lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 21 Aug 2016 13:14:22 -0700 From: Sargun Dhillon <sargun@...gun.me> To: Daniel Mack <daniel@...que.org> Cc: htejun@...com, daniel@...earbox.net, ast@...com, davem@...emloft.net, kafai@...com, fw@...len.de, pablo@...filter.org, harald@...hat.com, netdev@...r.kernel.org Subject: Re: [RFC PATCH 4/5] net: filter: run cgroup eBPF programs On Wed, Aug 17, 2016 at 04:00:47PM +0200, Daniel Mack wrote: > If CONFIG_CGROUP_BPF is enabled, and the cgroup associated with the > receiving socket has an eBPF programs installed, run them from > sk_filter_trim_cap(). > > eBPF programs used in this context are expected to either return 1 to > let the packet pass, or != 1 to drop them. The programs have access to > the full skb, including the MAC headers. > > This patch only implements the call site for ingress packets. > > Signed-off-by: Daniel Mack <daniel@...que.org> > --- > net/core/filter.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 44 insertions(+) > > diff --git a/net/core/filter.c b/net/core/filter.c > index c5d8332..a1dd94b 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -52,6 +52,44 @@ > #include <net/dst.h> > #include <net/sock_reuseport.h> > > +#ifdef CONFIG_CGROUP_BPF > +static int sk_filter_cgroup_bpf(struct sock *sk, struct sk_buff *skb, > + enum bpf_attach_type type) > +{ > + struct sock_cgroup_data *skcd = &sk->sk_cgrp_data; > + struct cgroup *cgrp = sock_cgroup_ptr(skcd); > + struct bpf_prog *prog; > + int ret = 0; > + > + rcu_read_lock(); > + > + switch (type) { > + case BPF_ATTACH_TYPE_CGROUP_EGRESS: > + prog = rcu_dereference(cgrp->bpf_egress); > + break; > + case BPF_ATTACH_TYPE_CGROUP_INGRESS: > + prog = rcu_dereference(cgrp->bpf_ingress); > + break; > + default: > + WARN_ON_ONCE(1); > + ret = -EINVAL; > + break; > + } > + > + if (prog) { > + unsigned int offset = skb->data - skb_mac_header(skb); > + > + __skb_push(skb, offset); > + ret = bpf_prog_run_clear_cb(prog, skb) > 0 ? 0 : -EPERM; > + __skb_pull(skb, offset); > + } > + > + rcu_read_unlock(); > + > + return ret; > +} > +#endif /* !CONFIG_CGROUP_BPF */ > + > /** > * sk_filter_trim_cap - run a packet through a socket filter > * @sk: sock associated with &sk_buff > @@ -78,6 +116,12 @@ int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap) > if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC)) > return -ENOMEM; > > +#ifdef CONFIG_CGROUP_BPF > + err = sk_filter_cgroup_bpf(sk, skb, BPF_ATTACH_TYPE_CGROUP_INGRESS); > + if (err) > + return err; > +#endif > + > err = security_sock_rcv_skb(sk, skb); > if (err) > return err; > -- > 2.5.5 > So, casually looking at this patch, it looks like you're relying on sock_cgroup_data, which only points to the default hierarchy. If someone uses net_prio or net_classid, cgroup_sk_alloc_disable is called, and this wont work anymore. Any ideas on how to work around that? Does it make sense to add another pointer to sock_cgroup_data, or at least a warning when allocation is disabled?
Powered by blists - more mailing lists