Date:   Mon, 3 Aug 2020 19:15:20 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Alexei Starovoitov <alexei.starovoitov@...il.com>,
        davem@...emloft.net
Cc:     netdev@...r.kernel.org, bpf@...r.kernel.org, kernel-team@...com
Subject: Re: [PATCH v5 bpf-next 3/4] bpf: Add kernel module with user mode
 driver that populates bpffs.

On 8/3/20 12:29 AM, Alexei Starovoitov wrote:
> From: Alexei Starovoitov <ast@...nel.org>
> 
> Add kernel module with user mode driver that populates bpffs with
> BPF iterators.
> 
> $ mount bpffs /my/bpffs/ -t bpf
> $ ls -la /my/bpffs/
> total 4
> drwxrwxrwt  2 root root    0 Jul  2 00:27 .
> drwxr-xr-x 19 root root 4096 Jul  2 00:09 ..
> -rw-------  1 root root    0 Jul  2 00:27 maps.debug
> -rw-------  1 root root    0 Jul  2 00:27 progs.debug
> 
> The user mode driver will load BPF Type Formats, create BPF maps, populate BPF
> maps, load two BPF programs, attach them to BPF iterators, and finally send two
> bpf_link IDs back to the kernel.
> The kernel will pin two bpf_links into newly mounted bpffs instance under
> names "progs.debug" and "maps.debug". These two files become human readable.
> 
> $ cat /my/bpffs/progs.debug
>    id name            attached
>    11 dump_bpf_map    bpf_iter_bpf_map
>    12 dump_bpf_prog   bpf_iter_bpf_prog
>    27 test_pkt_access
>    32 test_main       test_pkt_access test_pkt_access
>    33 test_subprog1   test_pkt_access_subprog1 test_pkt_access
>    34 test_subprog2   test_pkt_access_subprog2 test_pkt_access
>    35 test_subprog3   test_pkt_access_subprog3 test_pkt_access
>    36 new_get_skb_len get_skb_len test_pkt_access
>    37 new_get_skb_ifindex get_skb_ifindex test_pkt_access
>    38 new_get_constant get_constant test_pkt_access
> 
> The BPF program dump_bpf_prog() in iterators.bpf.c is printing this data about
> all BPF programs currently loaded in the system. This information is unstable
> and will change from kernel to kernel as ".debug" suffix conveys.
> 
> Signed-off-by: Alexei Starovoitov <ast@...nel.org>
[...]
> diff --git a/kernel/bpf/preload/Kconfig b/kernel/bpf/preload/Kconfig
> new file mode 100644
> index 000000000000..b8ba5a9398ed
> --- /dev/null
> +++ b/kernel/bpf/preload/Kconfig
> @@ -0,0 +1,18 @@
> +# SPDX-License-Identifier: GPL-2.0-only
> +menuconfig BPF_PRELOAD
> +	bool "Preload BPF file system with kernel specific program and map iterators"
> +	depends on BPF
> +	help
> +	  This builds kernel module with several embedded BPF programs that are
> +	  pinned into BPF FS mount point as human readable files that are
> +	  useful in debugging and introspection of BPF programs and maps.
> +
> +if BPF_PRELOAD
> +config BPF_PRELOAD_UMD
> +	tristate "bpf_preload kernel module with user mode driver"
> +	depends on CC_CAN_LINK
> +	depends on m || CC_CAN_LINK_STATIC
> +	default m
> +	help
> +	  This builds bpf_preload kernel module with embedded user mode driver.
> +endif
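Review bot: The help text under `config BPF_PRELOAD_UMD` is a single line and does not say what the user mode driver actually does, which is what someone configuring a locked-down kernel needs to know before choosing `m` or `y`. The commit message already has the content: the driver loads BTF, creates and populates maps, loads two BPF programs, attaches them to BPF iterators and returns two bpf_link IDs, which the kernel pins as `progs.debug` and `maps.debug` in a newly mounted bpffs instance. Suggest carrying a short version of that into the help text, together with the fact that the files are created `-rw-------` root:root and that their output format is unstable. Minor wording: "This builds kernel module" in the `BPF_PRELOAD` help text and "This builds bpf_preload kernel module" in the `BPF_PRELOAD_UMD` help text are each missing an article.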
[...]
When I applied this set locally to run build & selftests I noticed that the above
kconfig will appear in the top-level menuconfig. This is how it looks in menuconfig:

   │ ┌────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐ │
   │ │                                           General setup  --->                                                                                      │ │
   │ │                                       [*] 64-bit kernel                                                                                            │ │
   │ │                                           Processor type and features  --->                                                                        │ │
   │ │                                           Power management and ACPI options  --->                                                                  │ │
   │ │                                           Bus options (PCI etc.)  --->                                                                             │ │
   │ │                                           Binary Emulations  --->                                                                                  │ │
   │ │                                           Firmware Drivers  --->                                                                                   │ │
   │ │                                       [*] Virtualization  --->                                                                                     │ │
   │ │                                           General architecture-dependent options  --->                                                             │ │
   │ │                                       [*] Enable loadable module support  --->                                                                     │ │
   │ │                                       -*- Enable the block layer  --->                                                                             │ │
   │ │                                           IO Schedulers  --->                                                                                      │ │
   │ │                                       [ ] Preload BPF file system with kernel specific program and map iterators  ----                             │ │
   │ │                                           Executable file formats  --->                                                                            │ │
   │ │                                           Memory Management options  --->                                                                          │ │
   │ │                                       [*] Networking support  --->                                                                                 │ │
   │ │                                           Device Drivers  --->                                                                                     │ │
   │ │                                           File systems  --->                                                                                       │ │
   │ │                                           Security options  --->                                                                                   │ │
[...]

I assume the original intention was to have it under 'general setup' on a similar level for
the JIT settings, or is this intentional to have it at this high level next to 'networking
support' and others?

Thanks,
Daniel
