lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 5 Mar 2020 08:39:07 -0800
From:   Alexei Starovoitov <>
To:     Jakub Kicinski <>
Cc:     Toke Høiland-Jørgensen <>,
        Alexei Starovoitov <>,
        Daniel Borkmann <>,
        Andrii Nakryiko <>,
        Andrii Nakryiko <>, bpf <>,
        Networking <>,
        Kernel Team <>
Subject: Re: [PATCH bpf-next 0/3] Introduce pinnable bpf_link kernel

On Thu, Mar 05, 2020 at 12:16:20AM -0800, Jakub Kicinski wrote:
> > 
> > bpf program is an object. That object has an owner or multiple owners.
> > A user process that holds a pointer to that object is a shared owner.
> > FD is such pointer. FD == std::shared_ptr<bpf_prog>.
> > Holding that pointer guarantees that <bpf_prog> will not disappear,
> > but it says nothing that the program will keep running.
> > For [ku]probe,tp,fentry,fexit there was always <bpf_link> in the kernel.
> > It wasn't that formal in the past until most recent Andrii's patches,
> > but the concept existed for long time. FD == std::shared_ptr<bpf_link>
> > connects a kernel object with <bpf_prog>. When that kernel objects emits
> > an event the <bpf_link> guarantees that <bpf_prog> will be executed.
> I see so the link is sort of [owner -> prog -> target].

No. Link has two pieces: kernel object and program. It connects the two.

> > For cgroups we don't have such concept. We thought that three attach modes we
> > introduced (default, allow-override, allow-multi) will cover all use cases. But
> > in practice turned out that it only works when there is a central daemon for
> > _all_ cgroup-bpf progs in the system otherwise different processes step on each
> > other. More so there has to be a central diff-review human authority otherwise
> > teams step on each other. That's sort-of works within one org, but doesn't
> > scale.
> > 
> > To avoid making systemd a central place to coordinate attaching xdp, tc, cgroup
> > progs the kernel has to provide a mechanism for an application to connect a
> > kernel object with a prog and hold the ownership of that link so that no other
> > process in the system can break that connection. 
> To me for XDP the promise that nothing breaks the connection cannot be
> made without a daemon, because without the daemon the link has to be
> available somewhere/pinned to make changes to, and therefore is no
> longer safe.

This is not true. Nothing requires pinning.
Again. FD == shared_ptr. Two applications can share that link and
coordinate the changes to dispatcher prog without a daemon and without pinning.

Powered by blists - more mailing lists