While having per-net-ns flow dissector programs is convenient for testing, security-wise it's better to have only one vetted global flow dissector implementation. Let's have a convention that when a BPF flow dissector is installed in the root namespace, child namespaces can't override it.

The intended use-case is to attach the global BPF flow dissector early from the init scripts/systemd.

Attaching the global dissector is prohibited if some non-root namespace already has a flow dissector attached. Also, attaching to a non-root namespace is prohibited when there is a flow dissector attached to the root namespace.

v2:
* EPERM -> EEXIST (Song Liu)
* Make sure we don't have a dissector attached to non-root namespaces when attaching the global one (Andrii Nakryiko)

Cc: Petar Penkov <ppenkov@xxxxxxxxxx>

Stanislav Fomichev (2):
  bpf/flow_dissector: add mode to enforce global BPF flow dissector
  selftests/bpf: add test for BPF flow dissector in the root namespace

 Documentation/bpf/prog_flow_dissector.rst    |  3 ++
 net/core/flow_dissector.c                    | 42 ++++++++++++++--
 .../selftests/bpf/test_flow_dissector.sh     | 48 ++++++++++++++++---
 3 files changed, 83 insertions(+), 10 deletions(-)

-- 
2.23.0.581.g78d2f28ef7-goog
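The two attach rules in the cover letter (root namespace wins, and the global dissector cannot be installed while a child namespace already has one) are easy to get subtly wrong, so the following is a small executable model of that policy. It is an added example written for this page, not code from the patch series or from net/core/flow_dissector.c; the registry class, the `ROOT_NS` label, the program identifiers and the behaviour of re-attaching within the same namespace (treated here as a replace) are all assumptions of the model. Return values follow the kernel convention of 0 on success and a negative errno on failure, using EEXIST as chosen in v2.

```python
import errno

# Constructed label for the init (root) network namespace; the kernel uses
# a pointer comparison against init_net, not a string.
ROOT_NS = "root"
EEXIST_RET = -errno.EEXIST
ENOENT_RET = -errno.ENOENT


class FlowDissectorRegistry:
    """Model of the attach policy from the cover letter (not kernel code).

    Rules:
      * attaching to the root namespace fails with EEXIST if any non-root
        namespace already has a dissector attached;
      * attaching to a non-root namespace fails with EEXIST if the root
        namespace has a dissector attached.
    Re-attaching in a namespace that already holds a program replaces it;
    that part is an assumption of this model, not something the cover
    letter states.
    """

    def __init__(self):
        self._attached = {}  # netns label -> program identifier

    def attach(self, ns, prog):
        if ns == ROOT_NS:
            # Global dissector: refuse if a child namespace got there first,
            # so the global one can never silently coexist with a per-ns one.
            if any(n != ROOT_NS for n in self._attached):
                return EEXIST_RET
        elif ROOT_NS in self._attached:
            # Child namespace: the vetted global dissector takes precedence.
            return EEXIST_RET
        self._attached[ns] = prog
        return 0

    def detach(self, ns):
        if ns not in self._attached:
            return ENOENT_RET
        del self._attached[ns]
        return 0

    def attached(self, ns):
        return self._attached.get(ns)


def demo():
    """Walk through both rules; returns the list of attach/detach results."""
    reg = FlowDissectorRegistry()
    results = []
    # Boot-time: init attaches the global dissector first.
    results.append(reg.attach(ROOT_NS, "global_dissector"))     # 0
    # A child namespace may not override it.
    results.append(reg.attach("netns_a", "per_ns_dissector"))   # EEXIST
    # Remove the global one; now a child namespace can attach.
    results.append(reg.detach(ROOT_NS))                          # 0
    results.append(reg.attach("netns_a", "per_ns_dissector"))   # 0
    # With a per-ns dissector live, the global one is refused (v2 rule).
    results.append(reg.attach(ROOT_NS, "global_dissector"))     # EEXIST
    # Clear the child namespace and the global attach succeeds again.
    results.append(reg.detach("netns_a"))                        # 0
    results.append(reg.attach(ROOT_NS, "global_dissector"))     # 0
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering in `demo()` mirrors the intended deployment: attach the global dissector from init scripts or systemd before any container or test namespace has a chance to install its own, since once a child namespace holds a program the global attach is refused rather than overriding it.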