While having a per-net-ns flow dissector program is convenient for testing, security-wise it's better to have only one vetted global flow dissector implementation. Let's have a convention that when a BPF flow dissector is installed in the root namespace, child namespaces can't override it.

Note that it's totally possible to attach flow_dissector programs to several namespaces and then switch to a global one. In this case, only the root one will trigger; users are still able to detach flow_dissector programs from non-root namespaces.

An alternative solution might be something like a sysctl to enable the global mode.

Cc: Petar Penkov <ppenkov@xxxxxxxxxx>

Stanislav Fomichev (2):
  bpf/flow_dissector: add mode to enforce global BPF flow dissector
  selftests/bpf: add test for BPF flow dissector in the root namespace

 Documentation/bpf/prog_flow_dissector.rst  |  3 ++
 net/core/flow_dissector.c                  | 11 ++++-
 .../selftests/bpf/test_flow_dissector.sh   | 48 ++++++++++++++++---
 3 files changed, 55 insertions(+), 7 deletions(-)

-- 
2.23.0.444.g18eeb5a265-goog