lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <ead133a1-2cbb-5f98-3617-8abfab7b6c5f@oracle.com>
Date:   Fri, 29 Jun 2018 17:46:44 -0700
From:   Tushar Dave <tushar.n.dave@...cle.com>
To:     Daniel Borkmann <daniel@...earbox.net>, ast@...nel.org,
        davem@...emloft.net, jakub.kicinski@...ronome.com,
        quentin.monnet@...ronome.com, jiong.wang@...ronome.com,
        guro@...com, sandipan@...ux.vnet.ibm.com, john.fastabend@...il.com,
        kafai@...com, rdna@...com, brakmo@...com, netdev@...r.kernel.org,
        acme@...hat.com, sowmini.varadhan@...cle.com
Subject: Re: [RFC v2 PATCH 1/4] eBPF: Add new eBPF prog type
 BPF_PROG_TYPE_SOCKET_SG_FILTER



On 06/29/2018 01:27 AM, Daniel Borkmann wrote:
> On 06/19/2018 08:00 PM, Tushar Dave wrote:
>> Add new eBPF prog type BPF_PROG_TYPE_SOCKET_SG_FILTER which uses the
>> existing socket filter infrastructure for bpf program attach and load.
>> SOCKET_SG_FILTER eBPF program receives struct scatterlist as bpf context
>> contrast to SOCKET_FILTER which deals with struct skb. This is useful
>> for kernel entities that don't have skb to represent packet data but
>> want to run eBPF socket filter on packet data that is in form of struct
>> scatterlist e.g. IB/RDMA
>>
>> Signed-off-by: Tushar Dave <tushar.n.dave@...cle.com>
>> Acked-by: Sowmini Varadhan <sowmini.varadhan@...cle.com>
>> ---
>>   include/linux/bpf_types.h      |  1 +
>>   include/linux/filter.h         |  8 +++++
>>   include/uapi/linux/bpf.h       |  7 ++++
>>   kernel/bpf/syscall.c           |  1 +
>>   kernel/bpf/verifier.c          |  1 +
>>   net/core/filter.c              | 77 ++++++++++++++++++++++++++++++++++++++++--
>>   samples/bpf/bpf_load.c         | 11 ++++--
>>   tools/bpf/bpftool/prog.c       |  1 +
>>   tools/include/uapi/linux/bpf.h |  7 ++++
>>   tools/lib/bpf/libbpf.c         |  3 ++
>>   tools/lib/bpf/libbpf.h         |  2 ++
>>   11 files changed, 114 insertions(+), 5 deletions(-)
>>
> [...]
>>   
>> +static bool socksg_filter_is_valid_access(int off, int size,
>> +					  enum bpf_access_type type,
>> +					  const struct bpf_prog *prog,
>> +					  struct bpf_insn_access_aux *info)
>> +{
>> +	switch (off) {
>> +	case offsetof(struct sg_filter_md, data):
>> +		info->reg_type = PTR_TO_PACKET;
>> +		break;
>> +	case offsetof(struct sg_filter_md, data_end):
>> +		info->reg_type = PTR_TO_PACKET_END;
>> +		break;
>> +	}
>> +
>> +	if (off < 0 || off >= sizeof(struct sg_filter_md))
>> +		return false;
>> +	if (off % size != 0)
>> +		return false;
>> +	if (size != sizeof(__u64))
>> +		return false;
>> +
>> +	return true;
>> +}
> 
> Just a note, don't know much about rds, but when you make this writeable for
> rds/tcp you definitely must make sure that it can be handled properly in there,
> meaning when program rewrites packet data that this data is private to the BPF
> prog (to avoid races/corruption) and that the rewritten data is correctly handled
> from there.

Sure thing. When I add something like bpf_sg_store_bytes(), I will make
sure to take care of rewrites.

Thanks.

-Tushar
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ