Date: Fri, 29 Jun 2018 17:46:44 -0700
From: Tushar Dave <tushar.n.dave@...cle.com>
To: Daniel Borkmann <daniel@...earbox.net>, ast@...nel.org, davem@...emloft.net, jakub.kicinski@...ronome.com, quentin.monnet@...ronome.com, jiong.wang@...ronome.com, guro@...com, sandipan@...ux.vnet.ibm.com, john.fastabend@...il.com, kafai@...com, rdna@...com, brakmo@...com, netdev@...r.kernel.org, acme@...hat.com, sowmini.varadhan@...cle.com
Subject: Re: [RFC v2 PATCH 1/4] eBPF: Add new eBPF prog type BPF_PROG_TYPE_SOCKET_SG_FILTER

On 06/29/2018 01:27 AM, Daniel Borkmann wrote:
> On 06/19/2018 08:00 PM, Tushar Dave wrote:
>> Add new eBPF prog type BPF_PROG_TYPE_SOCKET_SG_FILTER which uses the
>> existing socket filter infrastructure for bpf program attach and load.
>> SOCKET_SG_FILTER eBPF program receives struct scatterlist as bpf context
>> contrast to SOCKET_FILTER which deals with struct skb. This is useful
>> for kernel entities that don't have skb to represent packet data but
>> want to run eBPF socket filter on packet data that is in form of struct
>> scatterlist e.g. IB/RDMA
>>
>> Signed-off-by: Tushar Dave <tushar.n.dave@...cle.com>
>> Acked-by: Sowmini Varadhan <sowmini.varadhan@...cle.com>
>> ---
>> include/linux/bpf_types.h | 1 +
>> include/linux/filter.h | 8 +++++
>> include/uapi/linux/bpf.h | 7 ++++
>> kernel/bpf/syscall.c | 1 +
>> kernel/bpf/verifier.c | 1 +
>> net/core/filter.c | 77 ++++++++++++++++++++++++++++++++++++++++--
>> samples/bpf/bpf_load.c | 11 ++++--
>> tools/bpf/bpftool/prog.c | 1 +
>> tools/include/uapi/linux/bpf.h | 7 ++++
>> tools/lib/bpf/libbpf.c | 3 ++
>> tools/lib/bpf/libbpf.h | 2 ++
>> 11 files changed, 114 insertions(+), 5 deletions(-)
>>
> [...]
>> >> +static bool socksg_filter_is_valid_access(int off, int size, >> + enum bpf_access_type type, >> + const struct bpf_prog *prog, >> + struct bpf_insn_access_aux *info) >> +{ >> + switch (off) { >> + case offsetof(struct sg_filter_md, data): >> + info->reg_type = PTR_TO_PACKET; >> + break; >> + case offsetof(struct sg_filter_md, data_end): >> + info->reg_type = PTR_TO_PACKET_END; >> + break; >> + } >> + >> + if (off < 0 || off >= sizeof(struct sg_filter_md)) >> + return false; >> + if (off % size != 0) >> + return false; >> + if (size != sizeof(__u64)) >> + return false; >> + >> + return true; >> +}
>
> Just a note, don't know much about rds, but when you make this writeable for
> rds/tcp you definitely must make sure that it can be handled properly in there,
> meaning when program rewrites packet data that this data is private to the BPF
> prog (to avoid races/corruption) and that the rewritten data is correctly handled
> from there.

Sure thing. When I add something like bpf_sg_store_bytes(), I will make sure to take care of rewrites.

Thanks.

-Tushar
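
Review bot: socksg_filter_is_valid_access() never examines its `type` argument, so a BPF_WRITE to the data or data_end context fields passes exactly the same checks as a read; an early `if (type == BPF_WRITE) return false;` ahead of the switch would make the context read-only until a write path exists. The switch also assigns info->reg_type before off and size have been validated, and `off % size` is evaluated before size is compared with sizeof(__u64). Moving the range and size checks to the top of the function, with the size comparison first, keeps reg_type from being set on an access that is then rejected and keeps the modulo from operating on an unchecked size.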