On Mon, Oct 7, 2019 at 9:21 AM Stanislav Fomichev <sdf@xxxxxxxxxx> wrote:
>
> While having per-net-ns flow dissector programs is convenient for
> testing, security-wise it's better to have only one vetted global
> flow dissector implementation.
>
> Let's have a convention that when BPF flow dissector is installed
> in the root namespace, child namespaces can't override it.
>
> The intended use-case is to attach global BPF flow dissector
> early from the init scripts/systemd. Attaching global dissector
> is prohibited if some non-root namespace already has flow dissector
> attached. Also, attaching to non-root namespace is prohibited
> when there is flow dissector attached to the root namespace.
>
> v3:
> * drop extra check and empty line (Andrii Nakryiko)
>
> v2:
> * EPERM -> EEXIST (Song Liu)
> * Make sure we don't have dissector attached to non-root namespaces
> when attaching the global one (Andrii Nakryiko)

Applied. Thanks
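The attach rule described in the quoted cover letter, modelled in user-space C as an added illustration (this is not the kernel patch itself and not code from the thread). The `struct netns` table, the `flow_dissector_attach`/`flow_dissector_detach` helpers and the program ids are all hypothetical; only the policy they encode comes from the message: a root-namespace attach fails with `-EEXIST` if any non-root namespace already has a dissector, and a non-root attach fails with `-EEXIST` while the root namespace has one.

```c
/* Toy model of the cross-namespace exclusivity rule for BPF flow
 * dissector programs. Hypothetical data structures; only the two
 * checks mirror the policy stated in the cover letter. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_NS 4

struct netns {
    bool is_root;
    int dissector_prog; /* 0 = nothing attached, else a constructed prog id */
};

/* Index 0 plays the role of the init (root) network namespace. */
static struct netns namespaces[MAX_NS];

void reset_namespaces(void)
{
    for (int i = 0; i < MAX_NS; i++) {
        namespaces[i].is_root = (i == 0);
        namespaces[i].dissector_prog = 0;
    }
}

static bool any_child_has_dissector(void)
{
    for (int i = 0; i < MAX_NS; i++)
        if (!namespaces[i].is_root && namespaces[i].dissector_prog)
            return true;
    return false;
}

/* Returns 0 on success, -EEXIST when the policy forbids the attach,
 * -EINVAL for a bad namespace index. */
int flow_dissector_attach(int ns_idx, int prog_id)
{
    if (ns_idx < 0 || ns_idx >= MAX_NS || prog_id <= 0)
        return -EINVAL;

    struct netns *ns = &namespaces[ns_idx];

    if (ns->is_root) {
        /* Global attach is refused if a child already has its own dissector:
         * otherwise the global one would not be the single vetted path. */
        if (any_child_has_dissector())
            return -EEXIST;
    } else {
        /* Child attach is refused while a global dissector is installed,
         * so a non-root namespace cannot override it. */
        if (namespaces[0].dissector_prog)
            return -EEXIST;
    }

    ns->dissector_prog = prog_id;
    return 0;
}

/* Returns 0 on success, -ENOENT when nothing is attached. */
int flow_dissector_detach(int ns_idx)
{
    if (ns_idx < 0 || ns_idx >= MAX_NS)
        return -EINVAL;
    if (!namespaces[ns_idx].dissector_prog)
        return -ENOENT;
    namespaces[ns_idx].dissector_prog = 0;
    return 0;
}

int main(void)
{
    reset_namespaces();
    printf("child attach: %d\n", flow_dissector_attach(1, 10));   /* 0 */
    printf("root attach:  %d\n", flow_dissector_attach(0, 20));   /* -EEXIST */
    printf("child detach: %d\n", flow_dissector_detach(1));       /* 0 */
    printf("root attach:  %d\n", flow_dissector_attach(0, 20));   /* 0 */
    printf("child attach: %d\n", flow_dissector_attach(2, 30));   /* -EEXIST */
    return 0;
}
```

The ordering in `main` reproduces the use case from the message: install the global dissector early (before any child namespace has attached its own), and from then on child namespaces get `-EEXIST` rather than silently shadowing the vetted program.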