lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 23 Nov 2015 14:43:12 +0100
From:	Daniel Borkmann <daniel@...earbox.net>
To:	Florian Westphal <fw@...len.de>, Tejun Heo <tj@...nel.org>
CC:	davem@...emloft.net, pablo@...filter.org, kaber@...sh.net,
	kadlec@...ckhole.kfki.hu, daniel.wagner@...-carit.de,
	nhorman@...driver.co, lizefan@...wei.com, hannes@...xchg.org,
	netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
	cgroups@...r.kernel.org, linux-kernel@...r.kernel.org,
	kernel-team@...com, ninasc@...com,
	Neil Horman <nhorman@...driver.com>,
	Jan Engelhardt <jengelh@...i.de>
Subject: Re: [PATCH 9/9] netfilter: implement xt_cgroup cgroup2 path match

On 11/21/2015 07:54 PM, Florian Westphal wrote:
> Tejun Heo <tj@...nel.org> wrote:
>> On Sat, Nov 21, 2015 at 05:56:06PM +0100, Florian Westphal wrote:
>>>> +struct xt_cgroup_info_v1 {
>>>> +	__u8		has_path;
>>>> +	__u8		has_classid;
>>>> +	__u8		invert_path;
>>>> +	__u8		invert_classid;
>>>> +	char		path[PATH_MAX];
>>>> +	__u32		classid;
>>>> +
>>>> +	/* kernel internal data */
>>>> +	void		*priv __attribute__((aligned(8)));
>>>> +};
>>>
>>> Ahem.  Am I reading this right? This struct is > 4k in size?
>>> If so -- Ugh.  Does sizeof(path) really have to be PATH_MAX?
>>
>> Hmmm... yeap but would this be an acutual problem?
>
> Since rule blob can be allocated via vmalloc i guess "no", its not
> really a problem unless someone needs realy insane amount of such rules.
>
> I don't have any better suggestion, so I guess its necessary evil.
>
> The only other question I have is wheter PATH_MAX might be a possible
> ABI breaker in future.  It would have to be guaranteed that this is the
> same size forever, else you'd get strange errors on rule insertion if
> the sizes of the kernel and userspace version differs.

Haven't looked deeply into kernfs, but if it's possible to get the object
from the struct file eventually, you could let iptables frontend open that
path and just pass the fd down. Would be sizeof(int) vs PATH_MAX then, i.e.
when you have a large number of rules to load.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ