Date:   Fri, 23 Jul 2021 09:09:01 -0700
From:   Andrii Nakryiko <andrii.nakryiko@...il.com>
To:     Hangbin Liu <haliu@...hat.com>
Cc:     Martynas Pumputis <m@...bda.lt>,
        Networking <netdev@...r.kernel.org>,
        Stephen Hemminger <stephen@...workplumber.org>,
        David Ahern <dsahern@...il.com>,
        Daniel Borkmann <daniel@...earbox.net>
Subject: Re: [PATCH iproute2] libbpf: fix attach of prog with multiple sections

On Fri, Jul 23, 2021 at 12:55 AM Hangbin Liu <haliu@...hat.com> wrote:
>
> On Thu, Jul 22, 2021 at 09:51:50PM -0700, Andrii Nakryiko wrote:
> > > > > This is still problematic, because one section can have multiple BPF
> > > > > programs. I.e., it's possible to define two or more XDP BPF programs
> > > > > all with SEC("xdp") and libbpf works just fine with that. I suggest
> > > > > moving users to specify the program name (i.e., C function name
> > > > > representing the BPF program). All the xdp_mycustom_suffix namings are
>
> I just propose an implementation as you suggested.
>
> > > > > a hack and will be rejected by libbpf 1.0, so it would be great to get
> > > > > a head start on fixing this early on.
> > > >
> > > > Thanks for bringing this up. Currently, there is no way to specify a
> > > > function name with "tc exec bpf" (only a section name via the "sec" arg). So
> > > > probably, we should just add another arg to specify the function name.
> > >
> > > How about adding a "prog" arg to load the specified program name and mark
> > > "sec" as not recommended? To keep backwards compatibility we just load the
> > > first program in the section.
> >
> > Why not error out if there is more than one program with the same
> > section name? If there is just one (and thus section name is still
> > unique) -- then proceed. It seems much less confusing, IMO.
>
> If you and others think it's OK to only support one program per section,
> I do not object.
>

I'm not sure we are on the same page. I'll try to summarize what I
understood and you guys can decide for yourself what you want to do.

So I like your idea of introducing a "prog" arg that will expect a BPF
program name (i.e., C function name). In that case the name is always
unique. For existing "sec" arg, for backwards compatibility, I'd keep
it working, but when "sec" is used I'd check that the match is unique
(i.e., there is only one BPF program within the specified section). If
not, and there is more than one matching BPF program, that's a hard
error, because otherwise you essentially randomly pick one BPF program
out of a few.

> Thanks
> Hangbin
>
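
The selection rule summarized in the message above, as an added example that is not part of the original thread and is not iproute2 or libbpf code. It models a loaded object as a constructed table of (function name, section) pairs; `struct prog_desc`, `select_prog()`, the sample program names and the choice of errno values are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the programs found in one BPF object file:
 * the C function name is unique, the ELF section name may be shared. */
struct prog_desc { const char *name; const char *sec; };

/* Constructed sample: two XDP programs both declared with SEC("xdp"). */
static const struct prog_desc sample_obj[] = {
    { "xdp_pass_all", "xdp" },
    { "xdp_drop_all", "xdp" },
    { "cls_main",     "classifier" },
};
#define SAMPLE_CNT (sizeof(sample_obj) / sizeof(sample_obj[0]))

/* Hypothetical selector. "prog" (function name) wins when given; otherwise
 * "sec" is accepted only if exactly one program lives in that section.
 * Returns 0 and sets *out; -EINVAL with no selector, -ENOENT with no match,
 * -EEXIST when "sec" is ambiguous (errno choices are this example's own). */
static int select_prog(const struct prog_desc *progs, size_t cnt,
                       const char *prog, const char *sec,
                       const struct prog_desc **out)
{
    const struct prog_desc *found = NULL;
    size_t i;

    *out = NULL;
    if (!prog && !sec)
        return -EINVAL;
    for (i = 0; i < cnt; i++) {
        const char *key = prog ? progs[i].name : progs[i].sec;
        if (strcmp(key, prog ? prog : sec) != 0)
            continue;
        if (found)
            return -EEXIST; /* hard error: never pick one arbitrarily */
        found = &progs[i];
    }
    if (!found)
        return -ENOENT;
    *out = found;
    return 0;
}

int main(void)
{
    const struct prog_desc *p;
    printf("sec xdp        -> %d\n", select_prog(sample_obj, SAMPLE_CNT, NULL, "xdp", &p));
    printf("sec classifier -> %d\n", select_prog(sample_obj, SAMPLE_CNT, NULL, "classifier", &p));
    printf("prog xdp_drop_all -> %d\n", select_prog(sample_obj, SAMPLE_CNT, "xdp_drop_all", NULL, &p));
    return 0;
}
```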
