libbpf: add support for privileged/unprivileged control separation #367
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Master branch: ea87ae8 |
|
Master branch: d055126 |
kernel-patches-bot
force-pushed
the
series/377165=>bpf-next
branch
from
cc6984d to
5846a2d
Compare
|
Master branch: 4e99d11 |
kernel-patches-bot
force-pushed
the
series/377165=>bpf-next
branch
from
5846a2d to
0951cf3
Compare
|
Master branch: 450d060 |
kernel-patches-bot
force-pushed
the
series/377165=>bpf-next
branch
from
0951cf3 to
1b57302
Compare
Add support for separation of eBPF program load and xsk socket creation. This is needed for use-case when you want to privide as little privileges as possible to the data plane application that will handle xsk socket creation and incoming traffic. With this patch the data entity container can be run with only CAP_NET_RAW capability to fulfill its purpose of creating xsk socket and handling packages. In case your umem is larger or equal process limit for MEMLOCK you need either increase the limit or CAP_IPC_LOCK capability. To resolve privileges issue two APIs are introduced: - xsk_setup_xdp_prog - loads the built in XDP program. It can also return xsks_map_fd which is needed by unprivileged process to update xsks_map with AF_XDP socket "fd" - xsk_socket__update_xskmap - inserts an AF_XDP socket into an xskmap for a particular xsk_socket Signed-off-by: Mariusz Dudek <[email protected]>
Introduce a sample program to demonstrate the control and data plane split. For the control plane part a new program called xdpsock_ctrl_proc is introduced. For the data plane part, some code was added to xdpsock_user.c to act as the data plane entity. Application xdpsock_ctrl_proc works as control entity with sudo privileges (CAP_SYS_ADMIN and CAP_NET_ADMIN are sufficient) and the extended xdpsock as data plane entity with CAP_NET_RAW capability only. Usage example: sudo ./samples/bpf/xdpsock_ctrl_proc -i <interface> sudo ./samples/bpf/xdpsock -i <interface> -q <queue_id> -n <interval> -N -l -R Signed-off-by: Mariusz Dudek <[email protected]>
|
Master branch: 91b2db2 |
kernel-patches-bot
force-pushed
the
series/377165=>bpf-next
branch
from
1b57302 to
9d8fe56
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=386633 irrelevant now for [{'archived': False, 'project': 399, 'delegate': 121173}] |
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Dec 19, 2024
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Dec 20, 2024
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Dec 21, 2024
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Dec 21, 2024
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
Acked-by: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Dec 23, 2024
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
Acked-by: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Dec 23, 2024
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
Acked-by: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Dec 30, 2024
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
Acked-by: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Dec 30, 2024
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
Acked-by: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Dec 31, 2024
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
Acked-by: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Jan 3, 2025
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Nikolay Aleksandrov <[email protected]>
Acked-by: Nikolay Aleksandrov <[email protected]>
kernel-patches-daemon-bpf bot
pushed a commit
that referenced
this pull request
Jan 6, 2025
Extend the netkit selftests to specify and validate the {head,tail}room
on the netdevice:
# ./vmtest.sh -- ./test_progs -t netkit
[...]
./test_progs -t netkit
[ 1.174147] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.174585] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
[ 1.422307] tsc: Refined TSC clocksource calibration: 3407.983 MHz
[ 1.424511] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc3e5084, max_idle_ns: 440795359833 ns
[ 1.428092] clocksource: Switched to clocksource tsc
#363 tc_netkit_basic:OK
#364 tc_netkit_device:OK
#365 tc_netkit_multi_links:OK
#366 tc_netkit_multi_opts:OK
#367 tc_netkit_neigh_links:OK
#368 tc_netkit_pkt_type:OK
#369 tc_netkit_scrub:OK
Summary: 7/0 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: Nikolay Aleksandrov <[email protected]>
Link: https://lore.kernel.org/bpf/[email protected]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: libbpf: add support for privileged/unprivileged control separation
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=386633