lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 30 Nov 2021 20:33:43 -0800
From:   Andrii Nakryiko <andrii.nakryiko@...il.com>
To:     Cong Wang <xiyou.wangcong@...il.com>
Cc:     Song Liu <song@...nel.org>, Andrii Nakryiko <andrii@...nel.org>,
        Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
        Cong Wang <cong.wang@...edance.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        John Fastabend <john.fastabend@...il.com>,
        Jakub Sitnicki <jakub@...udflare.com>
Subject: Re: [PATCH bpf] libbpf: fix missing section "sk_skb/skb_verdict"

On Tue, Nov 30, 2021 at 8:19 PM Cong Wang <xiyou.wangcong@...il.com> wrote:
>
> On Tue, Nov 30, 2021 at 3:33 PM Song Liu <song@...nel.org> wrote:
> >
> > On Mon, Nov 29, 2021 at 12:51 PM Cong Wang <xiyou.wangcong@...il.com> wrote:
> > >
> > > On Fri, Nov 26, 2021 at 04:20:34PM -0800, Song Liu wrote:
> > > > On Fri, Nov 26, 2021 at 12:45 PM Cong Wang <xiyou.wangcong@...il.com> wrote:
> > > > >
> > > > > From: Cong Wang <cong.wang@...edance.com>
> > > > >
> > > > > When BPF_SK_SKB_VERDICT was introduced, I forgot to add
> > > > > a section mapping for it in libbpf.
> > > > >
> > > > > Fixes: a7ba4558e69a ("sock_map: Introduce BPF_SK_SKB_VERDICT")
> > > > > Cc: Daniel Borkmann <daniel@...earbox.net>
> > > > > Cc: John Fastabend <john.fastabend@...il.com>
> > > > > Cc: Jakub Sitnicki <jakub@...udflare.com>
> > > > > Signed-off-by: Cong Wang <cong.wang@...edance.com>
> > > >
> > > > The patch looks good to me. But seems the selftests are OK without this. So,
> > > > do we really need this?
> > > >
> > >
> > > Not sure if I understand this question.
> > >
> > > At least BPF_SK_SKB_STREAM_PARSER and BPF_SK_SKB_STREAM_VERDICT are already
> > > there, so either we should remove all of them or add BPF_SK_SKB_VERDICT for
> > > completeness.
> > >
> > > Or are you suggesting we should change it back in selftests too? Note, it was
> > > changed by Andrii in commit 15669e1dcd75fe6d51e495f8479222b5884665b6:
> > >
> > > -SEC("sk_skb/skb_verdict")
> > > +SEC("sk_skb")
> >
> > Yes, I noticed that Andrii made the change, and it seems to work
> > as-is. Therefore,
> > I had the question "do we really need it".
>
> Same question from me: why still keep sk_skb/stream_parser and
> sk_skb/stream_verdict? ;) I don't see any reason these two are more
> special than sk_skb/skb_verdict, therefore we should either keep all
> of them or remove all of them.
>

"sk_skb/skb_verdict" was treated by libbpf *exactly* the same way as
"sk_skb". Which means the attach type was set to BPF_PROG_TYPE_SK_SKB
and expected_attach_type was 0 (not BPF_SK_SKB_VERDICT!). So that
program is definitely not a BPF_SK_SKB_VERDICT, libbpf pre-1.0 just
has a sloppy prefix matching logic.

So Song's point is valid, we currently don't have selftests that tests
BPF_SK_SKB_VERDICT expected attach type, so it would be good to add
it. Or make sure that existing test that was supposed to test it is
actually testing it.

> >
> > If we do need to differentiate skb_verdict from just sk_skb, could you
>
> Are you sure sk_skb is a real attach type?? To me, it is an umbrella to
> catch all of them:
>
> SEC_DEF("sk_skb",               SK_SKB, 0, SEC_NONE | SEC_SLOPPY_PFX),
>
> whose expected_attach_type is 0. The reason why it works is
> probably because we don't check BPF_PROG_TYPE_SK_SKB in
> bpf_prog_load_check_attach().

We don't check expected_attach_type in prog_load, but
sock_map_prog_update in net/core/sock_map.c is checking expected
attach type and should return -EOPNOTSUPP. But given that no test is
failing our tests don't even try to attach anything, I assume. Which
makes them not so great at actually testing anything. Please see if
you can improve that.

>
> > please add a
> > case selftest for skb_verdict?
>
> Ah, sure, I didn't know we have sec_name_test.
>
> >
> > Also, maybe we can name it as "sk_skb/verdict" to avoid duplication?
>
> At least we used to call it sk_skb/skb_verdict before commit 15669e1dcd.

As I mentioned above, it could have been called "sk_skb!dontcare" and
that would still work (and still does if strict mode is not enabled
for libbpf). For consistency with UAPI expected_attach_type enum it
should be called "sk_skb/verdict" because BPF_SK_SKB_VERDICT vs
BPF_SK_SKB_STREAM_VERDICT vs BPF_SK_SKB_STREAM_PARSER.

>
> Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ