| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191002173357.253643-1-sdf@google.com>
Date: Wed, 2 Oct 2019 10:33:55 -0700
From: Stanislav Fomichev <sdf@...gle.com>
To: netdev@...r.kernel.org, bpf@...r.kernel.org
Cc: davem@...emloft.net, ast@...nel.org, daniel@...earbox.net,
Stanislav Fomichev <sdf@...gle.com>,
Petar Penkov <ppenkov@...gle.com>
Subject: [PATCH bpf-next 0/2] bpf/flow_dissector: add mode to enforce global
BPF flow dissector
While having a per-net-ns flow dissector programs is convenient for
testing, security-wise it's better to have only one vetted global
flow dissector implementation.
Let's have a convention that when BPF flow dissector is installed
in the root namespace, child namespaces can't override it.
Note, that it's totally possible to attach flow_dissector programs
to several namespaces and then switch to a global one. In this case,
only the root one will trigger; users are still able to detach
flow_dissector programs from non-root namespaces.
Alternative solution might be something like a sysctl to enable
the global mode.
Cc: Petar Penkov <ppenkov@...gle.com>
Stanislav Fomichev (2):
bpf/flow_dissector: add mode to enforce global BPF flow dissector
selftests/bpf: add test for BPF flow dissector in the root namespace
Documentation/bpf/prog_flow_dissector.rst | 3 ++
net/core/flow_dissector.c | 11 ++++-
.../selftests/bpf/test_flow_dissector.sh | 48 ++++++++++++++++---
3 files changed, 55 insertions(+), 7 deletions(-)
--
2.23.0.444.g18eeb5a265-goog
Powered by blists - more mailing lists