| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3a2e5263-354a-0496-a033-8b16901ba423@gmail.com>
Date: Wed, 23 Aug 2017 09:33:09 -0700
From: David Ahern <dsahern@...il.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: netdev@...r.kernel.org, daniel@...earbox.net, ast@...nel.org,
tj@...nel.org, davem@...emloft.net
Subject: Re: [PATCH net-next 1/8] bpf: Recursively apply cgroup sock filters
On 8/22/17 6:40 PM, Alexei Starovoitov wrote:
>> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
>> index df2e0f14a95d..7480cebab073 100644
>> --- a/kernel/cgroup/cgroup.c
>> +++ b/kernel/cgroup/cgroup.c
>> @@ -5186,4 +5186,22 @@ int cgroup_bpf_update(struct cgroup *cgrp, struct bpf_prog *prog,
>> mutex_unlock(&cgroup_mutex);
>> return ret;
>> }
>> +
>> +int cgroup_bpf_run_filter_sk(struct sock *sk,
>> + enum bpf_attach_type type)
>> +{
>> + struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data);
>> + int ret = 0;
>> +
>> + while (cgrp) {
>> + ret = __cgroup_bpf_run_filter_sk(cgrp, sk, type);
>> + if (ret < 0)
>> + break;
>> +
>> + cgrp = cgroup_parent(cgrp);
>> + }
>
> I think this walk changes semantics for existing setups, so we cannot do it
> by default and have to add new attach flag.
I can add a flag similar to the override.
> Also why break on (ret < 0) ?
Because __cgroup_bpf_run_filter_sk returns either 0 or -EPERM.
> The caller of this does:
> err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk);
> if (err) {
> sk_common_release(sk);
> so we should probably break out of the loop on if (ret) too.
>
I'll do that in v2.
Powered by blists - more mailing lists