linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Yonghong Song <yhs@fb.com>
To: Udip Pant <udippant@fb.com>, Alexei Starovoitov <ast@kernel.org>,
	Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
	Andrii Nakryiko <andriin@fb.com>,
	"David S . Miller" <davem@davemloft.net>
Cc: <netdev@vger.kernel.org>, <bpf@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>
Subject: Re: [PATCH bpf-next v3 0/4] bpf: verifier: use target program's type for access verifications
Date: Tue, 25 Aug 2020 17:10:23 -0700	[thread overview]
Message-ID: <e88056b2-8c88-b4d3-7a23-3da4f0499ad4@fb.com> (raw)
In-Reply-To: <20200825232003.2877030-1-udippant@fb.com>



On 8/25/20 4:19 PM, Udip Pant wrote:
> This patch series adds changes in verifier to make decisions such as granting
> of read / write access or enforcement of return code status based on
> the program type of the target program while using dynamic program
> extension (of type BPF_PROG_TYPE_EXT).
> 
> The BPF_PROG_TYPE_EXT type can be used to extend types such as XDP, SKB
> and others. Since the BPF_PROG_TYPE_EXT program type on itself is just a
> placeholder for those, we need this extended check for those extended
> programs to actually work with proper access, while using this option.
> 
> Patch #1 includes changes in the verifier.
> Patch #2 adds selftests to verify write access on a packet for a valid
> extension program type
> Patch #3 adds selftests to verify proper check for the return code
> Patch #4 adds selftests to ensure access permissions and restrictions
> for some map types such sockmap.
> 
> Changelogs:
>    v2 -> v3:
>      * more comprehensive resolution of the program type in the verifier
>        based on the target program (and not just for the packet access)
>      * selftests for checking return code and map access
>      * Also moved this patch to 'bpf-next' from 'bpf' tree
>    v1 -> v2:
>      * extraction of the logic to resolve prog type into a separate method
>      * selftests to check for packet access for a valid freplace prog
> 
> Udip Pant (4):
>    bpf: verifier: use target program's type for access verifications
>    selftests/bpf: add test for freplace program with write access
>    selftests/bpf: test for checking return code for the extended prog
>    selftests/bpf: test for map update access from within EXT programs
> 
>   kernel/bpf/verifier.c                         | 32 ++++++---
>   .../selftests/bpf/prog_tests/fexit_bpf2bpf.c  | 68 +++++++++++++++++++
>   .../selftests/bpf/progs/fexit_bpf2bpf.c       | 27 ++++++++
>   .../bpf/progs/freplace_attach_probe.c         | 40 +++++++++++
>   .../bpf/progs/freplace_cls_redirect.c         | 34 ++++++++++
>   .../bpf/progs/freplace_connect_v4_prog.c      | 19 ++++++
>   .../selftests/bpf/progs/test_pkt_access.c     | 20 ++++++
>   7 files changed, 229 insertions(+), 11 deletions(-)
>   create mode 100644 tools/testing/selftests/bpf/progs/freplace_attach_probe.c
>   create mode 100644 tools/testing/selftests/bpf/progs/freplace_cls_redirect.c
>   create mode 100644 tools/testing/selftests/bpf/progs/freplace_connect_v4_prog.c

Thanks. LGTM. Ack for the whole series.
Acked-by: Yonghong Song <yhs@fb.com>

  parent reply	other threads:[~2020-08-26  0:10 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-25 23:19 [PATCH bpf-next v3 0/4] bpf: verifier: use target program's type for access verifications Udip Pant
2020-08-25 23:20 ` [PATCH bpf-next v3 1/4] " Udip Pant
2020-08-25 23:20 ` [PATCH bpf-next v3 2/4] selftests/bpf: add test for freplace program with write access Udip Pant
2020-08-27  6:04   ` Andrii Nakryiko
2020-08-27 19:41     ` Udip Pant
2020-08-25 23:20 ` [PATCH bpf-next v3 3/4] selftests/bpf: test for checking return code for the extended prog Udip Pant
2020-08-25 23:20 ` [PATCH bpf-next v3 4/4] selftests/bpf: test for map update access from within EXT programs Udip Pant
2020-08-26  0:10 ` Yonghong Song [this message]
2020-08-26  9:26 ` [PATCH bpf-next v3 0/4] bpf: verifier: use target program's type for access verifications Toke Høiland-Jørgensen
2020-08-26 19:52 ` Alexei Starovoitov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e88056b2-8c88-b4d3-7a23-3da4f0499ad4@fb.com \
    --to=yhs@fb.com \
    --cc=andriin@fb.com \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=davem@davemloft.net \
    --cc=kafai@fb.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=songliubraving@fb.com \
    --cc=udippant@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).