(struct bpf_prog *fp, } /** - * bpf_prog_create - create an unattached filter + * bpf_prog_create_from_user - create an unattached filter from user buffer * @pfp: the unattached filter that is created * @fprog: the filter program + * @trans: post-classic verifier transformation handler + * @save_orig: save classic BPF program * - * Create a filter independent of any socket. We first run some - * sanity checks on it to make sure it does not explode on us later. - * If an error occurs or there is insufficient memory for the filter - * a negative errno code is returned. On success the return is zero. + * This function effectively does the same as bpf_prog_create(), only + * that it builds up its insns buffer from user space provided buffer. + * It also allows for passing a bpf_aux_classic_check_t handler. */ -int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) +int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, + bpf_aux_classic_check_t trans, bool save_orig) { unsigned int fsize = bpf_classic_proglen(fprog); struct bpf_prog *fp; + int err; /* Make sure new filter is there and in the right amounts. */ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) 
@@ -1149,44 +1029,177 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) if (!fp) return -ENOMEM; - memcpy(fp->insns, fprog->filter, fsize); + if (copy_from_user(fp->insns, fprog->filter, fsize)) { + __bpf_prog_free(fp); + return -EFAULT; + } fp->len = fprog->len; - /* Since unattached filters are not copied back to user - * space through sk_get_filter(), we do not need to hold - * a copy here, and can spare us the work. - */ fp->orig_prog = NULL; + if (save_orig) { + err = bpf_prog_store_orig_filter(fp, fprog); + if (err) { + __bpf_prog_free(fp); + return -ENOMEM; + } + } + /* bpf_prepare_filter() already takes care of freeing * memory in case something goes wrong. */ - fp = bpf_prepare_filter(fp, NULL); + fp = bpf_prepare_filter(fp, trans); if (IS_ERR(fp)) return PTR_ERR(fp); *pfp = fp; return 0; } -EXPORT_SYMBOL_GPL(bpf_prog_create); +EXPORT_SYMBOL_GPL(bpf_prog_create_from_user); + +void bpf_prog_destroy(struct bpf_prog *fp) +{ + __bpf_prog_release(fp); +} +EXPORT_SYMBOL_GPL(bpf_prog_destroy); /** - * bpf_prog_create_from_user - create an unattached filter from user buffer + * sk_filter_trim_cap - run a packet through a socket filter + * @sk: sock associated with &sk_buff + * @skb: buffer to filter + * @cap: limit on how short the eBPF program may trim the packet + * + * Run the eBPF program and then cut skb->data to correct size returned by + * the program. If pkt_len is 0 we toss packet. If skb->len is smaller + * than pkt_len we keep whole skb->data. This is the socket level + * wrapper to BPF_PROG_RUN. It returns 0 if the packet should + * be accepted or -EPERM if the packet should be tossed. 
+ * + */ +int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap) +{ + int err; + struct sk_filter *filter; + + /* + * If the skb was allocated from pfmemalloc reserves, only + * allow SOCK_MEMALLOC sockets to use it as this socket is + * helping free memory + */ + if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_PFMEMALLOCDROP); + return -ENOMEM; + } + err = BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb); + if (err) + return err; + + err = security_sock_rcv_skb(sk, skb); + if (err) + return err; + + rcu_read_lock(); + filter = rcu_dereference(sk->sk_filter); + if (filter) { + struct sock *save_sk = skb->sk; + unsigned int pkt_len; + + skb->sk = sk; + pkt_len = bpf_prog_run_save_cb(filter->prog, skb); + skb->sk = save_sk; + err = pkt_len ? pskb_trim(skb, max(cap, pkt_len)) : -EPERM; + } + rcu_read_unlock(); + + return err; +} +EXPORT_SYMBOL(sk_filter_trim_cap); + +static const struct bpf_func_proto bpf_get_raw_smp_processor_id_proto = { + .func = __get_raw_cpu_id, + .gpl_only = false, + .ret_type = RET_INTEGER, +}; + +static void __sk_filter_release(struct sk_filter *fp) +{ + __bpf_prog_release(fp->prog); + kfree(fp); +} + +/** + * sk_filter_release_rcu - Release a socket filter by rcu_head + * @rcu: rcu_head that contains the sk_filter to free + */ +static void sk_filter_release_rcu(struct rcu_head *rcu) +{ + struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu); + + __sk_filter_release(fp); +} + +/** + * sk_filter_release - release a socket filter + * @fp: filter to remove + * + * Remove a filter from a socket and release its resources. 
+ */ +static void sk_filter_release(struct sk_filter *fp) +{ + if (refcount_dec_and_test(&fp->refcnt)) + call_rcu(&fp->rcu, sk_filter_release_rcu); +} + +void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp) +{ + u32 filter_size = bpf_prog_size(fp->prog->len); + + atomic_sub(filter_size, &sk->sk_omem_alloc); + sk_filter_release(fp); +} + +/* try to charge the socket memory if there is space available + * return true on success + */ +static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp) +{ + u32 filter_size = bpf_prog_size(fp->prog->len); + + /* same check as in sock_kmalloc() */ + if (filter_size <= sysctl_optmem_max && + atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) { + atomic_add(filter_size, &sk->sk_omem_alloc); + return true; + } + return false; +} + +bool sk_filter_charge(struct sock *sk, struct sk_filter *fp) +{ + if (!refcount_inc_not_zero(&fp->refcnt)) + return false; + + if (!__sk_filter_charge(sk, fp)) { + sk_filter_release(fp); + return false; + } + return true; +} + +/** + * bpf_prog_create - create an unattached filter * @pfp: the unattached filter that is created * @fprog: the filter program - * @trans: post-classic verifier transformation handler - * @save_orig: save classic BPF program * - * This function effectively does the same as bpf_prog_create(), only - * that it builds up its insns buffer from user space provided buffer. - * It also allows for passing a bpf_aux_classic_check_t handler. + * Create a filter independent of any socket. We first run some + * sanity checks on it to make sure it does not explode on us later. + * If an error occurs or there is insufficient memory for the filter + * a negative errno code is returned. On success the return is zero. 
*/ -int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, - bpf_aux_classic_check_t trans, bool save_orig) +int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) { unsigned int fsize = bpf_classic_proglen(fprog); struct bpf_prog *fp; - int err; /* Make sure new filter is there and in the right amounts. */ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) @@ -1196,39 +1209,26 @@ int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, if (!fp) return -ENOMEM; - if (copy_from_user(fp->insns, fprog->filter, fsize)) { - __bpf_prog_free(fp); - return -EFAULT; - } + memcpy(fp->insns, fprog->filter, fsize); fp->len = fprog->len; + /* Since unattached filters are not copied back to user + * space through sk_get_filter(), we do not need to hold + * a copy here, and can spare us the work. + */ fp->orig_prog = NULL; - if (save_orig) { - err = bpf_prog_store_orig_filter(fp, fprog); - if (err) { - __bpf_prog_free(fp); - return -ENOMEM; - } - } - /* bpf_prepare_filter() already takes care of freeing * memory in case something goes wrong. */ - fp = bpf_prepare_filter(fp, trans); + fp = bpf_prepare_filter(fp, NULL); if (IS_ERR(fp)) return PTR_ERR(fp); *pfp = fp; return 0; } -EXPORT_SYMBOL_GPL(bpf_prog_create_from_user); - -void bpf_prog_destroy(struct bpf_prog *fp) -{ - __bpf_prog_release(fp); -} -EXPORT_SYMBOL_GPL(bpf_prog_destroy); +EXPORT_SYMBOL_GPL(bpf_prog_create); static int __sk_attach_prog(struct bpf_prog *prog, struct sock *sk) { -- 2.7.4 Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B ^ permalink raw reply related [flat|nested] 24+ messages in thread
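Review bot: In the @@ -165 hunk, `bpf_get_raw_smp_processor_id_proto` is `static const` and is removed from beside its `__get_raw_cpu_id` callback, reappearing only after `sk_filter_trim_cap` in the @@ -1149 hunk with no forward declaration added; any reference to it between the old and the new position will no longer compile, so please confirm with a build (with and without CONFIG_NET) that nothing in that range uses it, or keep the proto next to `__get_raw_cpu_id` where the original layout had it. The `sk_filter_trim_cap` move in the @@ -59 hunk is unproblematic by itself since the function is non-static and exported.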
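Review bot: The @@ -1127, @@ -1149 and @@ -1196 hunks render the body swap of `bpf_prog_create` and `bpf_prog_create_from_user` as if it were a semantic change (`-memcpy(fp->insns, ...)` against `+if (copy_from_user(fp->insns, ...))`, the `save_orig` block, `bpf_prepare_filter(fp, trans)` against `bpf_prepare_filter(fp, NULL)`), which makes a pure reorder impossible to verify line by line. State in the commit message that there is no functional change, and generate the patch with a move-friendly algorithm (`git format-patch --diff-algorithm=patience`, or review it with `git diff --color-moved`) so that each function shows up as one moved block instead of interleaved edits.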
* [less-CONFIG_NET 2/7] net: reorder flow_dissector 2018-06-06 13:53 ` [less-CONFIG_NET 1/7] net: reorder filter code Norbert Manthey @ 2018-06-06 13:53 ` Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 3/7] seccomp: include net and bpf files Norbert Manthey ` (5 subsequent siblings) 6 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-06 13:53 UTC (permalink / raw) Cc: Norbert Manthey, David S. Miller, Simon Horman, Andrew Lunn, Jakub Kicinski, Tom Herbert, John Crispin, Eric Dumazet, Sven Eckelmann, WANG Cong, David Ahern, Jon Maloy, netdev, linux-kernel This commit reorders the definitions, such that in the next step we can easily cut the file into a commonly used part, as well as a part that is only required in case CONFIG_NET is used. This is part of the effort to split CONFIG_SECCOMP_FILTER and CONFIG_NET. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- net/core/flow_dissector.c | 206 +++++++++++++++++++++++----------------------- 1 file changed, 103 insertions(+), 103 deletions(-) diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index d29f09b..70e0679 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c 
@@ -1085,36 +1085,6 @@ static inline size_t flow_keys_hash_length(const struct flow_keys *flow) return (sizeof(*flow) - diff) / sizeof(u32); } -__be32 flow_get_u32_src(const struct flow_keys *flow) -{ - switch (flow->control.addr_type) { - case FLOW_DISSECTOR_KEY_IPV4_ADDRS: - return flow->addrs.v4addrs.src; - case FLOW_DISSECTOR_KEY_IPV6_ADDRS: - return (__force __be32)ipv6_addr_hash( - &flow->addrs.v6addrs.src); - case FLOW_DISSECTOR_KEY_TIPC: - return flow->addrs.tipckey.key; - default: - return 0; - } -} -EXPORT_SYMBOL(flow_get_u32_src); - -__be32 flow_get_u32_dst(const struct flow_keys *flow) -{ - switch (flow->control.addr_type) { - case FLOW_DISSECTOR_KEY_IPV4_ADDRS: - return flow->addrs.v4addrs.dst; - case FLOW_DISSECTOR_KEY_IPV6_ADDRS: - return (__force __be32)ipv6_addr_hash( - &flow->addrs.v6addrs.dst); - default: - return 0; - } -} -EXPORT_SYMBOL(flow_get_u32_dst); - static inline void __flow_hash_consistentify(struct flow_keys *keys) { int addr_diff, i; 
@@ -1162,49 +1132,6 @@ static inline u32 __flow_hash_from_keys(struct flow_keys *keys, u32 keyval) return hash; } -u32 flow_hash_from_keys(struct flow_keys *keys) -{ - __flow_hash_secret_init(); - return __flow_hash_from_keys(keys, hashrnd); -} -EXPORT_SYMBOL(flow_hash_from_keys); - -static inline u32 ___skb_get_hash(const struct sk_buff *skb, - struct flow_keys *keys, u32 keyval) -{ - skb_flow_dissect_flow_keys(skb, keys, - FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL); - - return __flow_hash_from_keys(keys, keyval); -} - -struct _flow_keys_digest_data { - __be16 n_proto; - u8 ip_proto; - u8 padding; - __be32 ports; - __be32 src; - __be32 dst; -}; - -void make_flow_keys_digest(struct flow_keys_digest *digest, - const struct flow_keys *flow) -{ - struct _flow_keys_digest_data *data = - (struct _flow_keys_digest_data *)digest; - - BUILD_BUG_ON(sizeof(*data) > sizeof(*digest)); - - memset(digest, 0, sizeof(*digest)); - - data->n_proto = flow->basic.n_proto; - data->ip_proto = flow->basic.ip_proto; - data->ports = flow->ports.ports; - data->src = flow->addrs.v4addrs.src; - data->dst = flow->addrs.v4addrs.dst; -} -EXPORT_SYMBOL(make_flow_keys_digest); - static struct flow_dissector flow_keys_dissector_symmetric __read_mostly; u32 __skb_get_hash_symmetric(const struct sk_buff *skb) 
@@ -1222,36 +1149,6 @@ u32 __skb_get_hash_symmetric(const struct sk_buff *skb) } EXPORT_SYMBOL_GPL(__skb_get_hash_symmetric); -/** - * __skb_get_hash: calculate a flow hash - * @skb: sk_buff to calculate flow hash from - * - * This function calculates a flow hash based on src/dst addresses - * and src/dst port numbers. Sets hash in skb to non-zero hash value - * on success, zero indicates no valid hash. Also, sets l4_hash in skb - * if hash is a canonical 4-tuple hash over transport ports. - */ -void __skb_get_hash(struct sk_buff *skb) -{ - struct flow_keys keys; - u32 hash; - - __flow_hash_secret_init(); - - hash = ___skb_get_hash(skb, &keys, hashrnd); - - __skb_set_sw_hash(skb, hash, flow_keys_have_l4(&keys)); -} -EXPORT_SYMBOL(__skb_get_hash); - -__u32 skb_get_hash_perturb(const struct sk_buff *skb, u32 perturb) -{ - struct flow_keys keys; - - return ___skb_get_hash(skb, &keys, perturb); -} -EXPORT_SYMBOL(skb_get_hash_perturb); - u32 __skb_get_poff(const struct sk_buff *skb, void *data, const struct flow_keys *keys, int hlen) { 
@@ -1322,6 +1219,109 @@ u32 skb_get_poff(const struct sk_buff *skb) return __skb_get_poff(skb, skb->data, &keys, skb_headlen(skb)); } +__be32 flow_get_u32_src(const struct flow_keys *flow) +{ + switch (flow->control.addr_type) { + case FLOW_DISSECTOR_KEY_IPV4_ADDRS: + return flow->addrs.v4addrs.src; + case FLOW_DISSECTOR_KEY_IPV6_ADDRS: + return (__force __be32)ipv6_addr_hash( + &flow->addrs.v6addrs.src); + case FLOW_DISSECTOR_KEY_TIPC: + return flow->addrs.tipckey.key; + default: + return 0; + } +} +EXPORT_SYMBOL(flow_get_u32_src); + +__be32 flow_get_u32_dst(const struct flow_keys *flow) +{ + switch (flow->control.addr_type) { + case FLOW_DISSECTOR_KEY_IPV4_ADDRS: + return flow->addrs.v4addrs.dst; + case FLOW_DISSECTOR_KEY_IPV6_ADDRS: + return (__force __be32)ipv6_addr_hash( + &flow->addrs.v6addrs.dst); + default: + return 0; + } +} +EXPORT_SYMBOL(flow_get_u32_dst); + +u32 flow_hash_from_keys(struct flow_keys *keys) +{ + __flow_hash_secret_init(); + return __flow_hash_from_keys(keys, hashrnd); +} +EXPORT_SYMBOL(flow_hash_from_keys); + +static inline u32 ___skb_get_hash(const struct sk_buff *skb, + struct flow_keys *keys, u32 keyval) +{ + skb_flow_dissect_flow_keys(skb, keys, + FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL); + + return __flow_hash_from_keys(keys, keyval); +} + +struct _flow_keys_digest_data { + __be16 n_proto; + u8 ip_proto; + u8 padding; + __be32 ports; + __be32 src; + __be32 dst; +}; + +void make_flow_keys_digest(struct flow_keys_digest *digest, + const struct flow_keys *flow) +{ + struct _flow_keys_digest_data *data = + (struct _flow_keys_digest_data *)digest; + + BUILD_BUG_ON(sizeof(*data) > sizeof(*digest)); + + memset(digest, 0, sizeof(*digest)); + + data->n_proto = flow->basic.n_proto; + data->ip_proto = flow->basic.ip_proto; + data->ports = flow->ports.ports; + data->src = flow->addrs.v4addrs.src; + data->dst = flow->addrs.v4addrs.dst; +} +EXPORT_SYMBOL(make_flow_keys_digest); + +/** + * __skb_get_hash: calculate a flow hash + * @skb: sk_buff to 
calculate flow hash from + * + * This function calculates a flow hash based on src/dst addresses + * and src/dst port numbers. Sets hash in skb to non-zero hash value + * on success, zero indicates no valid hash. Also, sets l4_hash in skb + * if hash is a canonical 4-tuple hash over transport ports. + */ +void __skb_get_hash(struct sk_buff *skb) +{ + struct flow_keys keys; + u32 hash; + + __flow_hash_secret_init(); + + hash = ___skb_get_hash(skb, &keys, hashrnd); + + __skb_set_sw_hash(skb, hash, flow_keys_have_l4(&keys)); +} +EXPORT_SYMBOL(__skb_get_hash); + +__u32 skb_get_hash_perturb(const struct sk_buff *skb, u32 perturb) +{ + struct flow_keys keys; + + return ___skb_get_hash(skb, &keys, perturb); +} +EXPORT_SYMBOL(skb_get_hash_perturb); + __u32 __get_hash_from_flowi6(const struct flowi6 *fl6, struct flow_keys *keys) { memset(keys, 0, sizeof(*keys)); -- 2.7.4 Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B ^ permalink raw reply related [flat|nested] 24+ messages in thread
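Review bot: The @@ -1162 and @@ -1322 hunks move `___skb_get_hash`, which is `static inline`, below `__skb_get_hash_symmetric` and `skb_get_poff` without adding a forward declaration, so the reorder only builds if no caller sits between its old and new position; please mention that this was build-tested. The commit message should also list the functions being grouped at the end of the file (`flow_get_u32_src`/`flow_get_u32_dst`, `flow_hash_from_keys`, the `_flow_keys_digest_data` helpers, `__skb_get_hash`, `skb_get_hash_perturb`), because patch 5/7 later wraps exactly this region in `#if defined(CONFIG_NET)` and a reviewer needs the list to check the two patches against each other.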
* [less-CONFIG_NET 3/7] seccomp: include net and bpf files 2018-06-06 13:53 ` [less-CONFIG_NET 1/7] net: reorder filter code Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 2/7] net: reorder flow_dissector Norbert Manthey @ 2018-06-06 13:53 ` Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 4/7] seccomp: include nlattr Norbert Manthey ` (4 subsequent siblings) 6 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-06 13:53 UTC (permalink / raw) Cc: Norbert Manthey, Alexei Starovoitov, Daniel Borkmann, David S. Miller, netdev, linux-kernel When we want to use CONFIG_SECCOMP_FILTER without CONFIG_NET, we have to ensure that the required files that would be pulled in via CONFIG_NET are compiled when dropping CONFIG_NET. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- kernel/bpf/Makefile | 3 ++- net/Makefile | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile index a713fd2..5d13269 100644 --- a/kernel/bpf/Makefile +++ b/kernel/bpf/Makefile @@ -4,7 +4,8 @@ obj-y := core.o obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o tnum.o obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o bpf_lru_list.o lpm_trie.o map_in_map.o obj-$(CONFIG_BPF_SYSCALL) += disasm.o -ifeq ($(CONFIG_NET),y) + +ifneq ($(filter y,$(CONFIG_NET) $(CONFIG_SECCOMP_FILTER)),) obj-$(CONFIG_BPF_SYSCALL) += devmap.o obj-$(CONFIG_BPF_SYSCALL) += cpumap.o obj-$(CONFIG_BPF_SYSCALL) += offload.o diff --git a/net/Makefile b/net/Makefile index a6147c6..08f1875 100644 --- a/net/Makefile +++ b/net/Makefile 
@@ -11,6 +11,11 @@ obj-$(CONFIG_NET) := socket.o core/ tmp-$(CONFIG_COMPAT) := compat.o obj-$(CONFIG_NET) += $(tmp-y) +ifneq ($(CONFIG_NET),y) +obj-$(CONFIG_SECCOMP_FILTER) += core/filter.o +obj-$(CONFIG_SECCOMP_FILTER) += core/flow_dissector.o +endif + # LLC has to be linked before the files in net/802/ obj-$(CONFIG_LLC) += llc/ obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ bpf/ -- 2.7.4 Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B ^ permalink raw reply related [flat|nested] 24+ messages in thread
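Review bot: In the kernel/bpf/Makefile hunk, widening `ifeq ($(CONFIG_NET),y)` to `ifneq ($(filter y,$(CONFIG_NET) $(CONFIG_SECCOMP_FILTER)),)` also builds devmap.o, cpumap.o and offload.o for a CONFIG_NET=n, CONFIG_SECCOMP_FILTER=y, CONFIG_BPF_SYSCALL=y configuration, yet these are the network-device map and offload objects and were gated on CONFIG_NET for that reason; does the seccomp path in filter.c need any of them? If not, leave this guard as it was and restrict the change to the two files added in net/Makefile, otherwise please say in the commit message that such a build was link-tested.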
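Review bot: The net/Makefile hunk adds `core/filter.o` and `core/flow_dissector.o` under `ifneq ($(CONFIG_NET),y)` without a comment, so a reader of net/Makefile sees two seccomp-controlled objects appear in the networking tree with no explanation; add a one-line comment above the block stating that these are built for CONFIG_SECCOMP_FILTER when CONFIG_NET is disabled. Expressing this through a hidden Kconfig symbol selected by both NET and SECCOMP_FILTER (a suggestion, no such symbol exists in the series) would avoid the Makefile conditional and keep the `obj-$(CONFIG_...)` form.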
* [less-CONFIG_NET 4/7] seccomp: include nlattr 2018-06-06 13:53 ` [less-CONFIG_NET 1/7] net: reorder filter code Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 2/7] net: reorder flow_dissector Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 3/7] seccomp: include net and bpf files Norbert Manthey @ 2018-06-06 13:53 ` Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 5/7] seccomp: cut off functions not required Norbert Manthey ` (3 subsequent siblings) 6 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-06 13:53 UTC (permalink / raw) Cc: Norbert Manthey, Andrew Morton, Chris Mason, Geert Uytterhoeven, Nick Terrell, Luis R. Rodriguez, Yury Norov, Palmer Dabbelt, Jinbum Park, Paul E. McKenney, Dave Young, Tom Herbert, linux-kernel When we want to use CONFIG_SECCOMP_FILTER without CONFIG_NET, we have to ensure that the required files that would be pulled in via CONFIG_NET are compiled when dropping CONFIG_NET. Here, we could also select CONFIG_NLATTR instead of pulling the file in explicitly. One could go even one step further and cut the only required function off, namely nla_find. This is part of the effort to split CONFIG_SECCOMP_FILTER and CONFIG_NET. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- lib/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/Makefile b/lib/Makefile index ce20696..bbe09f3 100644 --- a/lib/Makefile +++ b/lib/Makefile 
@@ -163,7 +163,9 @@ obj-$(CONFIG_HAVE_ARCH_TRACEHOOK) += syscall.o obj-$(CONFIG_DYNAMIC_DEBUG) += dynamic_debug.o -obj-$(CONFIG_NLATTR) += nlattr.o +ifneq ($(filter y,$(CONFIG_NLATTR) $(CONFIG_SECCOMP_FILTER)),) +obj-y += nlattr.o +endif obj-$(CONFIG_LRU_CACHE) += lru_cache.o -- 2.7.4 Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B ^ permalink raw reply related [flat|nested] 24+ messages in thread
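Review bot: The commit message already names the cleaner fix, `select NLATTR`, and it should be taken: patch 6/7 adds `select BPF` to SECCOMP_FILTER in arch/Kconfig, and a `select NLATTR` beside it leaves lib/Makefile as `obj-$(CONFIG_NLATTR) += nlattr.o` with no build-system conditional at all. As written, `obj-y += nlattr.o` inside the `ifneq ($(filter y,$(CONFIG_NLATTR) $(CONFIG_SECCOMP_FILTER)),)` block also drops the `obj-$(CONFIG_...)` convention that lets readers grep which symbol controls an object.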
* [less-CONFIG_NET 5/7] seccomp: cut off functions not required 2018-06-06 13:53 ` [less-CONFIG_NET 1/7] net: reorder filter code Norbert Manthey ` (2 preceding siblings ...) 2018-06-06 13:53 ` [less-CONFIG_NET 4/7] seccomp: include nlattr Norbert Manthey @ 2018-06-06 13:53 ` Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 6/7] seccomp: drop CONFIG_NET Norbert Manthey ` (2 subsequent siblings) 6 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-06 13:53 UTC (permalink / raw) Cc: Norbert Manthey, Alexei Starovoitov, Daniel Borkmann, David S. Miller, John Crispin, Simon Horman, Jakub Kicinski, Tom Herbert, Eric Dumazet, Sven Eckelmann, WANG Cong, David Ahern, Jon Maloy, netdev, linux-kernel When using CONFIG_SECCOMP_FILTER, not all functions of filter.c and flow_dissector.c are required. To not pull in more dependencies, guard the functions that are not required with CONFIG_NET defines. This way, these functions are enabled in case the file is compiled because of CONFIG_NET, but they are not present when the file is compiled because of other configurations. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- net/core/filter.c | 2 ++ net/core/flow_dissector.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 0d980e9..4ddacb7 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -1063,6 +1063,7 @@ void bpf_prog_destroy(struct bpf_prog *fp) } EXPORT_SYMBOL_GPL(bpf_prog_destroy); +#if defined(CONFIG_NET) /** * sk_filter_trim_cap - run a packet through a socket filter * @sk: sock associated with &sk_buff @@ -5657,3 +5658,4 @@ int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf, release_sock(sk); return ret; } +#endif // CONFIG_NET diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index 70e0679..0903444 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c 
@@ -1219,6 +1219,7 @@ u32 skb_get_poff(const struct sk_buff *skb) return __skb_get_poff(skb, skb->data, &keys, skb_headlen(skb)); } +#if defined(CONFIG_NET) __be32 flow_get_u32_src(const struct flow_keys *flow) { switch (flow->control.addr_type) { @@ -1340,6 +1341,7 @@ __u32 __get_hash_from_flowi6(const struct flowi6 *fl6, struct flow_keys *keys) return flow_hash_from_keys(keys); } EXPORT_SYMBOL(__get_hash_from_flowi6); +#endif // CONFIG_NET static const struct flow_dissector_key flow_keys_dissector_keys[] = { { -- 2.7.4 Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B ^ permalink raw reply related [flat|nested] 24+ messages in thread
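Review bot: In the two net/core/filter.c hunks, `#if defined(CONFIG_NET)` opens just after `EXPORT_SYMBOL_GPL(bpf_prog_destroy)` and closes with `#endif // CONFIG_NET` after `sk_get_filter`, which by the hunk headers (@@ -1063 and @@ -5657) puts roughly 4,600 lines under a single guard; every future helper added anywhere in the second half of the file then silently becomes CONFIG_NET-only. Use `#ifdef CONFIG_NET` and `#endif /* CONFIG_NET */` in the tree's usual style instead of `#if defined(...)` and a `//` comment, and consider moving the non-net part (the `bpf_prog_create*`, `bpf_prog_destroy` and classic-BPF preparation code) into its own file so no guard of this size is needed.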
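Review bot: The net/core/flow_dissector.c hunks wrap everything from `flow_get_u32_src` to `EXPORT_SYMBOL(__get_hash_from_flowi6)` (lines 1222 to 1344 per the headers) in the same `#if defined(CONFIG_NET)` / `#endif // CONFIG_NET` pair; the closing comment should be `/* CONFIG_NET */`, and the commit message should state that the guarded region is exactly the set of functions reordered in 2/7 so the two patches can be cross-checked. `flow_keys_dissector_keys[]` right after the `#endif` stays unconditional, which is what seccomp's `skb_get_poff` path needs, so the placement itself looks right.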
* [less-CONFIG_NET 6/7] seccomp: drop CONFIG_NET 2018-06-06 13:53 ` [less-CONFIG_NET 1/7] net: reorder filter code Norbert Manthey ` (3 preceding siblings ...) 2018-06-06 13:53 ` [less-CONFIG_NET 5/7] seccomp: cut off functions not required Norbert Manthey @ 2018-06-06 13:53 ` Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 7/7] kvm: " Norbert Manthey 2018-06-06 16:33 ` [less-CONFIG_NET 1/7] net: reorder filter code Willem de Bruijn 6 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-06 13:53 UTC (permalink / raw) Cc: Norbert Manthey, Kees Cook, Andrew Morton, Ingo Molnar, Alexei Starovoitov, Josef Bacik, Nicholas Piggin, Masami Hiramatsu, David S. Miller, Ding Tianhong, linux-kernel With the goal of dropping CONFIG_NET, we have to drop the dependency in the configuration management. Since SECCOMP_FILTER also requires BPF functionality, which is usually activated by CONFIG_NET, imply BPF from SECCOMP_FILTER directly. In case both CONFIG_NET and CONFIG_SECCOMP_FILTER are activated, BPF will be activated as well, so this additional dependency does not destroy original builds. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- arch/Kconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/Kconfig b/arch/Kconfig index 75dd23a..c7108fd 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -393,7 +393,8 @@ config HAVE_ARCH_SECCOMP_FILTER config SECCOMP_FILTER def_bool y - depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET + depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP + select BPF help Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement -- 2.7.4 Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B ^ permalink raw reply related [flat|nested] 24+ messages in thread
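Review bot: Replacing `depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET` with `select BPF` matches the commit message, but since CONFIG_NET is what normally selects BPF (and, per the 4/7 commit message, is also what pulled in nlattr), this hunk is the right place to add `select NLATTR` as well, which would make the lib/Makefile conditional in 4/7 unnecessary. Because `select` overrides a symbol's own `depends on`, please also confirm that BPF has no dependency that can be unmet on an architecture with HAVE_ARCH_SECCOMP_FILTER but without NET, otherwise Kconfig will warn about unmet direct dependencies for a `def_bool y` symbol.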
* [less-CONFIG_NET 7/7] kvm: drop CONFIG_NET 2018-06-06 13:53 ` [less-CONFIG_NET 1/7] net: reorder filter code Norbert Manthey ` (4 preceding siblings ...) 2018-06-06 13:53 ` [less-CONFIG_NET 6/7] seccomp: drop CONFIG_NET Norbert Manthey @ 2018-06-06 13:53 ` Norbert Manthey 2018-06-07 11:20 ` Paolo Bonzini 2018-06-06 16:33 ` [less-CONFIG_NET 1/7] net: reorder filter code Willem de Bruijn 6 siblings, 1 reply; 24+ messages in thread From: Norbert Manthey @ 2018-06-06 13:53 UTC (permalink / raw) Cc: Norbert Manthey, Paolo Bonzini, Radim Krčmář, Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm, linux-kernel In some scenarios, we do not want to use CONFIG_NET even though we want to use CONFIG_KVM. To get this working, and to not pull in more dependencies, we need to disable CONFIG_TASKSTATS as well. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- arch/x86/kvm/Kconfig | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig index 92fd433..f209817 100644 --- a/arch/x86/kvm/Kconfig +++ b/arch/x86/kvm/Kconfig @@ -22,8 +22,8 @@ config KVM tristate "Kernel-based Virtual Machine (KVM) support" depends on HAVE_KVM depends on HIGH_RES_TIMERS - # for TASKSTATS/TASK_DELAY_ACCT: - depends on NET && MULTIUSER + # TASK_DELAY_ACCT: + depends on MULTIUSER depends on X86_LOCAL_APIC select PREEMPT_NOTIFIERS select MMU_NOTIFIER @@ -37,7 +37,6 @@ config KVM select KVM_ASYNC_PF select USER_RETURN_NOTIFIER select KVM_MMIO - select TASKSTATS select TASK_DELAY_ACCT select PERF_EVENTS select HAVE_KVM_MSI -- 2.7.4 Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B ^ permalink raw reply related [flat|nested] 24+ messages in thread
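Review bot: The removed comment `# for TASKSTATS/TASK_DELAY_ACCT:` ties both symbols to the NET dependency, and the patch drops `select TASKSTATS` while keeping `select TASK_DELAY_ACCT` in the @@ -37 hunk; if TASK_DELAY_ACCT still depends on TASKSTATS (and TASKSTATS on NET) in init/Kconfig, then with CONFIG_NET=n this `select` forces a symbol whose dependencies cannot be met and Kconfig prints an unmet-direct-dependencies warning for precisely the configuration the patch is meant to enable. Either drop `select TASK_DELAY_ACCT` too, or make the delay-accounting side free of the TASKSTATS dependency first. Two smaller points: the commit message says CONFIG_TASKSTATS must be "disabled", but the hunk only stops selecting it (users can still enable it when NET=y), so say "no longer selected"; and the new comment `# TASK_DELAY_ACCT:` should keep the `for` of the original.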
* Re: [less-CONFIG_NET 7/7] kvm: drop CONFIG_NET
From: Paolo Bonzini @ 2018-06-07 11:20 UTC
To: Norbert Manthey
Cc: Radim Krčmář, Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm, linux-kernel

On 06/06/2018 15:53, Norbert Manthey wrote:
> In some scenarios, we do not want to use CONFIG_NET even though we want > to use CONFIG_KVM. To get this working, and to not pull in more > dependencies, we need to disable CONFIG_TASKSTATS as well. > > Signed-off-by: Norbert Manthey <nmanthey@amazon.de> > --- > arch/x86/kvm/Kconfig | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig > index 92fd433..f209817 100644 > --- a/arch/x86/kvm/Kconfig > +++ b/arch/x86/kvm/Kconfig > @@ -22,8 +22,8 @@ config KVM > tristate "Kernel-based Virtual Machine (KVM) support" > depends on HAVE_KVM > depends on HIGH_RES_TIMERS > - # for TASKSTATS/TASK_DELAY_ACCT: > - depends on NET && MULTIUSER > + # TASK_DELAY_ACCT: > + depends on MULTIUSER > depends on X86_LOCAL_APIC > select PREEMPT_NOTIFIERS > select MMU_NOTIFIER > @@ -37,7 +37,6 @@ config KVM > select KVM_ASYNC_PF > select USER_RETURN_NOTIFIER > select KVM_MMIO > - select TASKSTATS > select TASK_DELAY_ACCT > select PERF_EVENTS > select HAVE_KVM_MSI >

Assuming it compiles, it looks good. :)

Paolo
* Re: [less-CONFIG_NET 7/7] kvm: drop CONFIG_NET
From: Norbert Manthey @ 2018-06-07 11:46 UTC
To: Paolo Bonzini
Cc: Radim Krčmář, Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm, linux-kernel

On 06/07/2018 01:20 PM, Paolo Bonzini wrote:
> On 06/06/2018 15:53, Norbert Manthey wrote: >> In some scenarios, we do not want to use CONFIG_NET even though we want >> to use CONFIG_KVM. To get this working, and to not pull in more >> dependencies, we need to disable CONFIG_TASKSTATS as well. >> >> Signed-off-by: Norbert Manthey <nmanthey@amazon.de> >> --- >> arch/x86/kvm/Kconfig | 5 ++--- >> 1 file changed, 2 insertions(+), 3 deletions(-) >> >> diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig >> index 92fd433..f209817 100644 >> --- a/arch/x86/kvm/Kconfig >> +++ b/arch/x86/kvm/Kconfig >> @@ -22,8 +22,8 @@ config KVM >> tristate "Kernel-based Virtual Machine (KVM) support" >> depends on HAVE_KVM >> depends on HIGH_RES_TIMERS >> - # for TASKSTATS/TASK_DELAY_ACCT: >> - depends on NET && MULTIUSER >> + # TASK_DELAY_ACCT: >> + depends on MULTIUSER >> depends on X86_LOCAL_APIC >> select PREEMPT_NOTIFIERS >> select MMU_NOTIFIER >> @@ -37,7 +37,6 @@ config KVM >> select KVM_ASYNC_PF >> select USER_RETURN_NOTIFIER >> select KVM_MMIO >> - select TASKSTATS >> select TASK_DELAY_ACCT >> select PERF_EVENTS >> select HAVE_KVM_MSI >> > Assuming it compiles, it looks good. :) > > Paolo >

It compiles, with the default configuration, as well as with the subset that I currently use. Since I have an actually small selection of config options, I wonder whether there are some best practices to make sure this change does not corrupt other configurations that rely on KVM selecting TASKSTATS.

Norbert
* Re: [less-CONFIG_NET 7/7] kvm: drop CONFIG_NET
From: Norbert Manthey @ 2018-06-07 15:48 UTC
To: Paolo Bonzini
Cc: Radim Krčmář, Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm, linux-kernel

Dear Paolo,

after you asked, I ran a few more "make randconfig; make" rounds, and found a problem with one of the commits (when using BPF_SYSCALL, NET and SECCOMP_FILTER). I'll fix the issues and all others that might pop up, and rerun the randconfig loop many more times to get a better coverage and higher confidence. I'll update the series afterwards.

Best,
Norbert

On 06/07/2018 01:46 PM, Norbert Manthey wrote:
> On 06/07/2018 01:20 PM, Paolo Bonzini wrote: >> On 06/06/2018 15:53, Norbert Manthey wrote: >>> In some scenarios, we do not want to use CONFIG_NET even though we want >>> to use CONFIG_KVM. To get this working, and to not pull in more >>> dependencies, we need to disable CONFIG_TASKSTATS as well. >>> >>> Signed-off-by: Norbert Manthey <nmanthey@amazon.de> >>> --- >>> arch/x86/kvm/Kconfig | 5 ++--- >>> 1 file changed, 2 insertions(+), 3 deletions(-) >>> >>> diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig >>> index 92fd433..f209817 100644 >>> --- a/arch/x86/kvm/Kconfig >>> +++ b/arch/x86/kvm/Kconfig >>> @@ -22,8 +22,8 @@ config KVM >>> tristate "Kernel-based Virtual Machine (KVM) support" >>> depends on HAVE_KVM >>> depends on HIGH_RES_TIMERS >>> - # for TASKSTATS/TASK_DELAY_ACCT: >>> - depends on NET && MULTIUSER >>> + # TASK_DELAY_ACCT: >>> + depends on MULTIUSER >>> depends on X86_LOCAL_APIC >>> select PREEMPT_NOTIFIERS >>> select MMU_NOTIFIER >>> @@ -37,7 +37,6 @@ config KVM >>> select KVM_ASYNC_PF >>> select USER_RETURN_NOTIFIER >>> select KVM_MMIO >>> - select TASKSTATS >>> select TASK_DELAY_ACCT >>> select PERF_EVENTS >>> select HAVE_KVM_MSI >>> >> Assuming it compiles, it looks good. :) >> >> Paolo >> > It compiles, with the default configuration, as well as with the subset > that I currently use. Since I have an actually small selection of config > options, I wonder whether there is some best practices to make sure this > change does not corrupt other configurations that rely on KVM selecting > TASKSTATS. > > Norbert
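The "make randconfig; make" loop described in the message above, as an added example that is not part of the thread or the series: it pins the configuration this series targets (NET off, SECCOMP_FILTER on) through KCONFIG_ALLCONFIG, the standard kconfig mechanism for presetting symbols, verifies that randconfig actually honoured the preset, and fails a round when Kconfig reports unmet direct dependencies, which a `select` can introduce without stopping the build. The function names, the preset contents and the log checks are this example's own assumptions; it needs a kernel tree and toolchain to do real work.

```shell
#!/bin/sh
# Added example, not from the thread: a randconfig loop that pins NET=n and
# SECCOMP_FILTER=y and treats Kconfig's "unmet direct dependencies" warning
# as a failure. Assumptions: a kernel source tree and toolchain at $1; the
# function names and the preset file contents are this example's own.

# Preset consumed by KCONFIG_ALLCONFIG: randconfig keeps these values fixed
# and randomises everything else. KVM=y is only honoured on architectures
# where the symbol is visible, which is why check_config() does not insist on it.
write_preset() {
    cat > "$1" <<'EOF'
# CONFIG_NET is not set
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_KVM=y
EOF
}

# Succeed only if the generated .config ($1) really has NET off and
# SECCOMP_FILTER on; randconfig silently drops a preset value that conflicts
# with a dependency, which is exactly the situation the series must handle.
check_config() {
    grep -q '^# CONFIG_NET is not set$' "$1" || return 1
    grep -q '^CONFIG_SECCOMP_FILTER=y$' "$1" || return 1
}

# Number of "unmet direct dependencies" warnings in a captured log ($1).
# Kconfig only warns when a `select` pulls in a symbol whose own dependencies
# are unmet, so a loop that looks at exit status alone would miss it.
count_unmet_deps() {
    grep -c 'unmet direct dependencies' "$1" || true
}

# Run $2 (default 10) randconfig builds in the tree at $1; stop at the first
# failing round and keep its log (the KCONFIG_SEED line that randconfig
# prints into the log reproduces that configuration).
randconfig_loop() {
    tree=$1
    rounds=${2:-10}
    preset=$(mktemp)
    write_preset "$preset"
    i=1
    while [ "$i" -le "$rounds" ]; do
        log=$(mktemp)
        if ! ( cd "$tree" &&
               make KCONFIG_ALLCONFIG="$preset" randconfig >"$log" 2>&1 &&
               check_config .config &&
               make -j"$(nproc)" >>"$log" 2>&1 ); then
            echo "round $i: configure/build failed, log: $log"
            return 1
        fi
        if [ "$(count_unmet_deps "$log")" -ne 0 ]; then
            echo "round $i: unmet Kconfig dependencies, log: $log"
            return 1
        fi
        rm -f "$log"
        i=$((i + 1))
    done
    rm -f "$preset"
    echo "$rounds rounds passed"
}

# Usage: ./randconfig-loop.sh /path/to/linux 20
if [ -n "${1:-}" ]; then
    randconfig_loop "$1" "${2:-10}"
fi
```

The preset check matters more than it looks: when a pinned symbol cannot be satisfied, randconfig does not complain, so without check_config() a loop can run dozens of rounds that never exercise the NET=n case at all.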
* less-CONFIG_NET v2
From: Norbert Manthey @ 2018-06-28 12:45 UTC
To: Norbert Manthey, linux-kernel

In the first version of this series, I found a compilation error after running make randconfig multiple times. I fixed the error, and rebased the series. Furthermore, this series passed many make randconfig compilations, as well as a compilation test for multiple architectures and configurations.
* [less-CONFIG_NET v2 1/8] net: reorder filter code 2018-06-28 12:45 ` less-CONFIG_NET v2 Norbert Manthey @ 2018-06-28 12:45 ` Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 2/8] net: reorder flow_dissector Norbert Manthey ` (6 subsequent siblings) 7 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-28 12:45 UTC (permalink / raw) To: Norbert Manthey, linux-kernel Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller, netdev This commit reorders the definition of functions and struct in the file filter.c, such that in the next step we can easily cut the file into a commonly used part, as well as a part that is only required in case CONFIG_NET is actually set. This is part of the effort to split CONFIG_SECCOMP_FILTER and CONFIG_NET. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- net/core/filter.c | 330 +++++++++++++++++++++++++++--------------------------- 1 file changed, 165 insertions(+), 165 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index e7f12e9..61c24c9 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
@@ -69,58 +69,6 @@ #include <net/seg6.h> #include <net/seg6_local.h> -/** - * sk_filter_trim_cap - run a packet through a socket filter - * @sk: sock associated with &sk_buff - * @skb: buffer to filter - * @cap: limit on how short the eBPF program may trim the packet - * - * Run the eBPF program and then cut skb->data to correct size returned by - * the program. If pkt_len is 0 we toss packet. If skb->len is smaller - * than pkt_len we keep whole skb->data. This is the socket level - * wrapper to BPF_PROG_RUN. It returns 0 if the packet should - * be accepted or -EPERM if the packet should be tossed. - * - */ -int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap) -{ - int err; - struct sk_filter *filter; - - /* - * If the skb was allocated from pfmemalloc reserves, only - * allow SOCK_MEMALLOC sockets to use it as this socket is - * helping free memory - */ - if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC)) { - NET_INC_STATS(sock_net(sk), LINUX_MIB_PFMEMALLOCDROP); - return -ENOMEM; - } - err = BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb); - if (err) - return err; - - err = security_sock_rcv_skb(sk, skb); - if (err) - return err; - - rcu_read_lock(); - filter = rcu_dereference(sk->sk_filter); - if (filter) { - struct sock *save_sk = skb->sk; - unsigned int pkt_len; - - skb->sk = sk; - pkt_len = bpf_prog_run_save_cb(filter->prog, skb); - skb->sk = save_sk; - err = pkt_len ? pskb_trim(skb, max(cap, pkt_len)) : -EPERM; - } - rcu_read_unlock(); - - return err; -} -EXPORT_SYMBOL(sk_filter_trim_cap); - BPF_CALL_1(bpf_skb_get_pay_offset, struct sk_buff *, skb) { return skb_get_poff(skb); @@ -256,12 +204,6 @@ BPF_CALL_0(bpf_get_raw_cpu_id) return raw_smp_processor_id(); } -static const struct bpf_func_proto bpf_get_raw_smp_processor_id_proto = { - .func = bpf_get_raw_cpu_id, - .gpl_only = false, - .ret_type = RET_INTEGER, -}; - static u32 convert_skb_access(int skb_field, int dst_reg, int src_reg, struct bpf_insn *insn_buf) { 
@@ -1138,71 +1080,6 @@ static void __bpf_prog_release(struct bpf_prog *prog) } } -static void __sk_filter_release(struct sk_filter *fp) -{ - __bpf_prog_release(fp->prog); - kfree(fp); -} - -/** - * sk_filter_release_rcu - Release a socket filter by rcu_head - * @rcu: rcu_head that contains the sk_filter to free - */ -static void sk_filter_release_rcu(struct rcu_head *rcu) -{ - struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu); - - __sk_filter_release(fp); -} - -/** - * sk_filter_release - release a socket filter - * @fp: filter to remove - * - * Remove a filter from a socket and release its resources. - */ -static void sk_filter_release(struct sk_filter *fp) -{ - if (refcount_dec_and_test(&fp->refcnt)) - call_rcu(&fp->rcu, sk_filter_release_rcu); -} - -void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp) -{ - u32 filter_size = bpf_prog_size(fp->prog->len); - - atomic_sub(filter_size, &sk->sk_omem_alloc); - sk_filter_release(fp); -} - -/* try to charge the socket memory if there is space available - * return true on success - */ -static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp) -{ - u32 filter_size = bpf_prog_size(fp->prog->len); - - /* same check as in sock_kmalloc() */ - if (filter_size <= sysctl_optmem_max && - atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) { - atomic_add(filter_size, &sk->sk_omem_alloc); - return true; - } - return false; -} - -bool sk_filter_charge(struct sock *sk, struct sk_filter *fp) -{ - if (!refcount_inc_not_zero(&fp->refcnt)) - return false; - - if (!__sk_filter_charge(sk, fp)) { - sk_filter_release(fp); - return false; - } - return true; -} - static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp) { struct sock_filter *old_prog; 
@@ -1314,19 +1191,22 @@ static struct bpf_prog *bpf_prepare_filter(struct bpf_prog *fp, } /** - * bpf_prog_create - create an unattached filter + * bpf_prog_create_from_user - create an unattached filter from user buffer * @pfp: the unattached filter that is created * @fprog: the filter program + * @trans: post-classic verifier transformation handler + * @save_orig: save classic BPF program * - * Create a filter independent of any socket. We first run some - * sanity checks on it to make sure it does not explode on us later. - * If an error occurs or there is insufficient memory for the filter - * a negative errno code is returned. On success the return is zero. + * This function effectively does the same as bpf_prog_create(), only + * that it builds up its insns buffer from user space provided buffer. + * It also allows for passing a bpf_aux_classic_check_t handler. */ -int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) +int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, + bpf_aux_classic_check_t trans, bool save_orig) { unsigned int fsize = bpf_classic_proglen(fprog); struct bpf_prog *fp; + int err; /* Make sure new filter is there and in the right amounts. */ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) 
@@ -1336,44 +1216,177 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) if (!fp) return -ENOMEM; - memcpy(fp->insns, fprog->filter, fsize); + if (copy_from_user(fp->insns, fprog->filter, fsize)) { + __bpf_prog_free(fp); + return -EFAULT; + } fp->len = fprog->len; - /* Since unattached filters are not copied back to user - * space through sk_get_filter(), we do not need to hold - * a copy here, and can spare us the work. - */ fp->orig_prog = NULL; + if (save_orig) { + err = bpf_prog_store_orig_filter(fp, fprog); + if (err) { + __bpf_prog_free(fp); + return -ENOMEM; + } + } + /* bpf_prepare_filter() already takes care of freeing * memory in case something goes wrong. */ - fp = bpf_prepare_filter(fp, NULL); + fp = bpf_prepare_filter(fp, trans); if (IS_ERR(fp)) return PTR_ERR(fp); *pfp = fp; return 0; } -EXPORT_SYMBOL_GPL(bpf_prog_create); +EXPORT_SYMBOL_GPL(bpf_prog_create_from_user); + +void bpf_prog_destroy(struct bpf_prog *fp) +{ + __bpf_prog_release(fp); +} +EXPORT_SYMBOL_GPL(bpf_prog_destroy); /** - * bpf_prog_create_from_user - create an unattached filter from user buffer + * sk_filter_trim_cap - run a packet through a socket filter + * @sk: sock associated with &sk_buff + * @skb: buffer to filter + * @cap: limit on how short the eBPF program may trim the packet + * + * Run the eBPF program and then cut skb->data to correct size returned by + * the program. If pkt_len is 0 we toss packet. If skb->len is smaller + * than pkt_len we keep whole skb->data. This is the socket level + * wrapper to BPF_PROG_RUN. It returns 0 if the packet should + * be accepted or -EPERM if the packet should be tossed. 
+ * + */ +int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap) +{ + int err; + struct sk_filter *filter; + + /* + * If the skb was allocated from pfmemalloc reserves, only + * allow SOCK_MEMALLOC sockets to use it as this socket is + * helping free memory + */ + if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_PFMEMALLOCDROP); + return -ENOMEM; + } + err = BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb); + if (err) + return err; + + err = security_sock_rcv_skb(sk, skb); + if (err) + return err; + + rcu_read_lock(); + filter = rcu_dereference(sk->sk_filter); + if (filter) { + struct sock *save_sk = skb->sk; + unsigned int pkt_len; + + skb->sk = sk; + pkt_len = bpf_prog_run_save_cb(filter->prog, skb); + skb->sk = save_sk; + err = pkt_len ? pskb_trim(skb, max(cap, pkt_len)) : -EPERM; + } + rcu_read_unlock(); + + return err; +} +EXPORT_SYMBOL(sk_filter_trim_cap); + +static const struct bpf_func_proto bpf_get_raw_smp_processor_id_proto = { + .func = bpf_get_raw_cpu_id, + .gpl_only = false, + .ret_type = RET_INTEGER, +}; + +static void __sk_filter_release(struct sk_filter *fp) +{ + __bpf_prog_release(fp->prog); + kfree(fp); +} + +/** + * sk_filter_release_rcu - Release a socket filter by rcu_head + * @rcu: rcu_head that contains the sk_filter to free + */ +static void sk_filter_release_rcu(struct rcu_head *rcu) +{ + struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu); + + __sk_filter_release(fp); +} + +/** + * sk_filter_release - release a socket filter + * @fp: filter to remove + * + * Remove a filter from a socket and release its resources. 
+ */ +static void sk_filter_release(struct sk_filter *fp) +{ + if (refcount_dec_and_test(&fp->refcnt)) + call_rcu(&fp->rcu, sk_filter_release_rcu); +} + +void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp) +{ + u32 filter_size = bpf_prog_size(fp->prog->len); + + atomic_sub(filter_size, &sk->sk_omem_alloc); + sk_filter_release(fp); +} + +/* try to charge the socket memory if there is space available + * return true on success + */ +static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp) +{ + u32 filter_size = bpf_prog_size(fp->prog->len); + + /* same check as in sock_kmalloc() */ + if (filter_size <= sysctl_optmem_max && + atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) { + atomic_add(filter_size, &sk->sk_omem_alloc); + return true; + } + return false; +} + +bool sk_filter_charge(struct sock *sk, struct sk_filter *fp) +{ + if (!refcount_inc_not_zero(&fp->refcnt)) + return false; + + if (!__sk_filter_charge(sk, fp)) { + sk_filter_release(fp); + return false; + } + return true; +} + +/** + * bpf_prog_create - create an unattached filter * @pfp: the unattached filter that is created * @fprog: the filter program - * @trans: post-classic verifier transformation handler - * @save_orig: save classic BPF program * - * This function effectively does the same as bpf_prog_create(), only - * that it builds up its insns buffer from user space provided buffer. - * It also allows for passing a bpf_aux_classic_check_t handler. + * Create a filter independent of any socket. We first run some + * sanity checks on it to make sure it does not explode on us later. + * If an error occurs or there is insufficient memory for the filter + * a negative errno code is returned. On success the return is zero. 
*/ -int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, - bpf_aux_classic_check_t trans, bool save_orig) +int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) { unsigned int fsize = bpf_classic_proglen(fprog); struct bpf_prog *fp; - int err; /* Make sure new filter is there and in the right amounts. */ if (!bpf_check_basics_ok(fprog->filter, fprog->len)) @@ -1383,39 +1396,26 @@ int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog, if (!fp) return -ENOMEM; - if (copy_from_user(fp->insns, fprog->filter, fsize)) { - __bpf_prog_free(fp); - return -EFAULT; - } + memcpy(fp->insns, fprog->filter, fsize); fp->len = fprog->len; + /* Since unattached filters are not copied back to user + * space through sk_get_filter(), we do not need to hold + * a copy here, and can spare us the work. + */ fp->orig_prog = NULL; - if (save_orig) { - err = bpf_prog_store_orig_filter(fp, fprog); - if (err) { - __bpf_prog_free(fp); - return -ENOMEM; - } - } - /* bpf_prepare_filter() already takes care of freeing * memory in case something goes wrong. */ - fp = bpf_prepare_filter(fp, trans); + fp = bpf_prepare_filter(fp, NULL); if (IS_ERR(fp)) return PTR_ERR(fp); *pfp = fp; return 0; } -EXPORT_SYMBOL_GPL(bpf_prog_create_from_user); - -void bpf_prog_destroy(struct bpf_prog *fp) -{ - __bpf_prog_release(fp); -} -EXPORT_SYMBOL_GPL(bpf_prog_destroy); +EXPORT_SYMBOL_GPL(bpf_prog_create); static int __sk_attach_prog(struct bpf_prog *prog, struct sock *sk) { -- 2.7.4 Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B ^ permalink raw reply related [flat|nested] 24+ messages in thread
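Review bot: the hunks at @@ -69,58 and @@ -256,12 move `sk_filter_trim_cap()` and `bpf_get_raw_smp_processor_id_proto` roughly a thousand lines down while `bpf_get_raw_cpu_id()`, which the proto refers to, stays at the top; that is valid C, but the commit message gives no criterion for which definitions move ("such that in the next step we can easily cut the file"). State the rule explicitly, e.g. "everything the seccomp classic BPF path needs stays in the first part of the file, socket-filter code goes after it, no functional change", so each moved item can be checked against it.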
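Review bot: the hunks at @@ -1314,19, @@ -1336,44 and @@ -1383,39 show the swap of `bpf_prog_create()` and `bpf_prog_create_from_user()` as line-by-line edits of one function into the other (`-int bpf_prog_create(...)` next to `+int bpf_prog_create_from_user(...)`, `-memcpy(fp->insns, ...)` next to `+if (copy_from_user(fp->insns, ...))`), so a reader cannot see at a glance that no statement changed. Regenerating the series with `git format-patch --histogram` (or `--patience`) usually keeps a moved function in one block, and reviewers can confirm a pure move with `git diff --color-moved=zebra` on the commit; say "no functional change" in the message either way.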
* [less-CONFIG_NET v2 2/8] net: reorder flow_dissector 2018-06-28 12:45 ` less-CONFIG_NET v2 Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 1/8] net: reorder filter code Norbert Manthey @ 2018-06-28 12:45 ` Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 3/8] seccomp: include net Norbert Manthey ` (5 subsequent siblings) 7 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-28 12:45 UTC (permalink / raw) To: Norbert Manthey, linux-kernel Cc: David S. Miller, David Ahern, Jiri Pirko, Jon Maloy, Simon Horman, Paolo Abeni, Tom Herbert, Michal Kubecek, Sven Eckelmann, WANG Cong, netdev This commit reorders the definitions, such that in the next step we can easily cut the file into a commonly used part, as well as a part that is only required in case CONFIG_NET is used. This is part of the effort to split CONFIG_SECCOMP_FILTER and CONFIG_NET. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- net/core/flow_dissector.c | 206 +++++++++++++++++++++++----------------------- 1 file changed, 103 insertions(+), 103 deletions(-) diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index 53f96e4..76d0b23 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c 
@@ -1085,36 +1085,6 @@ static inline size_t flow_keys_hash_length(const struct flow_keys *flow) return (sizeof(*flow) - diff) / sizeof(u32); } -__be32 flow_get_u32_src(const struct flow_keys *flow) -{ - switch (flow->control.addr_type) { - case FLOW_DISSECTOR_KEY_IPV4_ADDRS: - return flow->addrs.v4addrs.src; - case FLOW_DISSECTOR_KEY_IPV6_ADDRS: - return (__force __be32)ipv6_addr_hash( - &flow->addrs.v6addrs.src); - case FLOW_DISSECTOR_KEY_TIPC: - return flow->addrs.tipckey.key; - default: - return 0; - } -} -EXPORT_SYMBOL(flow_get_u32_src); - -__be32 flow_get_u32_dst(const struct flow_keys *flow) -{ - switch (flow->control.addr_type) { - case FLOW_DISSECTOR_KEY_IPV4_ADDRS: - return flow->addrs.v4addrs.dst; - case FLOW_DISSECTOR_KEY_IPV6_ADDRS: - return (__force __be32)ipv6_addr_hash( - &flow->addrs.v6addrs.dst); - default: - return 0; - } -} -EXPORT_SYMBOL(flow_get_u32_dst); - static inline void __flow_hash_consistentify(struct flow_keys *keys) { int addr_diff, i; 
@@ -1162,49 +1132,6 @@ static inline u32 __flow_hash_from_keys(struct flow_keys *keys, u32 keyval) return hash; } -u32 flow_hash_from_keys(struct flow_keys *keys) -{ - __flow_hash_secret_init(); - return __flow_hash_from_keys(keys, hashrnd); -} -EXPORT_SYMBOL(flow_hash_from_keys); - -static inline u32 ___skb_get_hash(const struct sk_buff *skb, - struct flow_keys *keys, u32 keyval) -{ - skb_flow_dissect_flow_keys(skb, keys, - FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL); - - return __flow_hash_from_keys(keys, keyval); -} - -struct _flow_keys_digest_data { - __be16 n_proto; - u8 ip_proto; - u8 padding; - __be32 ports; - __be32 src; - __be32 dst; -}; - -void make_flow_keys_digest(struct flow_keys_digest *digest, - const struct flow_keys *flow) -{ - struct _flow_keys_digest_data *data = - (struct _flow_keys_digest_data *)digest; - - BUILD_BUG_ON(sizeof(*data) > sizeof(*digest)); - - memset(digest, 0, sizeof(*digest)); - - data->n_proto = flow->basic.n_proto; - data->ip_proto = flow->basic.ip_proto; - data->ports = flow->ports.ports; - data->src = flow->addrs.v4addrs.src; - data->dst = flow->addrs.v4addrs.dst; -} -EXPORT_SYMBOL(make_flow_keys_digest); - static struct flow_dissector flow_keys_dissector_symmetric __read_mostly; u32 __skb_get_hash_symmetric(const struct sk_buff *skb) 
@@ -1222,36 +1149,6 @@ u32 __skb_get_hash_symmetric(const struct sk_buff *skb) } EXPORT_SYMBOL_GPL(__skb_get_hash_symmetric); -/** - * __skb_get_hash: calculate a flow hash - * @skb: sk_buff to calculate flow hash from - * - * This function calculates a flow hash based on src/dst addresses - * and src/dst port numbers. Sets hash in skb to non-zero hash value - * on success, zero indicates no valid hash. Also, sets l4_hash in skb - * if hash is a canonical 4-tuple hash over transport ports. - */ -void __skb_get_hash(struct sk_buff *skb) -{ - struct flow_keys keys; - u32 hash; - - __flow_hash_secret_init(); - - hash = ___skb_get_hash(skb, &keys, hashrnd); - - __skb_set_sw_hash(skb, hash, flow_keys_have_l4(&keys)); -} -EXPORT_SYMBOL(__skb_get_hash); - -__u32 skb_get_hash_perturb(const struct sk_buff *skb, u32 perturb) -{ - struct flow_keys keys; - - return ___skb_get_hash(skb, &keys, perturb); -} -EXPORT_SYMBOL(skb_get_hash_perturb); - u32 __skb_get_poff(const struct sk_buff *skb, void *data, const struct flow_keys_basic *keys, int hlen) { 
@@ -1322,6 +1219,109 @@ u32 skb_get_poff(const struct sk_buff *skb) return __skb_get_poff(skb, skb->data, &keys, skb_headlen(skb)); } +__be32 flow_get_u32_src(const struct flow_keys *flow) +{ + switch (flow->control.addr_type) { + case FLOW_DISSECTOR_KEY_IPV4_ADDRS: + return flow->addrs.v4addrs.src; + case FLOW_DISSECTOR_KEY_IPV6_ADDRS: + return (__force __be32)ipv6_addr_hash( + &flow->addrs.v6addrs.src); + case FLOW_DISSECTOR_KEY_TIPC: + return flow->addrs.tipckey.key; + default: + return 0; + } +} +EXPORT_SYMBOL(flow_get_u32_src); + +__be32 flow_get_u32_dst(const struct flow_keys *flow) +{ + switch (flow->control.addr_type) { + case FLOW_DISSECTOR_KEY_IPV4_ADDRS: + return flow->addrs.v4addrs.dst; + case FLOW_DISSECTOR_KEY_IPV6_ADDRS: + return (__force __be32)ipv6_addr_hash( + &flow->addrs.v6addrs.dst); + default: + return 0; + } +} +EXPORT_SYMBOL(flow_get_u32_dst); + +u32 flow_hash_from_keys(struct flow_keys *keys) +{ + __flow_hash_secret_init(); + return __flow_hash_from_keys(keys, hashrnd); +} +EXPORT_SYMBOL(flow_hash_from_keys); + +static inline u32 ___skb_get_hash(const struct sk_buff *skb, + struct flow_keys *keys, u32 keyval) +{ + skb_flow_dissect_flow_keys(skb, keys, + FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL); + + return __flow_hash_from_keys(keys, keyval); +} + +struct _flow_keys_digest_data { + __be16 n_proto; + u8 ip_proto; + u8 padding; + __be32 ports; + __be32 src; + __be32 dst; +}; + +void make_flow_keys_digest(struct flow_keys_digest *digest, + const struct flow_keys *flow) +{ + struct _flow_keys_digest_data *data = + (struct _flow_keys_digest_data *)digest; + + BUILD_BUG_ON(sizeof(*data) > sizeof(*digest)); + + memset(digest, 0, sizeof(*digest)); + + data->n_proto = flow->basic.n_proto; + data->ip_proto = flow->basic.ip_proto; + data->ports = flow->ports.ports; + data->src = flow->addrs.v4addrs.src; + data->dst = flow->addrs.v4addrs.dst; +} +EXPORT_SYMBOL(make_flow_keys_digest); + +/** + * __skb_get_hash: calculate a flow hash + * @skb: sk_buff to 
calculate flow hash from + * + * This function calculates a flow hash based on src/dst addresses + * and src/dst port numbers. Sets hash in skb to non-zero hash value + * on success, zero indicates no valid hash. Also, sets l4_hash in skb + * if hash is a canonical 4-tuple hash over transport ports. + */ +void __skb_get_hash(struct sk_buff *skb) +{ + struct flow_keys keys; + u32 hash; + + __flow_hash_secret_init(); + + hash = ___skb_get_hash(skb, &keys, hashrnd); + + __skb_set_sw_hash(skb, hash, flow_keys_have_l4(&keys)); +} +EXPORT_SYMBOL(__skb_get_hash); + +__u32 skb_get_hash_perturb(const struct sk_buff *skb, u32 perturb) +{ + struct flow_keys keys; + + return ___skb_get_hash(skb, &keys, perturb); +} +EXPORT_SYMBOL(skb_get_hash_perturb); + __u32 __get_hash_from_flowi6(const struct flowi6 *fl6, struct flow_keys *keys) { memset(keys, 0, sizeof(*keys)); -- 2.7.4 Amazon Development Center Germany GmbH Berlin - Dresden - Aachen main office: Krausenstr. 38, 10117 Berlin Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger Ust-ID: DE289237879 Eingetragen am Amtsgericht Charlottenburg HRB 149173 B ^ permalink raw reply related [flat|nested] 24+ messages in thread
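Review bot: the four hunks are a pure move, but the only clue to the selection is "only required in case CONFIG_NET is used"; the message should name the rule (the exported flow-key accessors, `flow_hash_from_keys()`, the digest helpers and the `__skb_get_hash*()` family move below `skb_get_poff()`, which the classic BPF payload-offset helper in filter.c calls) and say "no functional change". One ordering detail worth a sentence: `___skb_get_hash()` is `static inline`, and its callers `__skb_get_hash()` and `skb_get_hash_perturb()` move with it in @@ -1322,6, so it is still defined before its first use.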
* [less-CONFIG_NET v2 3/8] seccomp: include net 2018-06-28 12:45 ` less-CONFIG_NET v2 Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 1/8] net: reorder filter code Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 2/8] net: reorder flow_dissector Norbert Manthey @ 2018-06-28 12:45 ` Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 4/8] seccomp: include nlattr Norbert Manthey ` (4 subsequent siblings) 7 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-28 12:45 UTC (permalink / raw) To: Norbert Manthey, linux-kernel Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller, netdev When we want to use CONFIG_SECCOMP_FILTER without CONFIG_NET, we have to ensure that the required files that would be pulled in via CONFIG_NET are compiled when dropping CONFIG_NET. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- kernel/bpf/Makefile | 1 + net/Makefile | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/kernel/bpf/Makefile b/kernel/bpf/Makefile index f27f549..16936c0 100644 --- a/kernel/bpf/Makefile +++ b/kernel/bpf/Makefile @@ -5,6 +5,7 @@ obj-$(CONFIG_BPF_SYSCALL) += syscall.o verifier.o inode.o helpers.o tnum.o obj-$(CONFIG_BPF_SYSCALL) += hashtab.o arraymap.o percpu_freelist.o bpf_lru_list.o lpm_trie.o map_in_map.o obj-$(CONFIG_BPF_SYSCALL) += disasm.o obj-$(CONFIG_BPF_SYSCALL) += btf.o + ifeq ($(CONFIG_NET),y) obj-$(CONFIG_BPF_SYSCALL) += devmap.o obj-$(CONFIG_BPF_SYSCALL) += cpumap.o diff --git a/net/Makefile b/net/Makefile index 13ec0d5..f3fb03a 100644 --- a/net/Makefile +++ b/net/Makefile 
@@ -11,6 +11,11 @@ obj-$(CONFIG_NET) := socket.o core/ tmp-$(CONFIG_COMPAT) := compat.o obj-$(CONFIG_NET) += $(tmp-y) +ifneq ($(CONFIG_NET),y) +obj-$(CONFIG_SECCOMP_FILTER) += core/filter.o +obj-$(CONFIG_SECCOMP_FILTER) += core/flow_dissector.o +endif + # LLC has to be linked before the files in net/802/ obj-$(CONFIG_LLC) += llc/ obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ bpf/
-- 2.7.4
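Review bot: the kernel/bpf/Makefile hunk (@@ -5,6) adds only a blank line before `ifeq ($(CONFIG_NET),y)`; that is an unrelated whitespace change and should be dropped from the series (or folded into a commit that touches that Makefile for a reason), since it adds churn and a conflict point for no effect.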
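Review bot: the net/Makefile hunk (@@ -11,6) lists `core/filter.o` and `core/flow_dissector.o` directly from the parent directory when NET is off, so the same two objects are now owned by two Makefiles (net/core/Makefile when `core/` is descended for NET=y, net/Makefile for NET=n) and skip whatever flags net/core/Makefile sets. A cleaner shape is to always descend, `obj-y += core/`, and let net/core/Makefile choose between `obj-$(CONFIG_NET)` and `obj-$(CONFIG_SECCOMP_FILTER)` for the two files; that keeps one owner per object and avoids `ifneq ($(CONFIG_NET),y)` logic in the top-level net Makefile.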
* [less-CONFIG_NET v2 4/8] seccomp: include nlattr
From: Norbert Manthey @ 2018-06-28 12:45 UTC
To: Norbert Manthey, linux-kernel
Cc: Andrew Morton, Palmer Dabbelt, Geert Uytterhoeven, Kees Cook, Luis R. Rodriguez, Yury Norov, Nick Terrell, Matt Redfearn, Sebastian Andrzej Siewior

When we want to use CONFIG_SECCOMP_FILTER without CONFIG_NET, we have to ensure that the required files that would be pulled in via CONFIG_NET are compiled when dropping CONFIG_NET. Here, we could also select CONFIG_NLATTR instead of pulling the file in explicitly. One could go even one step further and cut the only required function off, namely nla_find.

This is part of the effort to split CONFIG_SECCOMP_FILTER and CONFIG_NET.

Signed-off-by: Norbert Manthey <nmanthey@amazon.de>
---
lib/Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/Makefile b/lib/Makefile index 90dc552..8cd4909 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -157,7 +157,9 @@ obj-$(CONFIG_HAVE_ARCH_TRACEHOOK) += syscall.o obj-$(CONFIG_DYNAMIC_DEBUG) += dynamic_debug.o -obj-$(CONFIG_NLATTR) += nlattr.o +ifneq ($(filter y,$(CONFIG_NLATTR) $(CONFIG_SECCOMP_FILTER)),) +obj-y += nlattr.o +endif obj-$(CONFIG_LRU_CACHE) += lru_cache.o
-- 2.7.4
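Review bot: the `ifneq ($(filter y,$(CONFIG_NLATTR) $(CONFIG_SECCOMP_FILTER)),)` guard hides a Kconfig dependency inside lib/Makefile, where neither the Kconfig tools nor a grep for NLATTR users will find it; the commit message already names the cleaner alternative, so take it: keep `obj-$(CONFIG_NLATTR) += nlattr.o` unchanged and add `select NLATTR` to SECCOMP_FILTER next to the `select BPF` from the seccomp Kconfig patch. If the Makefile form is kept on purpose, the message should say why the Kconfig route was rejected.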
* [less-CONFIG_NET v2 5/8] seccomp: cut off functions not required 2018-06-28 12:45 ` less-CONFIG_NET v2 Norbert Manthey ` (3 preceding siblings ...) 2018-06-28 12:45 ` [less-CONFIG_NET v2 4/8] seccomp: include nlattr Norbert Manthey @ 2018-06-28 12:45 ` Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 6/8] bpf: avoid duplicate definitions Norbert Manthey ` (2 subsequent siblings) 7 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-28 12:45 UTC (permalink / raw) To: Norbert Manthey, linux-kernel Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller, Ido Schimmel, Paolo Abeni, Andrew Lunn, Tom Herbert, Simon Horman, Michal Kubecek, John Crispin, Sven Eckelmann, WANG Cong, David Ahern, Jon Maloy, netdev When using CONFIG_SECCOMP_FILTER, not all functions of filter.c and flow_dissector.c are required. To not pull in more dependencies, guard the functions that are not required with CONFIG_NET defines. This way, these functions are enabled in case the file is compiled because of CONFIG_NET, but they are not present when the file is compiled because of other configurations. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- net/core/filter.c | 2 ++ net/core/flow_dissector.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 61c24c9..410189c 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -1250,6 +1250,7 @@ void bpf_prog_destroy(struct bpf_prog *fp) } EXPORT_SYMBOL_GPL(bpf_prog_destroy); +#if defined(CONFIG_NET) /** * sk_filter_trim_cap - run a packet through a socket filter * @sk: sock associated with &sk_buff @@ -6823,3 +6824,4 @@ int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf, release_sock(sk); return ret; } +#endif // CONFIG_NET diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index 76d0b23..f5ba8e9 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c 
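Review bot: the closing `#endif // CONFIG_NET` in the second net/core/filter.c hunk uses a C++-style comment, which checkpatch reports as C99_COMMENTS; the kernel form is `#endif /* CONFIG_NET */`. Since the region opened by `#if defined(CONFIG_NET)` above sk_filter_trim_cap runs to the end of sk_get_filter more than 5000 lines later, the opening line also needs a one-line comment saying that everything below is socket/skb-level filter code that seccomp does not use; otherwise a reader arriving at the `#endif` cannot tell what was guarded or why.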
@@ -1219,6 +1219,7 @@ u32 skb_get_poff(const struct sk_buff *skb) return __skb_get_poff(skb, skb->data, &keys, skb_headlen(skb)); } +#if defined(CONFIG_NET) __be32 flow_get_u32_src(const struct flow_keys *flow) { switch (flow->control.addr_type) { @@ -1340,6 +1341,7 @@ __u32 __get_hash_from_flowi6(const struct flowi6 *fl6, struct flow_keys *keys) return flow_hash_from_keys(keys); } EXPORT_SYMBOL(__get_hash_from_flowi6); +#endif // CONFIG_NET static const struct flow_dissector_key flow_keys_dissector_keys[] = { { -- 2.7.4
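Review bot: the same comment-style point applies to `#endif // CONFIG_NET` after `EXPORT_SYMBOL(__get_hash_from_flowi6)` in net/core/flow_dissector.c: use `/* CONFIG_NET */`. This patch also spells the guard `#if defined(CONFIG_NET)` while 6/8 uses `#ifdef CONFIG_NET` in kernel/bpf/offload.c; one spelling across the series makes the guards easy to grep for when they are later reworked or removed.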
* [less-CONFIG_NET v2 6/8] bpf: avoid duplicate definitions 2018-06-28 12:45 ` less-CONFIG_NET v2 Norbert Manthey ` (4 preceding siblings ...) 2018-06-28 12:45 ` [less-CONFIG_NET v2 5/8] seccomp: cut off functions not required Norbert Manthey @ 2018-06-28 12:45 ` Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 7/8] seccomp: drop CONFIG_NET Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 8/8] kvm: " Norbert Manthey 7 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-28 12:45 UTC (permalink / raw) To: Norbert Manthey, linux-kernel; +Cc: Alexei Starovoitov, Daniel Borkmann, netdev With the aim of making CONFIG_SECCOMP_FILTER independent of CONFIG_NET, some bpf functions are not required to provide net functionality, as already implemented in the header include/linux/bpf.h. However, the source files are assumed to be only included if CONFIG_NET is activated. To be able to include the source files while CONFIG_NET is disabled, make sure the functions defined in the header include/linux/bpf.h are not included in the source file. To reduce the amount of #ifdef CONFIG_NET guards, the position of the functions __bpf_map_offload_destroy and bpf_map_offload_map_alloc has been swapped. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- kernel/bpf/offload.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/kernel/bpf/offload.c b/kernel/bpf/offload.c index ac747d5..7042dbe 100644 --- a/kernel/bpf/offload.c +++ b/kernel/bpf/offload.c @@ -32,6 +32,7 @@ static DECLARE_RWSEM(bpf_devs_lock); static LIST_HEAD(bpf_prog_offload_devs); static LIST_HEAD(bpf_map_offload_devs); +#ifdef CONFIG_NET static int bpf_dev_offload_check(struct net_device *netdev) { if (!netdev)
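Review bot: the first hunk puts `bpf_dev_offload_check()`, a `static` helper, under `#ifdef CONFIG_NET`, but the commit message only justifies the guard for functions that have `!CONFIG_NET` replacements in include/linux/bpf.h; a static function has no such replacement. If it is guarded because its callers are compiled out and it would otherwise trigger an unused-function warning, say so in the message; if it still has an unguarded caller (`__bpf_offload_ndo()` stays outside the guard), it must not be guarded at all.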
@@ -84,6 +85,7 @@ int bpf_prog_offload_init(struct bpf_prog *prog, union bpf_attr *attr) kfree(offload); return err; } +#endif // CONFIG_NET static int __bpf_offload_ndo(struct bpf_prog *prog, enum bpf_netdev_command cmd, struct netdev_bpf *data) @@ -291,6 +293,16 @@ static int bpf_map_offload_ndo(struct bpf_offloaded_map *offmap, return netdev->netdev_ops->ndo_bpf(netdev, &data); } +static void __bpf_map_offload_destroy(struct bpf_offloaded_map *offmap) +{ + WARN_ON(bpf_map_offload_ndo(offmap, BPF_OFFLOAD_MAP_FREE)); + /* Make sure BPF_MAP_GET_NEXT_ID can't find this dead map */ + bpf_map_free_id(&offmap->map, true); + list_del_init(&offmap->offloads); + offmap->netdev = NULL; +} + +#ifdef CONFIG_NET struct bpf_map *bpf_map_offload_map_alloc(union bpf_attr *attr) { struct net *net = current->nsproxy->net_ns; @@ -333,15 +345,6 @@ struct bpf_map *bpf_map_offload_map_alloc(union bpf_attr *attr) return ERR_PTR(err); } -static void __bpf_map_offload_destroy(struct bpf_offloaded_map *offmap) -{ - WARN_ON(bpf_map_offload_ndo(offmap, BPF_OFFLOAD_MAP_FREE)); - /* Make sure BPF_MAP_GET_NEXT_ID can't find this dead map */ - bpf_map_free_id(&offmap->map, true); - list_del_init(&offmap->offloads); - offmap->netdev = NULL; -} - void bpf_map_offload_map_free(struct bpf_map *map) { struct bpf_offloaded_map *offmap = map_to_offmap(map); @@ -355,6 +358,7 @@ void bpf_map_offload_map_free(struct bpf_map *map) kfree(offmap); } +#endif // CONFIG_NET int bpf_map_offload_lookup_elem(struct bpf_map *map, void *key, void *value) { -- 2.7.4
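Review bot: the second and third hunks move `__bpf_map_offload_destroy()` above `bpf_map_offload_map_alloc()` purely so that one `#ifdef CONFIG_NET` pair can cover the latter together with `bpf_map_offload_map_free()`; that is a code move inside a patch whose subject is about guards, and, as Willem raised for 1/7, moves make `git blame` and stable backports harder. Either a second small `#ifdef`/`#endif` pair around the two functions in their original place, or the move as its own preparatory patch, keeps the functional change reviewable on its own. The `#endif // CONFIG_NET` lines in the first and last hunk should also use `/* CONFIG_NET */` (checkpatch C99_COMMENTS).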
* [less-CONFIG_NET v2 7/8] seccomp: drop CONFIG_NET 2018-06-28 12:45 ` less-CONFIG_NET v2 Norbert Manthey ` (5 preceding siblings ...) 2018-06-28 12:45 ` [less-CONFIG_NET v2 6/8] bpf: avoid duplicate definitions Norbert Manthey @ 2018-06-28 12:45 ` Norbert Manthey 2018-06-28 19:02 ` Kees Cook 2018-06-28 12:45 ` [less-CONFIG_NET v2 8/8] kvm: " Norbert Manthey 7 siblings, 1 reply; 24+ messages in thread From: Norbert Manthey @ 2018-06-28 12:45 UTC (permalink / raw) To: Norbert Manthey, linux-kernel Cc: Kees Cook, Masahiro Yamada, Andrew Morton, Nicholas Piggin, Arnd Bergmann, Josef Bacik, Masami Hiramatsu, Deepa Dinamani With the goal of dropping CONFIG_NET, we have to drop the dependency in the configuration management. Since SECCOMP_FILTER also requires BPF functionality, which is usually activated by CONFIG_NET, imply BPF from SECCOMP_FILTER directly. In case both CONFIG_NET and CONFIG_SECCOMP_FILTER are activated, BPF will be activated as well, so this additional dependency does not destroy original builds. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- arch/Kconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/Kconfig b/arch/Kconfig index 1aa5906..8cfb634 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -397,7 +397,8 @@ config HAVE_ARCH_SECCOMP_FILTER config SECCOMP_FILTER def_bool y - depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET + depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP + select BPF help Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement -- 2.7.4
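Review bot: the commit message says "imply BPF" but the hunk adds `select BPF`; Kconfig has a separate `imply` keyword with weaker semantics, so the message should say select. Because `select` turns the target on regardless of the target's own dependencies and of the user's choice, the message should also state plainly that every HAVE_ARCH_SECCOMP_FILTER && SECCOMP configuration now builds the kernel/bpf core unconditionally. The NLATTR dependency that 4/8 hides in lib/Makefile belongs next to this line as a second `select`, which would let 4/8 be dropped.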
* Re: [less-CONFIG_NET v2 7/8] seccomp: drop CONFIG_NET 2018-06-28 12:45 ` [less-CONFIG_NET v2 7/8] seccomp: drop CONFIG_NET Norbert Manthey @ 2018-06-28 19:02 ` Kees Cook 0 siblings, 0 replies; 24+ messages in thread From: Kees Cook @ 2018-06-28 19:02 UTC (permalink / raw) To: Norbert Manthey Cc: LKML, Masahiro Yamada, Andrew Morton, Nicholas Piggin, Arnd Bergmann, Josef Bacik, Masami Hiramatsu, Deepa Dinamani On Thu, Jun 28, 2018 at 5:45 AM, Norbert Manthey <nmanthey@amazon.de> wrote: > With the goal of dropping CONFIG_NET, we have to drop the dependency > in the configuration management. Since SECCOMP_FILTER also requires > BPF functionality, which is usually activated by CONFIG_NET, imply > BPF from SECCOMP_FILTER directly. Nit: "select" not "imply" > In case both CONFIG_NET and CONFIG_SECCOMP_FILTER are activated, BPF > will be activated as well, so this additional dependency does not > destroy original builds. > > Signed-off-by: Norbert Manthey <nmanthey@amazon.de> Otherwise, sure. As long as this still compiles and runs, it looks fine to me! :) -Kees > --- > arch/Kconfig | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/arch/Kconfig b/arch/Kconfig > index 1aa5906..8cfb634 100644 > --- a/arch/Kconfig > +++ b/arch/Kconfig > @@ -397,7 +397,8 @@ config HAVE_ARCH_SECCOMP_FILTER > > config SECCOMP_FILTER > def_bool y > - depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP && NET > + depends on HAVE_ARCH_SECCOMP_FILTER && SECCOMP > + select BPF > help > Enable tasks to build secure computing environments defined > in terms of Berkeley Packet Filter programs which implement > -- > 2.7.4 > > Amazon Development Center Germany GmbH > Berlin - Dresden - Aachen > main office: Krausenstr. 38, 10117 Berlin > Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger > Ust-ID: DE289237879 > Eingetragen am Amtsgericht Charlottenburg HRB 149173 B > -- Kees Cook Pixel Security
* [less-CONFIG_NET v2 8/8] kvm: drop CONFIG_NET 2018-06-28 12:45 ` less-CONFIG_NET v2 Norbert Manthey ` (6 preceding siblings ...) 2018-06-28 12:45 ` [less-CONFIG_NET v2 7/8] seccomp: drop CONFIG_NET Norbert Manthey @ 2018-06-28 12:45 ` Norbert Manthey 2018-06-28 12:47 ` Paolo Bonzini 7 siblings, 1 reply; 24+ messages in thread From: Norbert Manthey @ 2018-06-28 12:45 UTC (permalink / raw) To: Norbert Manthey, linux-kernel Cc: Paolo Bonzini, Radim Krčmář, Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm In some scenarios, we do not want to use CONFIG_NET even though we want to use CONFIG_KVM. To get this working, and to not pull in more dependencies, we need to disable CONFIG_TASKSTATS as well. Signed-off-by: Norbert Manthey <nmanthey@amazon.de> --- arch/x86/kvm/Kconfig | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig index 92fd433..f209817 100644 --- a/arch/x86/kvm/Kconfig +++ b/arch/x86/kvm/Kconfig @@ -22,8 +22,8 @@ config KVM tristate "Kernel-based Virtual Machine (KVM) support" depends on HAVE_KVM depends on HIGH_RES_TIMERS - # for TASKSTATS/TASK_DELAY_ACCT: - depends on NET && MULTIUSER + # TASK_DELAY_ACCT: + depends on MULTIUSER depends on X86_LOCAL_APIC select PREEMPT_NOTIFIERS select MMU_NOTIFIER @@ -37,7 +37,6 @@ config KVM select KVM_ASYNC_PF select USER_RETURN_NOTIFIER select KVM_MMIO - select TASKSTATS select TASK_DELAY_ACCT select PERF_EVENTS select HAVE_KVM_MSI -- 2.7.4
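Review bot: dropping `select TASKSTATS` in the second hunk while keeping `select TASK_DELAY_ACCT` does not match the comment the first hunk removes. `# for TASKSTATS/TASK_DELAY_ACCT: depends on NET && MULTIUSER` records that TASK_DELAY_ACCT sits under TASKSTATS, which is exactly why KVM had to depend on NET: `select` does not pull in the selected symbol's own dependencies, so KVM had to satisfy them itself. Unless TASK_DELAY_ACCT has been decoupled from TASKSTATS in init/Kconfig, a KVM=y, NET=n configuration will produce a Kconfig "unmet direct dependencies" warning for TASK_DELAY_ACCT; either untangle that dependency in init/Kconfig within this series, or keep the comment and explain why MULTIUSER is still required. The commit message should also say which KVM feature the delay accounting is for, since the reader of this hunk can no longer see that.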
* Re: [less-CONFIG_NET v2 8/8] kvm: drop CONFIG_NET 2018-06-28 12:45 ` [less-CONFIG_NET v2 8/8] kvm: " Norbert Manthey @ 2018-06-28 12:47 ` Paolo Bonzini 0 siblings, 0 replies; 24+ messages in thread From: Paolo Bonzini @ 2018-06-28 12:47 UTC (permalink / raw) To: Norbert Manthey, linux-kernel Cc: Radim Krčmář, Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm On 28/06/2018 14:45, Norbert Manthey wrote: > In some scenarios, we do not want to use CONFIG_NET even though we want > to use CONFIG_KVM. To get this working, and to not pull in more > dependencies, we need to disable CONFIG_TASKSTATS as well. > > Signed-off-by: Norbert Manthey <nmanthey@amazon.de> > --- > arch/x86/kvm/Kconfig | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/kvm/Kconfig b/arch/x86/kvm/Kconfig > index 92fd433..f209817 100644 > --- a/arch/x86/kvm/Kconfig > +++ b/arch/x86/kvm/Kconfig > @@ -22,8 +22,8 @@ config KVM > tristate "Kernel-based Virtual Machine (KVM) support" > depends on HAVE_KVM > depends on HIGH_RES_TIMERS > - # for TASKSTATS/TASK_DELAY_ACCT: > - depends on NET && MULTIUSER > + # TASK_DELAY_ACCT: > + depends on MULTIUSER > depends on X86_LOCAL_APIC > select PREEMPT_NOTIFIERS > select MMU_NOTIFIER > @@ -37,7 +37,6 @@ config KVM > select KVM_ASYNC_PF > select USER_RETURN_NOTIFIER > select KVM_MMIO > - select TASKSTATS > select TASK_DELAY_ACCT > select PERF_EVENTS > select HAVE_KVM_MSI > Acked-by: Paolo Bonzini <pbonzini@redhat.com> Thanks, Paolo
* Re: [less-CONFIG_NET 1/7] net: reorder filter code 2018-06-06 13:53 ` [less-CONFIG_NET 1/7] net: reorder filter code Norbert Manthey ` (5 preceding siblings ...) 2018-06-06 13:53 ` [less-CONFIG_NET 7/7] kvm: " Norbert Manthey @ 2018-06-06 16:33 ` Willem de Bruijn 2018-06-06 18:19 ` Norbert Manthey 6 siblings, 1 reply; 24+ messages in thread From: Willem de Bruijn @ 2018-06-06 16:33 UTC (permalink / raw) To: Norbert Manthey Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller, Network Development, LKML On Wed, Jun 6, 2018 at 9:53 AM, Norbert Manthey <nmanthey@amazon.de> wrote: > This commit reorders the definition of functions and struct in the > file filter.c, such that in the next step we can easily cut the file > into a commonly used part, as well as a part that is only required in > case CONFIG_NET is actually set. > > This is part of the effort to split CONFIG_SECCOMP_FILTER and > CONFIG_NET. > > Signed-off-by: Norbert Manthey <nmanthey@amazon.de> Reordering patches like this and the flow-dissector patch in this series make cherry-picking fixes back to stable branches and following code history with git blame harder.
* Re: [less-CONFIG_NET 1/7] net: reorder filter code 2018-06-06 16:33 ` [less-CONFIG_NET 1/7] net: reorder filter code Willem de Bruijn @ 2018-06-06 18:19 ` Norbert Manthey 0 siblings, 0 replies; 24+ messages in thread From: Norbert Manthey @ 2018-06-06 18:19 UTC (permalink / raw) To: Willem de Bruijn Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller, Network Development, LKML On 06/06/2018 06:33 PM, Willem de Bruijn wrote: > On Wed, Jun 6, 2018 at 9:53 AM, Norbert Manthey <nmanthey@amazon.de> wrote: >> This commit reorders the definition of functions and struct in the >> file filter.c, such that in the next step we can easily cut the file >> into a commonly used part, as well as a part that is only required in >> case CONFIG_NET is actually set. >> >> This is part of the effort to split CONFIG_SECCOMP_FILTER and >> CONFIG_NET. >> >> Signed-off-by: Norbert Manthey <nmanthey@amazon.de> > Reordering patches like this and the flow-dissector patch in this > series make cherry-picking fixes back to stable branches and > and following code history with git blame harder. > Dear Willem, I agree that this change makes cherry picking harder. When keeping the order of the code, the following commits have to introduce many pairs "#ifdef CONFIG_NET - #endif" and "#if defined(CONFIG_NET) || defined(CONFIG_SECCOMP_FILTER) #endif" This is how I developed the commits, but then refactored for improved readability. From my experience, cherry picking changes from this variant is equally difficult. A third alternative, splitting the files into separate files, would force me to make current static definitions visible. I am happy to go another route, if people insist that this is the better way forward. Best, Norbert
Thread overview: 24+ messages -- 2018-06-06 13:52 Make CONFIG_NET and CONFIG_SECCOMP_FILTER independent of CONFIG_NET Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 1/7] net: reorder filter code Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 2/7] net: reorder flow_dissector Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 3/7] seccomp: include net and bpf files Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 4/7] seccomp: include nlattr Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 5/7] seccomp: cut off functions not required Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 6/7] seccomp: drop CONFIG_NET Norbert Manthey 2018-06-06 13:53 ` [less-CONFIG_NET 7/7] kvm: " Norbert Manthey 2018-06-07 11:20 ` Paolo Bonzini 2018-06-07 11:46 ` Norbert Manthey 2018-06-07 15:48 ` Norbert Manthey 2018-06-28 12:45 ` less-CONFIG_NET v2 Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 1/8] net: reorder filter code Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 2/8] net: reorder flow_dissector Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 3/8] seccomp: include net Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 4/8] seccomp: include nlattr Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 5/8] seccomp: cut off functions not required Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 6/8] bpf: avoid duplicate definitions Norbert Manthey 2018-06-28 12:45 ` [less-CONFIG_NET v2 7/8] seccomp: drop CONFIG_NET Norbert Manthey 2018-06-28 19:02 ` Kees Cook 2018-06-28 12:45 ` [less-CONFIG_NET v2 8/8] kvm: " Norbert Manthey 2018-06-28 12:47 ` Paolo Bonzini 2018-06-06 16:33 ` [less-CONFIG_NET 1/7] net: reorder filter code Willem de Bruijn 2018-06-06 18:19 ` Norbert Manthey