lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40e427e2-5b15-e9aa-e2cb-42dc1b53d047@gmail.com>
Date:   Wed, 15 Apr 2020 20:23:11 -0600
From:   David Ahern <dsahern@...il.com>
To:     Yonghong Song <yhs@...com>, Andrii Nakryiko <andriin@...com>,
        bpf@...r.kernel.org, Martin KaFai Lau <kafai@...com>,
        netdev@...r.kernel.org
Cc:     Alexei Starovoitov <ast@...com>,
        Daniel Borkmann <daniel@...earbox.net>, kernel-team@...com
Subject: Re: [RFC PATCH bpf-next v2 00/17] bpf: implement bpf based dumping of
 kernel data structures

On 4/15/20 1:27 PM, Yonghong Song wrote:
> 
> As there are some discussions regarding to the kernel interface/steps to
> create file/anonymous dumpers, I think it will be beneficial for
> discussion with this work in progress.
> 
> Motivation:
>   The current way to dump kernel data structures mostly:
>     1. /proc system
>     2. various specific tools like "ss" which requires kernel support.
>     3. drgn
>   The dropback for the first two is that whenever you want to dump more, you
>   need change the kernel. For example, Martin wants to dump socket local

If kernel support is needed for bpfdump of kernel data structures, you
are not really solving the kernel support problem. i.e., to dump
ipv4_route's you need to modify the relevant proc show function.


>   storage with "ss". Kernel change is needed for it to work ([1]).
>   This is also the direct motivation for this work.
> 
>   drgn ([2]) solves this proble nicely and no kernel change is not needed.
>   But since drgn is not able to verify the validity of a particular pointer value,
>   it might present the wrong results in rare cases.
> 
>   In this patch set, we introduce bpf based dumping. Initial kernel changes are
>   still needed, but a data structure change will not require kernel changes
>   any more. bpf program itself is used to adapt to new data structure
>   changes. This will give certain flexibility with guaranteed correctness.
> 
>   Here, kernel seq_ops is used to facilitate dumping, similar to current
>   /proc and many other lossless kernel dumping facilities.
> 
> User Interfaces:
>   1. A new mount file system, bpfdump at /sys/kernel/bpfdump is introduced.
>      Different from /sys/fs/bpf, this is a single user mount. Mount command
>      can be:
>         mount -t bpfdump bpfdump /sys/kernel/bpfdump
>   2. Kernel bpf dumpable data structures are represented as directories
>      under /sys/kernel/bpfdump, e.g.,
>        /sys/kernel/bpfdump/ipv6_route/
>        /sys/kernel/bpfdump/netlink/

The names of bpfdump fs entries do not match actual data structure names
- e.g., there is no ipv6_route struct. On the one hand that is a good
thing since structure names can change, but that also means a mapping is
needed between the dumper filesystem entries and what you get for context.

Further, what is the expectation in terms of stable API for these fs
entries? Entries in the context can change. Data structure names can
change. Entries in the structs can change. All of that breaks the idea
of stable programs that are compiled once and run for all future
releases. When structs change, those programs will break - and
structures will change.

What does bpfdumper provide that you can not do with a tracepoint on a
relevant function and then putting a program on the tracepoint? ie., why
not just put a tracepoint in the relevant dump functions.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ