lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <21c14e84-472b-74ec-eec6-0117d40e54d2@iogearbox.net>
Date:   Sat, 17 Aug 2019 23:32:41 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Stanislav Fomichev <sdf@...gle.com>, netdev@...r.kernel.org,
        bpf@...r.kernel.org
Cc:     davem@...emloft.net, ast@...nel.org,
        Martin KaFai Lau <kafai@...com>, Yonghong Song <yhs@...com>
Subject: Re: [PATCH bpf-next v4 0/4] bpf: support cloning sk storage on
 accept()

On 8/14/19 7:37 PM, Stanislav Fomichev wrote:
> Currently there is no way to propagate sk storage from the listener
> socket to a newly accepted one. Consider the following use case:
> 
>          fd = socket();
>          setsockopt(fd, SOL_IP, IP_TOS,...);
>          /* ^^^ setsockopt BPF program triggers here and saves something
>           * into sk storage of the listener.
>           */
>          listen(fd, ...);
>          while (client = accept(fd)) {
>                  /* At this point all association between listener
>                   * socket and newly accepted one is gone. New
>                   * socket will not have any sk storage attached.
>                   */
>          }
> 
> Let's add new BPF_F_CLONE flag that can be specified when creating
> a socket storage map. This new flag indicates that map contents
> should be cloned when the socket is cloned.
> 
> v4:
> * drop 'goto err' in bpf_sk_storage_clone (Yonghong Song)
> * add comment about race with bpf_sk_storage_map_free to the
>    bpf_sk_storage_clone side as well (Daniel Borkmann)
> 
> v3:
> * make sure BPF_F_NO_PREALLOC is always present when creating
>    a map (Martin KaFai Lau)
> * don't call bpf_sk_storage_free explicitly, rely on
>    sk_free_unlock_clone to do the cleanup (Martin KaFai Lau)
> 
> v2:
> * remove spinlocks around selem_link_map/sk (Martin KaFai Lau)
> * BPF_F_CLONE on a map, not selem (Martin KaFai Lau)
> * hold a map while cloning (Martin KaFai Lau)
> * use BTF maps in selftests (Yonghong Song)
> * do proper cleanup selftests; don't call close(-1) (Yonghong Song)
> * export bpf_map_inc_not_zero
> 
> Cc: Martin KaFai Lau <kafai@...com>
> Cc: Yonghong Song <yhs@...com>
> 
> Stanislav Fomichev (4):
>    bpf: export bpf_map_inc_not_zero
>    bpf: support cloning sk storage on accept()
>    bpf: sync bpf.h to tools/
>    selftests/bpf: add sockopt clone/inheritance test
> 
>   include/linux/bpf.h                           |   2 +
>   include/net/bpf_sk_storage.h                  |  10 +
>   include/uapi/linux/bpf.h                      |   3 +
>   kernel/bpf/syscall.c                          |  16 +-
>   net/core/bpf_sk_storage.c                     | 104 ++++++-
>   net/core/sock.c                               |   9 +-
>   tools/include/uapi/linux/bpf.h                |   3 +
>   tools/testing/selftests/bpf/.gitignore        |   1 +
>   tools/testing/selftests/bpf/Makefile          |   3 +-
>   .../selftests/bpf/progs/sockopt_inherit.c     |  97 +++++++
>   .../selftests/bpf/test_sockopt_inherit.c      | 253 ++++++++++++++++++
>   11 files changed, 491 insertions(+), 10 deletions(-)
>   create mode 100644 tools/testing/selftests/bpf/progs/sockopt_inherit.c
>   create mode 100644 tools/testing/selftests/bpf/test_sockopt_inherit.c
> 

Applied, thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ