| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <YgPz8akQ4+qBz7nf@google.com>
Date: Wed, 9 Feb 2022 09:03:45 -0800
From: sdf@...gle.com
To: ast@...nel.org, daniel@...earbox.net, kafai@...com
Cc: netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Override default socket policy per cgroup
Let's say I want to set some default sk_priority for all sockets in a
specific cgroup. I can do it right now using cgroup/sock_create, but it
applies only to AF_INET{,6} sockets. I'd like to do the same for raw
(AF_PACKET) sockets and cgroup/sock_create doesn't trigger for them :-(
(1) My naive approach would be to add another cgroup/sock_post_create
which runs late from __sock_create and triggers on everything.
(2) Another approach might be to move BPF_CGROUP_RUN_PROG_INET_SOCK and
make it work with AF_PACKET. This might be not 100% backwards compatible
but I'd assume that most users should look at the socket family before
doing anything. (in this case it feels like we can extend
sock_bind/release for af_packets as well, just for accounting purposes,
without any way to override the target ifindex).
(3) I've also tried to play with fentry/security_socket_post_create, but
it doesn't look like I can change kernel data from the tracing context.
fentry is also global and I'd like to get to cgroup-local-storage.
(I don't want to get involved in per-packet processing here, so I'm
looking at something I can do once at socket creation).
Any suggestions? Anything I'm missing? I'm leaning towards (2), maybe we
can extend existing socket create/bind/release for af_packet? Having
another set (1) doesn't make sense.
Powered by blists - more mailing lists