lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z8WBIR72Zu5x50N9@MTARDY-M-GJC6>
Date: Mon, 3 Mar 2025 11:14:57 +0100
From: Mahe Tardy <mahe.tardy@...il.com>
To: Martin KaFai Lau <martin.lau@...ux.dev>
Cc: daniel@...earbox.net, john.fastabend@...il.com, ast@...nel.org,
	andrii@...nel.org, jolsa@...nel.org, bpf@...r.kernel.org,
	Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH bpf-next 1/2] bpf: add get_netns_cookie helper to tracing
 programs

On Thu, Feb 27, 2025 at 12:32:43PM -0800, Martin KaFai Lau wrote:
> On 2/27/25 10:28 AM, Mahe Tardy wrote:
> > This is needed in the context of Cilium and Tetragon to retrieve netns
> > cookie from hostns when traffic leaves Pod, so that we can correlate
> > skb->sk's netns cookie.
> > 
> > Signed-off-by: Mahe Tardy <mahe.tardy@...il.com>
> > ---
> > This is a follow-up of c221d3744ad3 ("bpf: add get_netns_cookie helper
> > to cgroup_skb programs") and eb62f49de7ec ("bpf: add get_netns_cookie
> > helper to tc programs"), adding this helper respectively to cgroup_skb
> > and tcx programs.
> > 
> > I looked up a patch doing a similar thing c5dbb89fc2ac ("bpf: Expose
> > bpf_get_socket_cookie to tracing programs") and there was an item about
> > "sleepable context". It seems it indeed concerns tracing and LSM progs
> > from reading 1e6c62a88215 ("bpf: Introduce sleepable BPF programs"). Is
> > this needed here?
> 
> Regarding sleepable, I think the bpf_get_netns_cookie_sock is only reading,
> should be fine.

Ok thank you.

> The immediate question is whether sock_net(sk) must be non-NULL for tracing.

We discussed this offline with Daniel Borkmann and we think that it
might not be the question. The get_netns_cookie(NULL) call allows us to
compare against get_netns_cookie(sock) to see whether the sock's netns
is equal to the init netns and thus dispatch different logic.

Given we (in Tetragon) historically used tracing programs when no
appropriate network hook was available on older kernels I can foresee
how it can still be useful in such programs.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ