lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160622011904.GC97149@ast-mbp.thefacebook.com>
Date:	Tue, 21 Jun 2016 18:19:06 -0700
From:	Alexei Starovoitov <alexei.starovoitov@...il.com>
To:	Martin KaFai Lau <kafai@...com>
Cc:	cgroups@...r.kernel.org, linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org, Alexei Starovoitov <ast@...com>,
	Daniel Borkmann <daniel@...earbox.net>,
	Tejun Heo <tj@...nel.org>, kernel-team@...com
Subject: Re: [PATCH -next 4/4] cgroup: bpf: Add an example to do cgroup
 checking in BPF

On Tue, Jun 21, 2016 at 05:23:22PM -0700, Martin KaFai Lau wrote:
> test_cgrp2_array_pin.c:
> A userland program that creates a bpf_map (BPF_MAP_TYPE_GROUP_ARRAY),
> pouplates/updates it with a cgroup2's backed fd and pins it to a
> bpf-fs's file.  The pinned file can be loaded by tc and then used
> by the bpf prog later.  This program can also update an existing pinned
> array and it could be useful for debugging/testing purpose.
> 
> test_cgrp2_tc_kern.c:
> A bpf prog which should be loaded by tc.  It is to demonstrate
> the usage of bpf_skb_in_cgroup.
> 
> test_cgrp2_tc.sh:
> A script that glues the test_cgrp2_array_pin.c and
> test_cgrp2_tc_kern.c together.  The idea is like:
> 1. Use test_cgrp2_array_pin.c to populate a BPF_MAP_TYPE_CGROUP_ARRAY
>    with a cgroup fd
> 2. Load the test_cgrp2_tc_kern.o by tc
> 3. Do a 'ping -6 ff02::1%ve' to ensure the packet has been
>    dropped because of a match on the cgroup
> 
> Most of the lines in test_cgrp2_tc.sh is the boilerplate
> to setup the cgroup/bpf-fs/net-devices/netns...etc.  It is
> not bulletproof on errors but should work well enough and
> give enough debug info if things did not go well.
> 
> Signed-off-by: Martin KaFai Lau <kafai@...com>
> Cc: Alexei Starovoitov <ast@...com>
> Cc: Daniel Borkmann <daniel@...earbox.net>
> Cc: Tejun Heo <tj@...nel.org>
> ---
>  samples/bpf/Makefile               |   3 +
>  samples/bpf/bpf_helpers.h          |   2 +
>  samples/bpf/test_cgrp2_array_pin.c | 109 +++++++++++++++++++++
>  samples/bpf/test_cgrp2_tc.sh       | 189 +++++++++++++++++++++++++++++++++++++
>  samples/bpf/test_cgrp2_tc_kern.c   |  71 ++++++++++++++
>  5 files changed, 374 insertions(+)
...
> +struct bpf_elf_map SEC("maps") test_cgrp2_array_pin = {
> +	.type		= BPF_MAP_TYPE_CGROUP_ARRAY,
> +	.size_key	= sizeof(uint32_t),
> +	.size_value	= sizeof(uint32_t),
> +	.pinning	= PIN_GLOBAL_NS,
> +	.max_elem	= 1,
> +};
> +
> +SEC("filter")
> +int handle_egress(struct __sk_buff *skb)
> +{
> +	void *data = (void *)(long)skb->data;
> +	struct eth_hdr *eth = data;
> +	struct ipv6hdr *ip6h = data + sizeof(*eth);
> +	void *data_end = (void *)(long)skb->data_end;
> +	char dont_care_msg[] = "dont care %04x %d\n";
> +	char pass_msg[] = "pass\n";
> +	char reject_msg[] = "reject\n";
> +
> +	/* single length check */
> +	if (data + sizeof(*eth) + sizeof(*ip6h) > data_end)
> +		return TC_ACT_OK;

love the test case.
It's using tc + clsact + cls_bpf in da mode + bpffs + direct packet access
and new cgroup helper.
All the most recent features I can think of :)

Acked-by: Alexei Starovoitov <ast@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ