| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <46649e97-dc4a-b6ab-94f9-45727c74c061@cumulusnetworks.com>
Date: Tue, 24 Jan 2017 17:19:07 -0700
From: David Ahern <dsa@...ulusnetworks.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>,
Andy Lutomirski <luto@...capital.net>
Cc: Tejun Heo <tj@...nel.org>, Andy Lutomirski <luto@...nel.org>,
Network Development <netdev@...r.kernel.org>,
"David S. Miller" <davem@...emloft.net>,
Daniel Borkmann <daniel@...earbox.net>,
Alexei Starovoitov <ast@...nel.org>
Subject: Re: [PATCH v2] bpf: Restrict cgroup bpf hooks to the init netns
On 1/24/17 5:11 PM, Alexei Starovoitov wrote:
> I think bpf_get_sock_netns_id() helper or sk->netns_id field would
> be good addition as well, since it will allow 'ip vrf' to be smarter today.
> It's also more flexible, since bpf_type_cgroup_sock program can make
> its own decision when netns_id != expecte_id instead of hard coded.
> Today the ip vrf use case does: 'sk->bound_dev_if = idx; return OK;'
> it will be able to:
> if (sk->netns_id != expected_id)
> return DROP;
> sk->bound_dev_if = idx;
> return OK;
> or
> if (sk->netns_id != expected_id)
> return OK;
> sk->bound_dev_if = idx;
> return OK;
I agree
Powered by blists - more mailing lists