bpf: cgroup_sock lsm flavor #332

Closed
wants to merge 9 commits into from

Conversation

kernel-patches-bot

Pull request for series with
subject: bpf: cgroup_sock lsm flavor
version: 5
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493

@kernel-patches-bot

Master branch: 44df171
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: 0d7fefe
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: 0e5aefa
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: dcf456c
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: c7655df
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: 127e7dc
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: db69264
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: e1a34e1
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: 0ed6ff5
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: 9d87e41
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: 920fd5e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: 6a12b8e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: b71a2eb
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: e8c5e1a
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: fd0493a
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: 003fed5
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: 246bdfa
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

@kernel-patches-bot

Master branch: d9d31cf
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

Kernel Patches Daemon and others added 8 commits April 25, 2022 20:34
I'll be adding lsm cgroup specific helpers that grab
trampoline mutex.

No functional changes.

Signed-off-by: Stanislav Fomichev <[email protected]>
This lets us reclaim some space to be used by new cgroup lsm slots.

Before:
struct cgroup_bpf {
	struct bpf_prog_array *    effective[23];        /*     0   184 */
	/* --- cacheline 2 boundary (128 bytes) was 56 bytes ago --- */
	struct list_head           progs[23];            /*   184   368 */
	/* --- cacheline 8 boundary (512 bytes) was 40 bytes ago --- */
	u32                        flags[23];            /*   552    92 */

	/* XXX 4 bytes hole, try to pack */

	/* --- cacheline 10 boundary (640 bytes) was 8 bytes ago --- */
	struct list_head           storages;             /*   648    16 */
	struct bpf_prog_array *    inactive;             /*   664     8 */
	struct percpu_ref          refcnt;               /*   672    16 */
	struct work_struct         release_work;         /*   688    32 */

	/* size: 720, cachelines: 12, members: 7 */
	/* sum members: 716, holes: 1, sum holes: 4 */
	/* last cacheline: 16 bytes */
};

After:
struct cgroup_bpf {
	struct bpf_prog_array *    effective[23];        /*     0   184 */
	/* --- cacheline 2 boundary (128 bytes) was 56 bytes ago --- */
	struct hlist_head          progs[23];            /*   184   184 */
	/* --- cacheline 5 boundary (320 bytes) was 48 bytes ago --- */
	u8                         flags[23];            /*   368    23 */

	/* XXX 1 byte hole, try to pack */

	/* --- cacheline 6 boundary (384 bytes) was 8 bytes ago --- */
	struct list_head           storages;             /*   392    16 */
	struct bpf_prog_array *    inactive;             /*   408     8 */
	struct percpu_ref          refcnt;               /*   416    16 */
	struct work_struct         release_work;         /*   432    72 */

	/* size: 504, cachelines: 8, members: 7 */
	/* sum members: 503, holes: 1, sum holes: 1 */
	/* last cacheline: 56 bytes */
};

Suggested-by: Jakub Sitnicki <[email protected]>
Signed-off-by: Stanislav Fomichev <[email protected]>
Allow attaching to lsm hooks in the cgroup context.

Attaching to per-cgroup LSM works exactly like attaching
to other per-cgroup hooks. New BPF_LSM_CGROUP is added
to trigger new mode; the actual lsm hook we attach to is
signaled via existing attach_btf_id.

For the hooks that have 'struct socket' as its first argument,
we use the cgroup associated with that socket. For the rest,
we use 'current' cgroup (this is all on default hierarchy == v2 only).
Note that for the hooks that work on 'struct sock' we still
take the cgroup from 'current' because most of the time,
the 'sock' argument is not properly initialized.

Behind the scenes, we allocate a shim program that is attached
to the trampoline and runs cgroup effective BPF programs array.
This shim has some rudimentary ref counting and can be shared
between several programs attaching to the same per-cgroup lsm hook.

Note that this patch bloats cgroup size because we add 211
cgroup_bpf_attach_type(s) for simplicity's sake. This will be
addressed in the subsequent patch.

Also note that we only add non-sleepable flavor for now. To enable
sleepable use-cases, BPF_PROG_RUN_ARRAY_CG has to grab trace rcu,
shim programs have to be freed via trace rcu, cgroup_bpf.effective
should be also trace-rcu-managed + maybe some other changes that
I'm not aware of.

Signed-off-by: Stanislav Fomichev <[email protected]>
Previous patch adds 1:1 mapping between all 211 LSM hooks
and bpf_cgroup program array. Instead of reserving a slot per
possible hook, reserve 10 slots per cgroup for lsm programs.
Those slots are dynamically allocated on demand and reclaimed.

It should be possible to eventually extend this idea to all hooks if
the memory consumption is unacceptable and shrink overall effective
programs array.

struct cgroup_bpf {
	struct bpf_prog_array *    effective[33];        /*     0   264 */
	/* --- cacheline 4 boundary (256 bytes) was 8 bytes ago --- */
	struct hlist_head          progs[33];            /*   264   264 */
	/* --- cacheline 8 boundary (512 bytes) was 16 bytes ago --- */
	u8                         flags[33];            /*   528    33 */

	/* XXX 7 bytes hole, try to pack */

	struct list_head           storages;             /*   568    16 */
	/* --- cacheline 9 boundary (576 bytes) was 8 bytes ago --- */
	struct bpf_prog_array *    inactive;             /*   584     8 */
	struct percpu_ref          refcnt;               /*   592    16 */
	struct work_struct         release_work;         /*   608    72 */

	/* size: 680, cachelines: 11, members: 7 */
	/* sum members: 673, holes: 1, sum holes: 7 */
	/* last cacheline: 40 bytes */
};

Signed-off-by: Stanislav Fomichev <[email protected]>
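The two commit messages above describe a shim that is shared by every program attaching to the same per-cgroup LSM hook, and a pool of ten slots per cgroup that are handed out on demand and reclaimed on detach. The block below is an added user-space model of that bookkeeping; it is not code from this series or from the kernel. CGROUP_LSM_NUM, lsm_slot_get(), lsm_slot_put(), the hook ids and the -E2BIG return value are assumptions chosen for the model.

```c
/*
 * Added example, not code from the patch series or the kernel: a user-space
 * model of per-cgroup LSM slot allocation with a shared, refcounted shim.
 * CGROUP_LSM_NUM, lsm_slot_get(), lsm_slot_put() and the -E2BIG return are
 * assumptions for this model, not the kernel's API.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CGROUP_LSM_NUM 10	/* ten dynamically allocated slots per cgroup (assumption) */

struct lsm_slot {
	unsigned int btf_id;	/* attach_btf_id of the LSM hook owning this slot */
	unsigned int refcnt;	/* programs attached through this slot; 0 = slot is free */
};

struct cgroup_lsm_slots {
	struct lsm_slot slot[CGROUP_LSM_NUM];
};

/* Find the slot already serving btf_id, or -1 if this hook has none. */
static int lsm_slot_find(const struct cgroup_lsm_slots *cg, unsigned int btf_id)
{
	for (int i = 0; i < CGROUP_LSM_NUM; i++)
		if (cg->slot[i].refcnt && cg->slot[i].btf_id == btf_id)
			return i;
	return -1;
}

/*
 * Attach path: a hook that already has a slot (and hence a shim) is reused
 * with one more reference; otherwise the first free slot is claimed.
 * Returns the slot index, or -E2BIG when all slots belong to other hooks.
 */
static int lsm_slot_get(struct cgroup_lsm_slots *cg, unsigned int btf_id)
{
	int i = lsm_slot_find(cg, btf_id);

	if (i >= 0) {
		cg->slot[i].refcnt++;
		return i;
	}
	for (i = 0; i < CGROUP_LSM_NUM; i++) {
		if (cg->slot[i].refcnt == 0) {
			cg->slot[i].btf_id = btf_id;
			cg->slot[i].refcnt = 1;
			return i;
		}
	}
	return -E2BIG;
}

/*
 * Detach path: drop one reference; the slot is reclaimed when the last
 * program leaves. Returns the remaining references, or -ENOENT if the hook
 * has no slot in this cgroup.
 */
static int lsm_slot_put(struct cgroup_lsm_slots *cg, unsigned int btf_id)
{
	int i = lsm_slot_find(cg, btf_id);

	if (i < 0)
		return -ENOENT;
	if (--cg->slot[i].refcnt == 0)
		cg->slot[i].btf_id = 0;	/* slot is free again */
	return (int)cg->slot[i].refcnt;
}

/* Number of slots currently holding at least one program. */
static int lsm_slots_in_use(const struct cgroup_lsm_slots *cg)
{
	int n = 0;

	for (int i = 0; i < CGROUP_LSM_NUM; i++)
		if (cg->slot[i].refcnt)
			n++;
	return n;
}

/*
 * Scenario: two programs on one hook share a slot, nine more hooks fill the
 * pool, an eleventh distinct hook is refused, and detaching both programs
 * from the first hook frees its slot for the refused hook. Returns 0 on
 * success, otherwise the number of the failed step.
 */
static int demo(void)
{
	struct cgroup_lsm_slots cg;

	memset(&cg, 0, sizeof(cg));
	/* constructed hook ids; real attach_btf_ids come from vmlinux BTF */
	if (lsm_slot_get(&cg, 1001) != lsm_slot_get(&cg, 1001))
		return 1;			/* same hook must reuse the slot */
	for (unsigned int id = 2000; id < 2009; id++)
		if (lsm_slot_get(&cg, id) < 0)
			return 2;		/* nine more hooks fit */
	if (lsm_slot_get(&cg, 3000) != -E2BIG)
		return 3;			/* eleventh distinct hook is refused */
	if (lsm_slot_put(&cg, 1001) != 1)
		return 4;			/* one program still attached */
	if (lsm_slot_put(&cg, 1001) != 0)
		return 5;			/* slot reclaimed */
	if (lsm_slot_get(&cg, 3000) < 0)
		return 6;			/* reclaimed slot serves the new hook */
	return 0;
}

int main(void)
{
	int rc = demo();

	printf("lsm slot model: %s\n", rc == 0 ? "ok" : "failed");
	return rc;
}
```

The point the model makes explicit is the capacity trade-off the second commit message mentions: a cgroup can carry programs on at most CGROUP_LSM_NUM distinct LSM hooks at once, however many programs share each hook, so an attach that would need an eleventh hook fails until a slot is released.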
For now, allow only the obvious ones, like sk_priority and sk_mark.

Signed-off-by: Stanislav Fomichev <[email protected]>
lsm_cgroup/ is the prefix for BPF_LSM_CGROUP.

Signed-off-by: Stanislav Fomichev <[email protected]>
Functional test that exercises the following:

1. apply default sk_priority policy
2. permit TX-only AF_PACKET socket
3. cgroup attach/detach/replace
4. reusing trampoline shim

Signed-off-by: Stanislav Fomichev <[email protected]>
@kernel-patches-bot

Master branch: 367590b
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=633493
version: 5

sk_priority & sk_mark are writable, the rest is readonly.

Add new ldx_offset fixups to lookup the offset of struct field.
Allow using test.kfunc regardless of prog_type.

One interesting thing here is that the verifier doesn't
really force me to add NULL checks anywhere :-/

Signed-off-by: Stanislav Fomichev <[email protected]>
@kernel-patches-bot

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=633493 expired. Closing PR.

@kernel-patches-bot kernel-patches-bot deleted the series/614736=>bpf-next branch April 28, 2022 21:52
kernel-patches-daemon-bpf-rc bot pushed a commit that referenced this pull request Jul 8, 2024
Add a test case which replaces an active ingress qdisc while keeping the
miniq intact during the transition period to the new clsact qdisc.

  # ./vmtest.sh -- ./test_progs -t tc_link
  [...]
  ./test_progs -t tc_link
  [    3.412871] bpf_testmod: loading out-of-tree module taints kernel.
  [    3.413343] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  #332     tc_links_after:OK
  #333     tc_links_append:OK
  #334     tc_links_basic:OK
  #335     tc_links_before:OK
  #336     tc_links_chain_classic:OK
  #337     tc_links_chain_mixed:OK
  #338     tc_links_dev_chain0:OK
  #339     tc_links_dev_cleanup:OK
  #340     tc_links_dev_mixed:OK
  #341     tc_links_ingress:OK
  #342     tc_links_invalid:OK
  #343     tc_links_prepend:OK
  #344     tc_links_replace:OK
  #345     tc_links_revision:OK
  Summary: 14/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Martin KaFai Lau <[email protected]>
kernel-patches-daemon-bpf-rc bot pushed a commit that referenced this pull request Jul 8, 2024
Add a test case which replaces an active ingress qdisc while keeping the
miniq intact during the transition period to the new clsact qdisc.

  # ./vmtest.sh -- ./test_progs -t tc_link
  [...]
  ./test_progs -t tc_link
  [    3.412871] bpf_testmod: loading out-of-tree module taints kernel.
  [    3.413343] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  #332     tc_links_after:OK
  #333     tc_links_append:OK
  #334     tc_links_basic:OK
  #335     tc_links_before:OK
  #336     tc_links_chain_classic:OK
  #337     tc_links_chain_mixed:OK
  #338     tc_links_dev_chain0:OK
  #339     tc_links_dev_cleanup:OK
  #340     tc_links_dev_mixed:OK
  #341     tc_links_ingress:OK
  #342     tc_links_invalid:OK
  #343     tc_links_prepend:OK
  #344     tc_links_replace:OK
  #345     tc_links_revision:OK
  Summary: 14/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Martin KaFai Lau <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Martin KaFai Lau <[email protected]>